If you find a potential security vulnerability please email security@ckan.org, rather than creating a public issue on GitHub.
We aim to respond to all valid reports within three working days.
Security updates are offered for the 2 most recent minor CKAN releases. It is critical to always run the latest patch release for a minor version. To find out the currently supported version and learn more about CKAN releases see here:
https://docs.ckan.org/en/latest/maintaining/releases.html
Fixed security vulnerabilites are assigned a CVE and registered using GitHub Security Advisories, and also included in the CHANGELOG.rst.
Again, only the latest patch release contains all security patches applied so please ensure your CKAN instance is running on a supported version to avoid exposing your users and your data.