---
title: '0.12.6'
---

Released: *2026-05-01*

# Summary

This is a security release for the Prosody 0.12.x old stable series. It
addresses multiple security issues, some memory leaks and some smaller bugs
which have been fixed since the previous release.

Full details about the security vulnerabilities can be found in our [security
advisory](https://prosody.im/security/advisory_735dd9d3/). We encourage all
Prosody operators on 0.12.5 or earlier to upgrade to 0.12.6 or 13.0.5 as soon
as possible, or to review the advisory and implement appropriate mitigations.

**Note:** Support for the 0.12.x series ends in June 2026. This means it will
no longer receive any fixes or updates, even for security issues. It is likely
that 0.12.6 will be the last release from this series. Check our guide on
[upgrading Prosody](https://prosody.im/doc/upgrading) and the release notes
for 13.0.0 before you upgrade to the 13.0.x series.

## Changes

Summary of all changes in this release:

## Security

- mod\_proxy65: Consistently apply authorization checks
- mod\_proxy65: Don't proxy data until after bytestream activation
- mod\_c2s, mod\_s2s: Introduce new pre-authentication stanza size limit
- Add limit for stanza max child elements
- mod\_c2s: Remove timers immediately on disconnection
- net.server\_epoll: Clean up timers after disconnection

## Fixes and improvements

- Fix memory leak in module API

## Minor changes

- util.prosodyctl.check: Improve error handling of UDP socket setup (for [#1803](https://issues.prosody.im/1803))


## Download

As usual, download instructions for many platforms can be found on our [download page](https://prosody.im/download).

If you have any questions, comments or other issues with this release, [let us know!](https://prosody.im/discuss)
