Forgejo v16.0: SSRF Protection, EXIF Stripping Removed, Granular Repository Notifications
Forgejo v16.0 has been released. The new version of the self-hosted open-source Git platform, released on 16 July 2026, brings several security improvements, removes a previously introduced feature due to licensing issues, and expands notification options.
This article covers some of the most important changes. A complete list of changes is available in the official release notes.
Breaking Changes
Hardening Mirrors Against SSRF
Administrators can control which hosts Forgejo is allowed to access for Git mirroring through the configuration options [migrations].ALLOWED_DOMAINS, [migrations].LOCKED_DOMAINS, and [migrations].ALLOW_LOCALNETWORKS.
Previously, there were some edge cases where these restrictions were not effective. Several of these cases have been fixed in this release.
One of these cases involved HTTP(S) access to repositories. Git automatically followed HTTP redirects, which could bypass the configured domain restrictions.
Starting with Forgejo v16.0, http.followRedirects=false is set to prevent Git from automatically following these redirects.
Mirrors pointing to remote Forgejo repositories that have been renamed or transferred to another owner will now result in errors. These mirrors must be manually updated to the new repository location.
EXIF Stripping Removed
Forgejo v13.0 introduced the ability to remove EXIF metadata from images uploaded as user avatars.
However, a licensing mistake was made and Forgejo relied on an AGPL-licensed library for this functionality. To ensure license compliance, this feature has now been removed.
The Forgejo team is currently looking into alternative solutions.
Trusted Proxies in Containers
Forgejo containers previously used the following default setting:
REVERSE_PROXY_TRUSTED_PROXIES = *
This default has been changed because it could create a security risk under certain configurations.
If ENABLE_REVERSE_PROXY_AUTHENTICATION=true was enabled and the Forgejo port was directly accessible from untrusted networks, an unauthorized user could use the X-WebAuth-User HTTP header to impersonate any user.
This only affects specific configurations. Users running Forgejo in containers with reverse proxy authentication enabled must now explicitly configure [security].REVERSE_PROXY_TRUSTED_PROXIES.
Example:
FORGEJO__security__REVERSE_PROXY_TRUSTED_PROXIES=127.0.0.0/8,::1/128,172.16.X.X/X
or in app.ini:
[security]
REVERSE_PROXY_TRUSTED_PROXIES=127.0.0.0/8,::1/128,172.16.X.X/X
New Features
Granular Repository Watch Settings
Forgejo v16.0 significantly improves repository notification management.
Previously, users could only fully watch or ignore a repository. Users can now choose which parts of a repository they want to receive notifications for.
The current categories are:
- Issues
- Pull Requests
- Releases
The new notification system also provides a foundation for more detailed controls in future versions.
More Improvements
Besides the new watch settings, Forgejo v16.0 includes several smaller improvements:
- Repository migrations now show their progress
- Smaller avatar variants reduce bandwidth usage and improve loading times
- Adding team members to organizations has become easier
- Git now checks incoming objects for inconsistencies to help prevent repository corruption
- Automatically generated Git hook examples are no longer duplicated in every repository, saving storage space
- Pull Requests receive improvements to commit views and review comments
- Forgejo Actions gains new features such as prioritized workflow runs and additional API support
Upgrade Notes
Forgejo recommends creating a complete backup of the instance before upgrading. The breaking changes mainly affect:
- Mirror configurations pointing to renamed or transferred repositories
- Container installations with
ENABLE_REVERSE_PROXY_AUTHENTICATION=true - Installations that previously used EXIF stripping for avatars
LTS: v15.0.5
At the same time, Forgejo v15.0.5 was released as an LTS version. It will continue to receive support until July 2027.
Conclusion
Forgejo v16.0 focuses mainly on security improvements and giving users and administrators more control.
The hardened mirror rules improve protection against SSRF attacks, while the new notification options make daily usage more flexible. The release also includes many smaller improvements that will be especially useful for larger Forgejo installations.