March 2026 patch release 1.8.14 - EOL soon

IanM

Flarum `1.8.14` Released 🎉

We're shipping another maintenance release for the Flarum 1.x series. This one includes a security fix for flarum/nicknames, a solid batch of bug fixes, meaningful performance improvements, and some welcome changes to the GDPR extension.

⚠️ Flarum 1.x end-of-life is coming

This release marks a turning point for the 1.x series. It is likely one of the last regular releases.

With Flarum 2.0 approaching its Release Candidate phase, we are shifting 1.x into an almost-EOL state with immediate effect:

❌ No new features, improvements, or tweaks are planned for 1.x
❌ Non-security bug fixes will generally not be backported
⚠️ Security vulnerabilities will be investigated and addressed where possible — but we want to be honest: the aging dependency stack (Flarum 1.x runs on Laravel 8, which is itself well into EOL) means that some security issues may simply not be fixable on this branch
✅ Flarum 2.0 is where all active development, security work, and long-term support is happening

The official EOL date for 1.x has not yet been set, but it will be clearly communicated in advance. The current plan is to officially EOL Flarum 1.x 12 months after the 2.0 stable release. In the meantime, we strongly encourage all 1.x forum admins to start planning their upgrade to Flarum 2.0.

🚀 If you haven't started evaluating Flarum 2.0 yet, now is the time. Beta.8 — the last beta before the RC phase — is due in approximately two weeks.

🚨 A note on Flarum 2.0 — action required for extension developers

Beta.8 is due in approximately two weeks, and it will be the last beta before the RC (Release Candidate) phase.

Here's what the RC phase means in practice:

🔶 Beta (where we are now) — APIs are still in flux. We can still make changes to core to accommodate extension needs.
🔷 Release Candidate — The API is frozen. No new features, no breaking changes. Only critical bug fixes are accepted.
🟢 Stable 2.0.0 — RC with no blockers = stable release.

For extension developers, this is your most important window. Once we enter RC, the ability to adapt the core API to your extension's needs closes. If you're working on a 2.0 update and find that core is getting in your way — an API is too rigid, something is missing, an interface is awkward — now is the time to tell us. Open a discussion here or file an issue on GitHub. We are actively listening and we want to help you ship compatible extensions alongside 2.0 stable.

📣 Please test your extensions against beta.7 (and shortly, beta.8) and let us know what you find. Every compatibility report before RC is an opportunity to fix something permanently. After RC, it has to wait for 2.1.

🌍 Help translate Flarum 2.0

Flarum 2.0 brings a lot of new strings, and getting them translated before stable is a huge community effort. If you speak a language other than English, your help is needed — even a few strings reviewed or translated makes a difference.

Translations for Flarum 2.0 are managed on Weblate: weblate.rob006.net/projects/flarum2

You don't need to be a developer — if you can read and write your language, you can contribute. Every little helps. 🙏

🔐 Security fix — `flarum/nicknames` `v1.8.3` (CVE-2026-30913)

If you use the flarum/nicknames extension, updating to 1.8.3 is strongly recommended.

A medium-severity vulnerability was discovered and responsibly disclosed via the SBB Community bug bounty programme. When flarum/nicknames is enabled, a user could set their nickname to a string that email clients interpret as a hyperlink — for example a bare domain name (nasty.com) or markdown link syntax ([CLICK](https://evil.com)). The nickname is included verbatim in plain-text notification emails, potentially misleading recipients into visiting attacker-controlled URLs.

Variant 1 (autolink) — a nickname like nasty.com is auto-linked by virtually all email clients (Gmail, Outlook, Apple Mail, Thunderbird)
Variant 2 (markdown) — a nickname like [CLICK](https://evil.com) is rendered as a clickable link by email clients that auto-render markdown in plain text (e.g. Apple Mail, Thunderbird)

The fix adds validation in flarum/nicknames to reject nicknames containing characters that could be misinterpreted in email contexts, while preserving legitimate nicknames like Jane.Smith.

The default username-based display name driver is not affected — it already constrains values to [a-zA-Z0-9_-]+. Any third-party display name driver that permits arbitrary characters should be reviewed.

🙏 Thanks to tank0 for reporting this responsibly via Intigriti, and to @gianniguida and @Davetodave178 for helping with the fix and verification.

⚡ Performance improvements

This release includes several under-the-hood optimisations. Nothing you'll see directly — but your server will thank you.

⚡ Notification counts cached — was a DB query on every page load; now cached for 5 minutes and invalidated automatically when something changes (including when you delete all notifications).
⚡ Auth last-seen write eliminated — was an unconditional DB write on every authenticated request; now only writes when the data has actually changed.
⚡ Scheduler timestamp moved to cache — was a DB write every ~1 minute; now stored in the cache layer instead.

Together, these changes add up to noticeably fewer database operations — especially on sites with active users.

💡 Running Redis? The gains stack up significantly. fof/redis v1.1.6 pairs perfectly with these core improvements. It caches Flarum's forum settings in Redis with a three-layer chain — per-request in-process cache, then Redis, then the database — so settings are read from the database at most once per Redis TTL, and from Redis at most once per request regardless of how many times settings->get() is called. In production, this alone can reduce Redis egress from settings reads by over 95%. On top of that, fof/redis now auto-detects phpredis (the native PHP extension) and uses it automatically when available, enabling persistent connections that reuse the socket across requests within the same PHP-FPM worker — significantly reducing connection overhead at scale. If you're running Redis and haven't updated fof/redis recently, now is a great time.

🐛 Bug fixes

HTTP 405 "Method Not Allowed" pages now show the correct message ("This page does not support that request method.") instead of the generic "An error occurred" fallback.
PHP warnings in restricted environments — a handful of PHP notices/warnings that could appear on certain hosting configurations have been resolved.
Less boolean custom functions — a regression where custom Less functions returning boolean values were not handled correctly has been fixed.
Extension Manager — references to the discontinued Extiverse marketplace have been removed.

🔒 GDPR extension — `v1.8.2`

This release includes a significant security and compliance update to the flarum/gdpr extension:

One-time confirmation links — the erasure confirmation token is now invalidated after use. Previously, a user's confirmation email link could be re-used indefinitely; it is now a true one-time link.
Processed request guard — revisiting a confirmation link for an already-processed or manually-handled erasure request now returns a proper error instead of silently resetting its status.
Confirmation IP logging — the IP address used to confirm an erasure request is now stored for audit purposes.
Automatic IP purge — a new scheduled command (gdpr:clear-confirmation-ips) automatically nulls stored confirmation IPs after 90 days, keeping data retention proportionate.
Erasure modal timestamps — the admin process-erasure modal now shows the requested-at, confirmed-at, and eligible-for-auto-processing dates.

📦 Versions released

flarum/core — 1.8.14
flarum/nicknames — 1.8.3 ⚠️ security fix
flarum/extension-manager — 1.0.8
flarum/suspend — 1.8.6
flarum/gdpr — 1.8.2

🚀 How to update

composer update

As always, back up your database before updating, and test on a staging environment first if possible.

📋 Full changelog

Core (`flarum/core`)

Fixed

Show correct error message for HTTP 405 Method Not Allowed responses by @IanM #4417
Fix PHP warnings in restricted environments by @IanM #4336
Fix Less boolean custom functions returning incorrect values by @IanM #4405
Invalidate unread notification count cache when all notifications are deleted by @IanM #4391

Performance

Eliminate redundant DB writes in auth middleware and cache notification counts by @IanM #4365
Store scheduler last-run timestamp in cache instead of database by @IanM #4363

Added

Fire ApplicationBooted event after all service provider boot callbacks complete by @IanM #4358

Nicknames (`flarum/nicknames`)

Security

Validate nicknames to prevent display name injection in notification emails (CVE-2026-30913) GHSA-3c4m-j3g4-hh25

Extension Manager (`flarum/extension-manager`)

Changed

Remove Extiverse marketplace references by @IanM #4395

Suspend (`flarum/suspend`)

Changed

Build missing JS typings by @IanM #4337

GDPR (`flarum/gdpr`)

Fixed / Security

Invalidate erasure confirmation token after use (one-time link) by @IanM flarum/gdpr#70
Guard against re-confirming already-processed erasure requests by @IanM flarum/gdpr#70

Added

Log confirming IP address on erasure requests for audit purposes by @IanM flarum/gdpr#70
Scheduled command to purge confirmation IPs after 90 days by @IanM flarum/gdpr#70
Show requested-at, confirmed-at, and eligible-for-auto-processing dates in erasure modal by @IanM flarum/gdpr#70

huoxin

IanM The current plan is to officially EOL Flarum 1.x 12 months after the 2.0 stable release.

The 12 months is suppose to be the 'Grace Period'?

2.
Cant talk much on RTL, cuz I dont use it. But there are extension for it: https://flarum.org/extension/irmmr/flarum-ext-rtl Hopefully there will be an upgrade to 2.x

3.
This extension does the job: https://flarum.org/extension/fof/linguist

KBExit

huoxin yeah, that touches everything... Lol

CyberGene

SHANKS Extension-Centric Migration: Platforms live or die by their extensions. It is difficult to ask users to migrate to 2.0 when a large percentage of essential extensions remain incompatible. I suggest a 'Grace Period' for 1.x support that is tied to an extension migration audit, ensuring the ecosystem is ready before the Core is finalized.

Indeed, over the weekend I tested 2.0 beta 7 upgrade over a copy of my forum. While it worked, after a whole day of various struggles, I was a bit disappointed to realize that a lot of the extensions we use are not yet ported to 2.0. I hope the Flarum team will focus on upgrading all existing extensions soon after the release.

clarkwinkelmann

CyberGene this is the chicken and egg problem... Extension developers like myself are waiting for Flarum 2.x to be finalized before putting in the work to update extensions.

If the Flarum team waits for more extensions to be updated before releasing Flarum 2.0, it will never release...

Not much point looking at the state of extensions right now. Once RC and stable drop it will be a completely different landscape.

While I will try to port some of my extensions for 2.x RC, I will still wait for the final release before doing most of the work.

My strategy to make the most out of my limited time is:

Only support one Flarum version (except for some of my premium extensions). Once I release a 2.x-compatible version, the 1.x-compatible version will be in security maintenance only. If I upgrade early and Flarum 2.x gets delayed, I will end up unable to provide any update or bugfix for 1.x without extra work.
Delay the 2.x version of complex extensions as much as possible. Those extensions use features that aren't part of the Flarum API and can/have been broken by "minor" fixes before.
Work on as many extensions as possible at the same time, so this means delaying some of the easiest extensions as well.

KBExit

clarkwinkelmann thank you for all you do Clark and thank you for explaining it!

GreXXL

Adding to what has been said:

A majority of (major) FoF extensions have been already been ported. Some previously needed extensions like database-queues or realtime are now shipping with Flarum by default.
The Foundation has financially supported some extensions to be taken over and updates for Flarum v2 that have been written by developers who are no longer active (eg. Rich Text or Categories). We will continue this process with a couple of other extensions.
After that process we will have to give time for developers to adopt their extensions. Its not the Flarum or FoF team that can do the transition of all Flarum ecosystem extensions.

You can post in the appropriateExtensions discussions to let developers know of the importance of a Flarum 2 version of their extensions - if this has not already been done or the developers - like Clark - has announces his plans for updating his extensions. Also if some extensions you require are not being ported by the previous developer and won't be taken over by FoF you can still open aProposals to revive said extension for Flarum v2 and it might be picked up by someone else (maybe with the help of aBounty).

Wlork

clarkwinkelmann Extension developers like myself are waiting for Flarum 2.x to be finalized before putting in the work to update extensions.

I asked you on one of your extension discussion. So, glad to hear it 🙂

GreXXL You can post in the appropriateExtensions discussions to let developers know of the importance of a Flarum 2 version of their extensions - if this has not already been done or the developers - like Clark - has announces his plans for updating his extensions.

Yes.

And I hope that our requests in Extensions will be among the developers' priorities. People like me manage a forum, so it would be ideal if we want to adopt v2.0 quickly.

SHANKS

clarkwinkelmann This is a problem with software that relies heavily on external plugins.

Upgrades become a disaster.

ernestdefoe

SHANKS that’s slowly starting to be most forum software.

KaSTalana

Updated my Forum to 1.8.14, Extension manager 1.0.7. I want to install some new extensions, but all of them is signed "Doesn't work with Flarum v1.8.14".

Should I wait until the needed extensions are be tested by developers or I can install them?

I ask, because I accidentally installed Welcome Login extension and it works. But it's also signed "Doesn't work with Flarum v1.8.14" at the extension's webpage.

KBExit

KaSTalana from my experience, that flag is merely a suggestion and not gospel. Something may have tripped it but the extension still works. In other cases, it is 100% accurate.
Composer will tell you if there is a conflict with dependencies and you can check for issues and remove the extension if need be.

anoedo

IanM
Does this mean that after Flarum officially upgrades to version 2.0, maintenance and support for the original 1.x version will continue for another 12 months, after which the 1.x version will be officially deprecated?

I’m asking this because I want to know how much time I have to gradually upgrade. This is actually quite bad news for me—I’m not a technical professional, and I just finished setting up my Flarum forum (version 1.8) three months ago. I’m still slowly optimizing it, and now I’m being told that the 1.x version will soon be deprecated and that I must upgrade to version 2.0… I’m not sure how difficult this migration or upgrade process will be. What I’m most worried about is whether, due to my lack of expertise, I might end up losing forum data or even making the site inaccessible. Once Flarum 2.0 is officially confirmed, will the team provide a guide to help users smoothly perform the upgrade?

IanM

anoedo Flarum 1.x is currently on "life support", but still supported. We have not yet set an official End of Life date.

Flarum 2.0 will release this summer. A good number of extensions are already updated to support it, with more coming ahead of the official release. From our testing so far, the upgrade process is actually quite simple. All data is carried over (although we always recommend taking a backup of your database before installing any update).

We will be providing step-by-step guides to upgrade from the latest 1.x version to 2.0 of course.

The best thing you can do is to keep on doing what you're already doing - tweaking Flarum to your liking and needs, keep Flarum and all extensions up to date, and when the time comes for 2.0 you will be able to upgrade absolutely fine. Plus, we are always available here for any additional support you might need 🙂

chulingera2025

Hi @IanM

I’ve recently been dedicating some time to the Flarum 2.x translation work and have completed about 20% of the pending strings. However, I’ve encountered a significant challenge regarding terminology consistency, which I believe many other translators might also be facing.

In languages like Chinese, a single English term can have multiple valid translations depending on the context. For example, "Discussions" is often translated as either "主题" (Topic) or "讨论" (Discussion). Without a unified standard, the user interface feels fragmented.

(This might have been discussed during the long history of Flarum's localization, but I haven't been able to find it yet! QAQ)

In the Chinese context, these two terms carry distinct nuances:

"主题" (Topic/Thread) is the traditional forum standard (like Discuz!). It emphasizes a static "archive" or a formal post structure.

"讨论" (Discussion), on the other hand, feels more modern, dynamic, and social—aligning better with Flarum's "real-time" and "stream-like" nature.

While Weblate provides a "Glossary" feature, I find it somewhat clunky for active coordination. Relying solely on Weblate comments for discussion is quite inefficient and often slows down the translation pace.

I’m curious about the historical workflow of the translation community. Is there a dedicated discussion group (e.g., Discord, Telegram, or a specific forum thread) for different language teams to sync on terminology?

I would love to see a more centralized space for language-specific discussions. It would greatly improve both the quality and efficiency of our localization efforts, especially as we move deeper into the 2.x era. I'm keen to connect with other Chinese translators to standardize our "official" glossary.

Maybe we could enable administrators to globally swap certain terms via a plugin, which might help ensure consistency across the entire site.（Reduce inconsistencies across different extensions） 😉

huoxin

chulingera2025 Probably you can take a look at the unofficial chinese forum for flarum https://discuss.flarum.org.cn
The forum is not very active, but you can join the group listed in the banner, a few of the chinese language pack maintainer shoud in the group?