Zebra 4.4.1

This release fixes one critical security issue. We recommend node operators update to 4.4.1.

Security

• Reject V5 transparent inputs signed with SIGHASH_SINGLE (or SIGHASH_SINGLE|ANYONECANPAY) when the input has no transparent output at the same index (GHSA-pvmv-cwg8-v6c8). Follow-up to GHSA-cwfq-rfcr-8hmp.

Thanks to @sangsoo-osec, @zmanian, and @fivelittleducks for reporting the issue.

Zebra 4.4.0

This release includes several security and bug fixes. We recommend node operators update to 4.4.0.

Security

• Fix sigops counting (GHSA-jv4h-j224-23cc).
• Consensus-divergence defense-in-depth follow-up to GHSA-8m29-fpq5-89jj: the V5 sighash callback now substitutes a per-call CSPRNG-derived sighash when rejecting undefined ZIP 244 hash-type bytes, so any peer-supplied signature fails to verify and the block is rejected in agreement with zcashd (GHSA-gq4h-3grw-2rhv, #10524).
• Allocation amplification in inbound network deserializers: validate coinbase Sapling spend count, coinbase data size, and Equihash solution size before allocating, and enforce the 160-entry cap in read_headers (GHSA-438q-jx8f-cccv, #10525, #10526, #10527, #10528).
• Validate transparent input/output alignment before script verification, so malformed verifier requests return an error instead of panicking or verifying against a misaligned previous output (#10510).
• RPC hardening (#10523):
  • Cookie file is now written with explicit 0600 permissions on Unix; symlinks at the cookie path are rejected (GHSA-jg86-rwhm-fhg4).
  • HTTP request bodies are bounded before allocation, with the limit derived from MAX_BLOCK_BYTES to accommodate submitblock (GHSA-8r29-5wjm-jgvx).
  • gRPC indexer streams use try_send to drop slow subscribers instead of backpressuring the server; the buffer was reduced from 4000 to 64. Well-behaved clients are unaffected (GHSA-826r-gfq8-x79q).
  • getrawtransaction reuses the caller-provided block hash and best-chain flag from the initial query, fixing a TOCTOU race against a third state lookup (GHSA-w23c-6rpp-ff87).
• Disconnect peers that persistently return empty or bad FindBlocks / FindHeaders responses, freeing fanout slots for useful peers. Stall classification happens inside PeerSet::route_p2c, so coverage spans both request types without a separate per-IP guard.

Added

• nTx (per-block transaction count) field in the verbose getblock RPC response (#10498).
• Public benchmark dashboard at zebra.zfnd.org/dev/bench covering Groth16, Halo2, Sapling, RedPallas, block, and transaction benchmarks (#10444).

Changed

• Refreshed the Sentry/OpenTelemetry observability stack (#10490): Sentry SDK upgraded to 0.47 (transport switched from reqwest to ureq); Sentry events now carry SENTRY_ENVIRONMENT, git.ref, git.sha, and CI context (CI_PR_NUMBER, CI_TEST_ID, GITHUB_*) when present; opentelemetry is now part of the default-release-binaries feature set, with export still gated on OTEL_EXPORTER_OTLP_ENDPOINT (or the tracing config); and zebrad::sentry is now crate-private.
• Upgraded the librustzcash crate cohort (equihash 0.3, orchard 0.13, sapling-crypto 0.7, zcash_address 0.11, zcash_encoding 0.4, zcash_keys 0.13, zcash_primitives 0.27, zcash_proofs 0.27, zcash_protocol 0.8, zcash_transparent 0.7) to the 2026-04 release wave, which migrates off the yanked core2 crate to corez 0.1.1 and clears RUSTSEC-2026-0105 (#10522).
• Bumped workspace MSRV from 1.85.0 to 1.85.1, required by the new librustzcash releases. Also bumped zebrad MSRV from 1.89 to 1.91, required by cargo-platform 0.3.3 (transitively via vergen-git2).

Fixed

• getrawtransaction now reports correct confirmations (#10507).

Contributors

Thank you to everyone who contributed to this release, we couldn't make Zebra without you:
@alchemydc, @arya2, @daira, @dependabot[bot], @gustavovalverde, @oxarbitrage, @schell and @upbqdn

Zebra 4.3.1

Zebra 4.3.1 - 2026-04-17

This release fixes four important security issues:

• CVE-2026-40880: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks
• CVE-2026-XXXXX: Consensus Divergence in Transparent Sighash Hash-Type Handling
• CVE-2026-XXXXX: rk Identity Point Panic in Transaction Verification
• CVE-2026-40881: addr/addrv2 Deserialization Resource Exhaustion

We recommend node operators to update to 4.3.1 as soon as possible. All previous
Zebra versions are vulnerable to these issues.

Added

• Dockerized mining setup (#10301)

Fixed

• Fixed a panic that could be triggered in the RPC interface on HTTP
  errors,
  such as resetting the connection halfway through a request. We do not consider
  this a critical issue since the RPC port is security-sensitive and should not
  be opened publicly, but we plan to update our documentation to make this
  clear.

Changed

• The Dockerfile and docker-compose.yml were changed to expose the P2P port by
  default. This is important for the network since it allows other peers to
  connect to the node. Note that if you deploy Zebra behind a firewall or NAT
  you might require additional configuration
  (#10464).

Contributors

Thank you to everyone who contributed to this release, we couldn't make Zebra without you:
@arya2, @conradoplg, @dependabot[bot], @gustavovalverde, @mpguerra, @oxarbitrage and @upbqdn

Zebra 4.3.0

Zebra 4.3.0 - 2026-03-26

This release fixes two important security issues:

• CVE-2026-34202: Remote Denial of Service via Crafted V5 Transactions
• CVE-2026-34377: Consensus Failure via Crafted V5 Authorization Data

We recommend node operators to update to 4.3.0 as soon as possible. All previous
Zebra versions are vulnerable to these issues.

This release adds support for ZIP-235 and extends the documentation on performance profiling. It also fixes issues with block propagation on Regtest, the computation of miner rewards for pre-Canopy blocks in the getblocksubsidy RPC, and a performance regression on Testnet where Zebra would hog a single CPU thread.

Added

• Network Sustainability Mechanism: ZIP-235 (#10357)
• Add profiling Cargo profile and use it in profiling docs (#10411)

Fixed

• Fix block propagation on Regtest (#10403)
• Subtract Founders' Reward from block subsidy (#10338)
• Cache parsed checkpoints (#10409)

Contributors

Thank you to everyone who contributed to this release, we couldn't make Zebra without you:
@gustavovalverde, @judah-caruso, @nuttycom, @oxarbitrage and @upbqdn.

Zebra 4.2.0

Zebra 4.2.0 - 2026-03-12

This release expands Zebra’s RPC functionality, improves mempool policy,
adds more state querying capabilities, and replaces the legacy OpenAPI
documentation with OpenRPC.

Added

• UnspentOutput request to mempool component service (#10235)
• Founders reward addresses (#10188)
• Support for pre-Canopy block subsidies (#10191)
• AI contribution policy and agent guidance files (#10318)
• rpc.discover endpoint (#10201)
• gettxout RPC method (#10235)
• AnyChainBlock state request for querying blocks in side chains (#10325)
• Remaining non-standard mempool transaction filters (#10314)

Removed

• Python QA RPC test framework (zebra-rpc/qa/) in favour of the new integration-tests project, which captures all previous work in zcash/integration-tests#1 (#10363)
• OpenAPI specification and related functionality (#10298) in favour of OpenRPC

Changed

• Simplify ReadStateService::call() method (#10335)
• Replace NETWORK_UPGRADES_IN_ORDER with strum::EnumIter (#10096)

Fixed

• Preserve input order in spent_outputs for mixed chain/mempool transactions (#10356)
• Clarify TransparentInputNotFound error message (#10302)
• Improve getrawtransaction compatibility with zcashd (#10307)
• Peerset banned cancel handles (#10258)
• Support writing non-finalized state backups to disk before broadcasting updated chainstate (#10361)
• Fix bug in ActiveConnectionCounter and inaccurate connection count metrics (#10311)

Contributors

Thank you to everyone who contributed to this release, we couldn't make Zebra without you:
@VolodymyrBg, @arya2, @conradoplg, @gustavovalverde, @mpguerra, @oxarbitrage, @syszery, @upbqdn and @zmanian

Zebra 4.1.0

Zebra 4.1.0 - 2026-02-05

This release has no breaking changes for node operators. It expands Zebra's
observability with new Prometheus metrics and Grafana dashboards. It also adds
mempool checks for standard transparent scripts to match zcashd.

Listed below are all user-visible changes.

Changed

• Check that SENTRY_DSN env variable is present before initializing sentry (#10256)

Added

• Add RocksDB I/O latency and sync distance metrics (#10181)
• Add performance histograms for bottleneck identification (#10179)
• Add value pool, RPC, and peer health metrics (#10175)
• Add standardness checks and configurable OP_RETURN policy (#10224)
• Add zaino to the qa rpc framework (#10199)

Contributors

Thank you to everyone who contributed to this release, we couldn't make Zebra without you:
@Bashmunta, @MozirDmitriy, @gustavovalverde, @mpguerra, @oxarbitrage, @syszery, @upbqdn and @zlyzol

Zebra 4.0.0

This release fixes the type of a field in the getinfo RPC and adds support for
the pingtime and pingwait fields of the getpeerinfo RPC.

It also changes the Grafana dashboards to add auto-provisioning and AlertManager
support.

This release also adds a new mainnet DNS seeder from Shielded Labs to the default
configuration. However, if you already have a config in place, you will need
to add it manually; add "mainnet.seeder.shieldedinfra.net:8233" to
initial_mainnet_peers.

The new OpenTelemetry support must be enabled at compile time with the
opentelemetry feature, e.g. cargo build --features=opentelemetry --release.

Breaking Changes

This release has the following breaking changes:

• Changed the getinfo RPC errorstimestamp field from a string timestamp (ISO
  UTC timestamp) to a i64 (seconds from Unix epoch) to match zcashd
  (#10079). If you rely
  on this field, you will need to change your code to be able to interpret
  the i64 result.
• Always parse Zebra's config file as TOML (#10222). This allows using a config
  file with an extension different than .toml. Previously, it would use the
  format detected from the extension, so in the unlikely case you were using
  a format different than TOML you will need to change your config to TOML.

Added

• Added pingtime and pingwait to getpeerinfo RPC (#9880)
• Added Grafana auto-provisioning and AlertManager (#10171)
• Added OpenTelemetry distributed tracing support (#10174)
• Added new Shielded Labs mainnet seeder (#10228)

Contributors

Thank you to everyone who contributed to this release, we couldn't make Zebra without you:
@conradoplg, @gustavovalverde and @syszery

Zebra 3.1.0

This release fixes how Docker images are published for ARM64 platforms, increases the maximum size of RPC responses and allows configuring it, and filters out dust transactions in the mempool.

Added

• Implemented filter for dust transactions in the mempool (#10134)

Changed

• Updated Debian from bookworm to trixie in Docker (#10111)
• Configured Zebra to listen on the all-zero IPv6 address in Docker by default (#10095)
• Increased allowed RPC response size (#10118)

Fixed

• Fixed publishing workflow for ARM64 and AMD64 Docker images (#10125)
• Fixed logging of commit IDs (#10135 and [#10115)
• Prevented static IP assignment step from failing on read command (#10123)

Contributors

Thank you to everyone who contributed to this release, we couldn't make Zebra without you:
@conradoplg, @gustavovalverde, @imcdona, @oxarbitrage and @upbqdn

Zebra 3.0.0

Zebra 3.0.0 - 2025-11-17

This release is a stable version of the release candidate deploying NU6.1 on Mainnet. It fixes some issues that were found after
the release candidate was published but otherwise mostly includes technical improvements and cleanup with relatively few user-visible changes.

Changed

• Gated code behind the tx_v6 feature flag behind the zcash_unstable=nu7 config flag too (#10060)

Added

• Added ZIP 233 (Network Sustainability Mechanism) implementation (#8930)
• Populated asm field returned by Zebra's RPC methods with code in script outputs as well as script types (#10019)
• Added a CHANGELOG file to track changes in the python QA framework (#10076)
• Enabled backtraces and added debug info by default in production builds (#10097)

Fixed

• Updated Dockerfile to accept Cargo features for release builds (#10075)
• Fixed the docker build command (#10007)
• Fixed a bug in z_validateaddress around parsing Testnet transparent addresses on Regtest (#10022)
• Re-enabled Docker provenance and SBOM attestations (#10071)
• Fixed an issue where Zebra would panic in some edge cases around mempool transactions depending on other mempool transactions (#10049)
• Fixed a DDoS vulnerability and panic issue around error handling in proof verifiers (#10099)

Contributors

Thank you to everyone who contributed to this release, we couldn't make Zebra without you:
@AloeareV, @arya2, @conradoplg, @dorianvp, @gustavovalverde, @mariopil, @oxarbitrage, @syszery, and @upbqdn

Zebra 3.0.0-rc.0

Zebra 3.0.0-rc.0 - 2025-10-15

In this release, we add the Mainnet activation height for Network Upgrade 6.1 (NU6.1), which will activate at block 3,146,400.

This is a release candidate. Its support is set to expire before the activation height. If no issues are found, this candidate will become the final release for NU6.1.

This release also includes significant updates to Zebra's CI and Docker setup, as well as performance optimizations.

Breaking Changes

• Migrate zebrad to a layered configuration using config-rs. Environment variables must use the ZEBRA_SECTION__KEY format (double underscore for nesting), for example: ZEBRA_NETWORK__NETWORK, ZEBRA_RPC__LISTEN_ADDR, ZEBRA_RPC__ENABLE_COOKIE_AUTH, ZEBRA_RPC__COOKIE_DIR ZEBRA_TRACING__FILTER ZEBRA_STATE__CACHE_DIR, ZEBRA_MINING__MINER_ADDRESS. Legacy ZEBRA_* test/path variables and ZEBRA_RUST_LOG are no longer honored. Update any scripts, Docker configs, or systemd units that relied on the old names (#9768).
• Docker entrypoint simplified: it no longer generates a zebrad.toml or translates legacy Docker environment variables. To use a file, set CONFIG_FILE_PATH (the entrypoint forwards it via --config). Otherwise, configure via ZEBRA_* variables. ZEBRA_CONF_PATH has been removed in favor of CONFIG_FILE_PATH. Docker setups that used variables like ZEBRA_RPC_PORT, ZEBRA_COOKIE_DIR, NETWORK, ENABLE_COOKIE_AUTH, or MINER_ADDRESS must switch to the config-rs equivalents shown above (#9768).
• Fully removed the getblocktemplate-rpcs feature flag from zebrad/Cargo.toml. All functionality previously guarded by this flag has already been made the default. As a result, the following build command is no longer supported:

  cargo build --features getblocktemplate-rpcs
  

  (#9964)

Changed

• zebrad now loads configuration from defaults, an optional TOML file, and environment variables, with precedence: Env > TOML > Defaults (#9768).
• Docker and book documentation updated to describe CONFIG_FILE_PATH and ZEBRA_* environment variable usage; removed references to ZEBRA_CONF_PATH and legacy Docker variables (#9768).
• Implemented nextest and optimized Docker test builds (#9435)
• Replaced light wallet .proto files with canonical versions obtained from https://github.com/zcash/lightwallet-protocol (#9783)
• Allow zebra-rpc to be compiled without protoc (#9819)
• Switched Sapling verifier (#9737)
• Refactor Sapling parameters loading (#9678)
• Adopt upstream types for sapling commitments where possible (#9828)
• Updated transaction verifier to use orchard::bundle::BatchValidator (#9308)
• Improved error propagations (#9921, #9919, #9848)
• Broadcast block submissions to all peers in the peer set (#9907)
• Removed outdated seeders (#9932)
• Apply suggestions for code cleanup from NU6.1 audit. (#9952)
• Always return 1.0 from getblockchaininfo as the verification progress on Regtest (#9908)
• Corrected number of addresses for the FPF funding stream extension on Testnet (#9786)
• Simplified a test to use regtest instead of fake activation heights (#9792)
• Re-enable and update disconnects_from_misbehaving_peers test (#9735)
• Improve connection times in regtest framework (#9917)
• Always wait for RPC port to open in cached state tests (#9903)
• Allow configuration of funding streams on Regtest (#9710)
• Implemented draft ZIP 2003 for NU7 and use Testnet network protocol versions on Regtest (#9787)

Added

• NU6.1 activation height, funding streams, lockbox disbursments, and current network protocol version (#9987)
• Backup non-finalized blocks in state cache directory (#9809)
• Complete z_gettreestate (#9798)
• getmempoolinfo RPC method (#9870)
• getnetworkinfo RPC method (#9887)
• Support side chains in getrawtransaction (#9884)
• Support single-string or object params in getaddresstxids (#9854)
• Exposed z_validateaddress logic for library consumers (#9859)
• Missing Orchard fields to getrawtransaction (#9808)
• vjoinsplit field to getrawtransaction (#9805)
• Use specific error code for addnode; reuse message in response filter (#9931)
• Support for the chainInfo field in getaddressutxos RPC method (#9875)
• Allow for cycling through configured funding stream addresses (#9989)
• Introduce BytesInDisplayOrder trait to standardize byte-reversed encoding in RPC (#9810)
• MappedRequest helper trait and refactors error types used by CommitSemanticallyVerifiedBlock requests (#9923)
• Useful standard trait implementations to ease downstream use (#9926)
• Added ZFuture variant to NetworkUpgrade (#9814)
• Allow configuration of checkpoints on test networks (#9888)
• Added HTTP /healthy and /ready endpoints (#9895, #9886)
• New book page on profiling Zebra (#9983)
• Deserialization logic to call extend_funding_streams() when the flag is true for both configured Testnets and Regtest (#9989)

Fixed

• Restore initial sync performance by avoiding RocksDB merge operations when the on-disk database format is up-to-date (#9973)
• Use STANDARD Base64 for RPC auth encoding/decoding (#9968)
• Expects the block commitment bytes of Heartwood activation blocks to be the hashBlockCommitments after NU5 activation (#9982)
• Fixed UTXO selection loop to iterate over entries instead of repeating first (#9826)
• Improve extra argument passing to zebra in qa framework(#9858)
• Avoid heap allocations in expand_zero_be_bytes() (#9951)
• Fixed sanitize_avoids_leaks test to validate sanitized MetaAddr (#9867)
• Corrected at_least_one! count-form and add unit test (#9871)

Contributors

Thank you to everyone who contributed to this release, we couldn't make Zebra without you:
@Fibonacci747, @Galoretka, @GarmashAlex, @JacksonEi, @MozirDmitriy, @Olexandr88, @arya2, @conradoplg, @gap-editor, @gustavovalverde, @natalieesk, @nuttycom, @oxarbitrage, @radik878, @sashass1315, @str4d, @syszery, @upbqdn and @zancas