From ce267cd69df585225d9945543ca1232f4691a0e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?= <mail@jan-boehmer.de>
Date: Sun, 3 May 2026 19:43:12 +0200
Subject: [PATCH] Only show version string in health endpoint, when user has
 permissions

---
 src/Controller/UpdateManagerController.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/Controller/UpdateManagerController.php b/src/Controller/UpdateManagerController.php
index 51715e4d..d74f94c0 100644
--- a/src/Controller/UpdateManagerController.php
+++ b/src/Controller/UpdateManagerController.php
@@ -588,9 +588,16 @@ class UpdateManagerController extends AbstractController
     #[Route('/health', name: 'admin_update_manager_health', methods: ['GET'])]
     public function healthCheck(): JsonResponse
     {
-        return $this->json([
+        //Only show version if user is logged in and has permission
+
+        $response = [
             'status' => 'ok',
-            'version' => $this->versionManager->getVersion()->toString(),
-        ]);
+        ];
+
+        if ($this->isGranted('@system.show_updates')) {
+            $response['version'] = $this->versionManager->getVersion()->toString();
+        }
+
+        return $this->json($response);
     }
 }