chore: add changelog for 10.16.3

DeepDiver1975 · claude · DeepDiver1975 · commit 1c98f2ef1e68 · 2026-05-22T09:32:44.000+02:00
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
Signed-off-by: Thomas Müller &lt;1005065+DeepDiver1975@users.noreply.github.com&gt;
diff --git a/changelog/10.16.3_2026-05-22/41538 b/changelog/10.16.3_2026-05-22/41538
@@ -0,0 +1,8 @@
+Bugfix: Prevent mounting local storage if not allowed.
+
+Mounting a local storage was possible if the internal class name was used as
+backend, despite local storage not allowed to be mounted. This problem is
+fixed and the local storage can't be mounted if it was explicitly disallowed in
+the configuration.
+
+https://github.com/owncloud/core/pull/41538
diff --git a/changelog/10.16.3_2026-05-22/41539 b/changelog/10.16.3_2026-05-22/41539
@@ -0,0 +1,5 @@
+Fix: Use the correct user ID when changing email via admin API
+
+The admin API endpoint for changing a user's email address was incorrectly using the requesting admin's user ID instead of the target user's ID, causing the admin's email to be updated rather than the intended user's.
+
+https://github.com/owncloud/core/pull/41539
diff --git a/changelog/10.16.3_2026-05-22/41550 b/changelog/10.16.3_2026-05-22/41550
@@ -0,0 +1,9 @@
+Security: Restrict AppConfigController read methods to full admins only
+
+Subadmin users could read all oc_appconfig values including SMTP passwords,
+LDAP bind credentials, and encryption master keys via the Settings API.
+Removed @NoAdminRequired from getApps, getKeys, and getValue so that the
+AdminMiddleware enforces full-admin-only access, consistent with the write
+methods.
+
+https://github.com/owncloud/core/pull/41550
diff --git a/changelog/10.16.3_2026-05-22/41558 b/changelog/10.16.3_2026-05-22/41558
@@ -0,0 +1,5 @@
+Fix: Prevent IDOR in WebDAV comments API
+
+Authenticated users could read, edit, or delete comments on files they have no access to by supplying an arbitrary comment ID in the WebDAV comments endpoint. The fix verifies that a requested comment belongs to the file in the URL before returning it.
+
+https://github.com/owncloud/core/pull/41558
diff --git a/changelog/10.16.3_2026-05-22/phpseclib-security-2026-05 b/changelog/10.16.3_2026-05-22/phpseclib-security-2026-05
@@ -0,0 +1,6 @@
+Security: Update phpseclib to 3.0.52 for CVE-2026-40194
+
+CVE-2026-40194: Timing attack vulnerability in SSH binary packet processing.
+Upgraded phpseclib/phpseclib from 3.0.50 to 3.0.52.
+
+https://github.com/phpseclib/phpseclib/releases/tag/3.0.51
diff --git a/changelog/10.16.3_2026-05-22/symfony-security-2026-05 b/changelog/10.16.3_2026-05-22/symfony-security-2026-05
@@ -0,0 +1,7 @@
+Fix: Update symfony/routing to 5.4.52 for CVE-2026-45065
+
+CVE-2026-45065: UrlGenerator route-requirement bypass via unanchored regex
+alternation allowing off-site URL injection. Upgraded symfony/routing from
+5.4.48 to 5.4.52.
+
+https://symfony.com/cve-2026-45065
