CVE-2021-41238

Hangfire is an open source system to perform background job processing in a .NET or .NET Core applications. No Windows Service or separate process required. Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no custom authorization filters specified, LocalRequestsOnlyAuthorizationFilter filter is being used to allow only local requests and prohibit all the remote requests to provide sensible, protected by default settings. However due to the recent changes, in version 1.7.25 no authorization filters are used by default, allowing remote requests to succeed. If you are using UseHangfireDashboard method with default DashboardOptions.Authorization property value, then your installation is impacted. If any other authorization filter is specified in the DashboardOptions.Authorization property, the you are not impacted. Patched versions (1.7.26) are available both on Nuget.org and as a tagged releas