v2.9.1

Security Vulnerability Fixes

• Security Vulnerability: Fixed a high‑risk vulnerability where passwords were transmitted in plaintext via the MaxKB reset_password interface (CVE‑2026‑45413).
• Security Vulnerability: Fixed authenticated SSRF risks caused by missing validation of callback URLs during workflow template import/update (CVE‑2026‑45412).

Bug Fixes

• Agent: Fixed the issue where reply messages were cleared and a network error appeared after the loop count exceeded the maximum limit in agents with infinite loops.
• Agent: Fixed the issue where the API returned no data and reported a read‑timeout error under stream=false when calling an agent containing infinite‑loop nodes via API.
• Agent: Fixed image generation failures after adding parameters for the Gemini image generation model (#5233).
• Agent: Fixed incorrect text descriptions for the Image Understanding node, and set the end‑frame image of the Image‑to‑Video node as non‑required.
• Agent: Fixed creation failures when importing agents from the Template Center (#5231).
• Agent: Fixed the issue where unselected knowledge bases were still retained after unchecking associated knowledge bases and saving with another selected knowledge base in knowledge base retrieval nodes.
• Agent: Fixed the issue where associated agents were not displayed in the dependent resource list of reranking models used for multi‑way recall (#5249).
• Agent: Fixed the issue where a new tab was not opened when accessing the agent page by holding Ctrl and clicking the agent panel.
• Tools: Fixed the issue that startup parameters of newly created tools required manual saving to use default values.
• Workspace: Fixed the issue that users not displayed could not be searched when adding members with a large user base.
• Resource Management: Fixed the inability to search resources by creator.
• Shared Resources: Fixed the inability to search resources by creator.