We published a blog post summarizing some of the most relevant changes for end users. It will be updated soon to include the features that have been added since the post has been initially published.
Linux versions & Python 3.12
This release moves from Python 3.9 to Python 3.12.
It also drops support for legacy (and nearly end-of-life) operating systems, in particular CentOS 7.
Because of this, make sure to read the 3.x to 3.3 upgrade guide if you plan to upgrade an existing instance.
If you need any help with the upgrade after reading the docs, donāt hesitate to open a new forum thread.
Major Features
A new āDocument Templatesā module was added which supports the generation of fully customizable PDF documents for event participants such as receipts and certificates of attendance.
The Room Booking module now supports recurring bookings that repeat on specific weekdays. For example, a room can be booked every Monday and Wednesday over a set period of time.
Badge and ticket templates can now be linked to a registration form. This makes it possible to reference custom registration fields when creating the template.
The existing Indico Check-in app has been completely rewritten as a PWA (Progressive Web App). Please note that the old Check-in app has been deprecated and is not compatible with the new version of Indico. The new app can be found here.
A new badge/ticket setting has been added which, when enabled, makes it possible to print badges and/or tickets for accompanying persons in addition to the main registrant.
Users can now export all their data stored in Indico. This includes personal data and any data they are linked to such as registrations, minutes and files uploaded to Indico.
Users can now be anonymized in Indico; this means that all personal identifiers associated with a user will be removed from Indico, whilst only keeping the data that is required for Indico to function properly, in an anonymized manner. This operation can only be performed by Indico system administrators through the indico command-line interface.
Administrators now have the option to require users to accept the Terms of Use during signup and after the terms have been updated.
Event managers can require participants to accept the eventās Privacy Policy when registering.
Event tickets can now be added to Google Wallet using the new experimental Google Wallet integration. You can enable this feature using the ENABLE_GOOGLE_WALLET config setting and then configure it on the category level.
The category calendar view has been improved with new week/day views and new filtering options for category, venue, room or keywords.
Managers can now change the registration fee for selected registrations in bulk.
Lots of new accessibility improvements, including improved keyboard navigation, better color contrast, and better screen reader support.
Internationalization
New locale: English (Canada) (#6063, thanks @OmeGak)
Improvements
Invalidate password reset links once the password has been changed (#5878)
Add full ACLs for custom conference menu items, instead of just being able to restrict them to speakers or registrants (#5670, thanks @kewisch)
Make editing timeline display much more straightforward (#5674)
Allow event managers to delete editables from contributions (#5778, #5892)
Allow room managers to add internal notes to bookings (#5746, #5791)
Support generating tickets and badges for each of the registrantās accompanying persons (#5424)
Improve login page UI, allow overriding the logo URL (LOGIN_LOGO_URL config option) and using custom logos for auth providers (logo_url in the auth provider settings) (#5936, thanks @openprojects)
Show only active registration counts on the registration form management dashboard, and add an inactive registration count to the registration list (#5990)
Store creation date of users and show it to admins (#5957, thanks @vasantvohra)
Add option to hide links to Room Booking system for users who lack access (#5981, thanks @SegiNyn)
Support weekly room bookings that take place on multiple weekdays (#5829, #6000, #5806)
Hide events marked as invisible from builtin search results unless the user is a manager (#5947, thanks @openprojects)
Support sessions that expire at a certain date (specified by the used flask-multipass provider) regardless of activity when using an external login method (#5907, thanks @cbartz)
Add a picture field for registration forms which can use the local webcam to take a picture in addition to uploading one, and also supports cropping/rotating the picture (#5922, thanks @SegiNyn)
Use a more compact registration ticket QR code format which is faster to scan and less likely to fail in poor lighting conditions (#6123)
Add a āPictureā personal data field to registrations. When used, it allows including the picture provided by the user on badges/tickets (#6160, thanks @vtran99)
Support ~~text~~ to strike-out text in markdown (#6166)
Use the event timezone when scheduling call for abstracts/papers (#6139)
Allow setting registration fees larger than 999999.99 (#6172)
Populate fields such as first and last name from the multipass login provider (e.g. LDAP) during sign-up regardless of synchronization settings (#6182)
Hide redundant affiliations tooltip on the Participant Roles list (#6201)
Correctly highlight required āyes/noā registration form field as invalid (#6109, #6242)
Include comments in the Paper Peer Reviewing JSON export (#6253)
Fail with a nicer error message when trying to upload a non-UTF8 CSV file (#6085, #6259)
Do not include unnecessary user data in JSON exports (#6260)
Accessibility
Include current language in page metadata (#5894, thanks @foxbunny)
Allow filtering the contribution list in the management area by custom fields (#6213, #6214)
Show āGo to timelineā button on the contribution page to everyone who can see the timeline of one of its editables instead of just submitters (#6344)
Add a new āTimetable Sessionsā registration form field type which allows selecting session blocks from the event (#6184, thanks @jbtwist)
Link the event title to the event in registration emails (#6358)
Add the option to make registration forms private so they can only be accessed using a secret link (#6321, thanks @vtran99)
Add experimental support for creating Apple Wallet (Passbook / pkpass) tickets (opt-in via ENABLE_APPLE_WALLETindico.conf setting) (#6248, thanks @openprojects)
Add a new event management permission that grants access only to the contributions module (#6348)
Add bulk JSON export option in management contribution list (#6370)
Make the default roles of the contribution person link list field more similar to the abstract person link list field when there is a linked abstract (#6342)
Add option to hide person titles throughout the event (#38, #6104, thanks @vasantvohra)
Preserve input when switching between judgment actions for an editable (#6375)
Allow generating documents from the registration summary page (#6212, #6306, thanks @hitenvidhani)
Modernize the event social share widget and add support for sharing to Mastodon (#6289)
Enable the calendaring + social sharing widget in events by default (#6398)
Ignore diacritics when searching in the registration form country field (#6403, thanks @tomako)
Add preview option for managers to see the participant list as shown to registered participants or unregistered guests (#6052, thanks @vtran99)
Bugfixes
Fix the dashboard iCal export returning old events instead of recent ones when the maximum number of events to include is reached (#6312)
Fix an error in the Check-in app API wben retrieving details for a registration form that includes static labels (#6326)
Fix action buttons being pushed outside the content area in the survey editor in case of very long survey option titles (#6325)
Only allow accessing avatars for published registrations (#6347)
Fix error when trying to import data from an unlisted event (#6350, #6351)
Show results from the Get Next Editable search on top of the list (#6353)
Attach registration pictures and display them inline when sending email notifications instead of just showing their filename (#6336, #6411, thanks @SegiNyn)
Fix editable list filter storage being shared between different editable types and events (#6359)
Fix UI breaking when performing bulk actions via the list of editables (#6369)
Include registration documents in user data export (#6331, #6338)
Fix error when viewing an abstract with reviews in deleted tracks (#6393)
Do not include custom messages about the current registration status when sending notifications about new documents (#6413)
Only normalize title slug in custom page URL after successful access check (#6416, #6417)
Accessibility
Improve registration form date picker accessibility (#6371, thanks @foxbunny)
Internal Changes
Use unguessable URLs for user avatar pictures (#6346, thanks @vtran99)
We have released v3.3.4 which contains a medium-severity security fix, bugfixes, improvements and a new translation.
Security fixes
Fix an XSS vulnerability during account creation. Exploitation requires initiating account creation with a maliciously crafted link, and then finalizing the signup process, so it can only target newly created (and thus unprivileged) Indico users. We consider this vulnerability to be of āmediumā severity since the ability to abuse this is somewhat limited, but you should update as soon as possible nonetheless (GHSA-rrqf-w74j-24ff)
Internationalization
New translation: Swedish
Improvements
Allow cropping an existing picture in registration form picture fields (#6423, thanks @SegiNyn)
Add task to delete old registration files when they become orphaned due to a new file being uploaded (#6434, thanks @SegiNyn)
Allow searching for author names in editable lists (#6451)
Add ability to filter editable lists by the parent session of the editableās contribution (#6453)
A roomās bookable hours can now be applied to specific weekdays, making it unbookable on any other weekdays (#6439)
Add global settings for min/max registration form data retention periods (#6445, thanks @SegiNyn)
Always open links in registration form field/section descriptions in a new tab (#6512)
Preserve entered text when switching between commenting and judging in the editing module (#6503, #6502)
Add quick setup button to configure default notifications in Call for Abstracts (#6454, thanks @jbtwist)
Bugfixes
Fix display of empty session selection in registration summary (#6421, thanks @jbtwist)
Include date when displaying session field data in registration summary (#6431, thanks @jbtwist)
Fix the order of a dayās session blocks in the registration form session field (#6428, thanks @jbtwist)
Wrap overly long descriptions and filenames in registration form fields (#6436, thanks @SegiNyn)
Fix validation error when clearing a date field in the registration form (#6470)
Fix access error when a manager registers a user in a private registration form (#6486)
Fix access error when a manager uploads files in a private registration form (#6487, thanks @vtran99)
Improve color handling in badge designer (auto-add # for hex colors) (#6492)
Do not count deleted rooms for equipment/attribute usage numbers (#6493, #6494)
Allow deleting event persons which are linked to a deleted subcontribution (#6495)
Fix validation error in registration form date fields when using Safari (#6474, #6501, thanks @foxbunny)
Fix date picker month/year navigation not working in Safari (#6505, thanks @foxbunny)
Enforce a minimum size on the registration form picture cropper to avoid sending an empty image after repeated cropping (#6498, thanks @jbtwist)
Fix future events being always displayed after current events in categories while not logged in (#6509)
Accessibility
Improve registration form single choice input accessibility (#6310, thanks @foxbunny)
Internal Changes
Indicate when a booking begins/ends in the booking calendar in day-based mode (when using a plugin to customize the room booking module) (#6414)
Update the list of supported browsers so people using highly outdated browsers where certain features are likely broken get a warning about having to update their browser (#6442)
Add <ind-combo-box> custom element (#6310, thanks @foxbunny)
Add <ind-select> custom element (#6310, thanks @foxbunny)
Indico and plugin wheels are now built using hatchling instead of setuptools, and package metadata is specified using pyproject.toml. Developers who want to build their own plugins need to switch from setup.py and/or setup.cfg to pyproject.toml as well (#6477)
Prevent timetable entries with zero/negative durations (#6420)
Warn when required indico.conf settings are missing or empty (#6504, thanks @OmeGak)
We have released v3.3.5 which contains a low-severity security fix, bugfixes, improvements and a new translation.
We also released an updated indico-plugins bundle (v3.3.2) which contains mainly updated translations, adaptations related to the new Indico release and some other small improvements.
Security fixes
Fix an open redirect during account creation. Exploitation requires initiating account creation with a maliciously crafted link, and then finalizing the signup process, after which the user would be redirected to an external page instead of staying on Indico (thanks @GauthierGitHub)
Internationalization
New translation: Japanese
Improvements
Allow specifying āprevā and ānextā as the date param on the category overview page to show the previous or next period relative to the current date (#6537)
Add caching and rate-limiting (configurable via LATEX_RATE_LIMIT, and only applied to unauthenticated users) for endpoints that trigger LaTeX PDF generation (#6526)
Log changes to registration form settings in the event log (#6544, thanks @vtran99)
Improve conference participant list, especially when participants from multiple registration forms are shown separately (#6440, #6489)
Include information about attached files in JSON export of abstracts (#6556)
Take session program codes into account when sorting parallel sessions with the same start time in meeting timetable (#6575)
Enforce browser-side caching of event logos and custom stylesheets (#6555, #6559)
Default to banner-style (full width) logos in newly created conference events (#6572, thanks @OmeGak)
Add email placeholder for the picture associated with a registration (#6580, thanks @vtran99)
Allow setting placeholders for text fields in receipt templates (#6587)
Add a new receipt template for Certificates of Attendance (#6587)
Show correct repetition details for bookings repeating every n weeks (#6592)
Show context (event/contribution title etc.) in the title of the minutes editor (#6584, #6591)
Streamline āget next editableā UI and only show editables that still unassigned (#6583)
Stop spoofing email sender addresses when using the SMTP_ALLOWED_SENDERS and SMTP_SENDER_FALLBACK config settings. Instead, the From address will be rewritten to the fallback whenever the requested address is not an allowed sender (#6231, thanks @SegiNyn)
Make picture field more resilient when uploading and resizing pictures close to the max upload file size (#6530, thanks @SegiNyn)
Fix the order of the event classifications in edit mode (#6531, #6534)
Fix an issue where scheduling a contribution on a day with an empty timetable would schedule it on the first day of the event instead (#6540, #6541)
Fix error in unmerged participant list when the picture field is enabled and participant list columns have not been customized for that registration form (#6535)
Fix breakage of the registration form dropdown field (and anything else using a custom element that uses ElementInternals) in older versions of Safari (#6549, thanks @foxbunny)
Fix linebreak display in markdown code blocks in survey section descriptions (#6553)
Include attached pictures when downloading registration attachments (#6564)
Only allow marking unpaid registrations as paid (#6330, #6578)
Do not allow mixing notification rules for invited abstracts with other rules (#6563, #6567)
Use locale-aware price formatting in registration form fields (#6586)
Handle badge designer items exceeding the canvas boundaries more gracefully (#6603, thanks @SegiNyn)
Accessibility
Improve country input accessibility (#6551, thanks @foxbunny)
Reimplement Checkbox to make it programmatically focusable (#6528, thanks @foxbunny)
Implement a RadioButton component to replace the SUI radio button in order to improve keyboard support (#6621, thanks @foxbunny)
Improve keyboard accessibility of the timetable sessions field in registration form (#6639, thanks @foxbunny)
Internal Changes
Make positioning logic from TipBase generic and reusable (#6577, #6588, thanks @foxbunny)
Add additional signals related to videoconferences and their event links (#6475)
Videoconference plugins now need to implement a delete_room method (#6475)
Support translator comments when extracting translatable strings (#6620)
renderAsFieldset option in the registration field registry can now be a function that returns a boolean (#6621, thanks @foxbunny)
Allow overriding global theme settings for custom meeting themes (#6622)
We have released v3.3.6 which contains a low/medium-severity security fix, bugfixes, improvements and a new translation.
We also released an updated indico-plugins bundle (v3.3.3) which contains mainly updated translations, adaptations related to the new Indico release and some other small improvements.
Security fixes
Update the Jinja2 library due to a sandbox escape vulnerability (2025-27516).
Note: Since document templates can only be managed by Indico admins (unless granted to specific other trusted users as well), the impact of this vulnerability is considered low to medium, as it would require a malicious admin to abuse this e.g. to to read indico.conf data, which is otherwise only accessible to people with direct server access.
Improvements
Add a new āAccepted by Submitterā state for editables when a submitter approved the changes proposed by the editor (#6185, #6186)
Highlight editables in the editable list that have been updated since the last time they were viewed (#6500)
Refresh the looks of the PDF timetable (#6554, #6558)
Redact session cookie value in error emails (#6666)
Allow creating a new local account during password reset if the user does not have one yet (#6688)
Set session cookies with SameSite=Lax so they are not sent when Indico is embedded in a third-party iframe (#6690)
Make the event export/import util much more flexible to support exporting whole category subtrees, add better support for dealing with files, and add various things that were not correctly exported before (#6446)
Add a setting to limit the information room booking users can see for bookings not linked to them or their rooms (#6704)
Add shortcuts to the past and closest events in a category (#6710)
Add a new setting (ALLOW_ADMIN_USER_DELETION) to let administrators permanently delete Indico users from the user management UI (#6652, thanks @SegiNyn)
Support ==text== to highlight text in markdown (#6731, #6732, #6767)
Add an event setting to allow enforcing search before entering a person manually to a persons list in abstracts and contributions (#6689)
Allow users to login using their email address (#6522, thanks @SegiNyn)
Do not āinlineā the full participant list in conference events using a meeting-style timetable and link to the conference participant list instead (#6753)
Add new setting LOCAL_USERNAMES to disable usernames for logging in and only use the email address (#6751, #6810)
Tell search engines to not index events marked as āinvisibleā (#6762, thanks @openprojects)
Make the minimum length of local account passwords configurable, and default to 15 instead of 8 for new installations (#6629, #6740, thanks @amCap1712)
Include submitter email in abstract PDF export (#3631, #6748, thanks @amCap1712)
Remove anonymized users from local groups (#6738, thanks @SegiNyn)
Add ACLs for room booking locations which can grant privileges on the location itself and/or all its rooms (#6566, thanks @SegiNyn)
Support alternative names in predefined affiliations and make its search more powerful (#6758)
Add setting to disallow entering custom affiliations when predefined affiliations are used (#6809)
We have released v3.3.7 which contains a medium-severity security fix, bugfixes and many improvements, including a pretty significant one (conditional registration form fields).
We also released an updated indico-plugins bundle (v3.3.5) which contains adaptations related to the new Indico release and some other small improvements.
Security fixes
Prevent dumping basic user details (name, affiliation and email) in bulk using the user id (CVE-2025-53640)
Note: With Indico being a tool that is primarily used for academic events, where it is expected behavior that you can look users up by name and email and use the email address as a common way of identifying someone (as names are not unique, often not even combined with someoneās affiliation), we only classify this as āmediumā severity. Looking up some users is normal, but obviously being able to look up all of them at once, is not something thatās intended.
In case you want to lock down user search much more strongly, please have a look at the ALLOW_PUBLIC_USER_SEARCH setting which has been added in this release as well.
Searching existing Indico users can be restricted to managers by setting ALLOW_PUBLIC_USER_SEARCH to False. This also limits the verbosity of email status checks while registering for events and disallows registering on behalf of another Indico user (#6960)
Allow linking existing booking to an event even if thereās no exact date/time overlap, and do not show a large number of unrelated bookings (#6568, #6811, #6846, thanks @Moliholy, @unconventionaldotdev)
Add a log for global admin actions, similar to that in events, categories and users (#6868, thanks @tomako)
Bugfixes
Fix inconsistent page numbering in PDF timetable (#6824, #6827)
Do not log logins rejected by a plugin as errors (#6834, thanks @OmeGak)
Do not trigger notifications for withdrawn service requests when deleting past events (#6700, #6754, thanks @bhngupta)
Fix date picker on category calendar view (#6849, #6850)
Fix scheduling existing contributions not working in rare cirucmstances (#6853)
Convert author/speaker email addresses to lowercase during input and use the lowercase version for deduplication (#6855)
Fix error when removing the title of an event person (#6859)
Fix participant visibility being set to ānobodyā when a registration was modifified (#6863)
Fix error when editing a room while no custom attributes have been defined (#6840)
Allow the browser to perform spellchecking in the HTML/WYSIWYG minutes editor (#6890)
We have released v3.3.8 which contains two medium-severity security fixes, bugfixes and many improvements.
Security fixes
Fix a legacy API giving access to profile details of other users due to a broken authorization check (CVE-2025-59034, thanks @inkz)
Fix an XSS vulnerability in the LaTeX math rendering code applied to contribution descriptions (CVE-2025-59035)
Improvements
Add a CAPTCHA and rate limiting to the material package endpoint, and an event setting to restrict who can generate one (defaults to managers only) (#6996)
Add support for custom event reminders with freely chosen subject and body, and allow rich-text for the custom message in standard reminders (#6989, thanks @tomako, @unconventionaldotdev)
Allow specifying a maximum session lifetime via SESSION_MAX_LIFETIME beyond which it cannot be refreshed by activity (#7030)
Make displaying corresponding author email addresses in the Book of Abstracts opt-in (#7002, thanks @adamjenkins)
Add plugin support for scanning custom QR codes in the Check-in app (#6954, thanks @SegiNyn)
Add new tags column to the Editable list (#6614, #6615)
Bugfixes
Fix missing spacing between toolbar button groups (#6981)
Fix error with certain registration form field types if the badge text overflow behavior was set to āresizeā (#6993)
Fix not being able to update a registration if an accommocation field was added after registering and the user already paid for the registration (#7000)
Fix registration form field type selector not being fully visible on smaller screen widths (#7012, #7013)
Fix user search not working for admins in room booking module with no rooms defined (#7016, #7017, thanks @behackl)
Fix author contribution list not showing any other contributions (#7025, #7049, thanks @diksharai9)
Fix some LaTeX strings being rendered incorrectly and/or breaking the timetable PDF generation (#7068)
Accessibility
Use proper heading hierarchy (H3 instead of H4) for date headings on category event list pages (#7038, thanks @foxbunny)
Add accessible labels to extra slots dropdown fields in registration forms (#7039, thanks @foxbunny)
Use proper semantic heading elements for registration form section titles (#7040, thanks @foxbunny)
Improve screen reader + keyboard support in the registration form picture field (#7064, #7065, thanks @foxbunny)
Internal Changes
Remove broken support for custom multipass providers setting a maximum session lifetime; use SESSION_MAX_LIFETIME instead (#7030)
Use Biome to format JS/JSX, TS/TSX, JSON and CSS (#7042)
Add the env var INDICO_TEST_USE_DOCKER, which allows for tests to be run on a PostgreSQL server running in a container
Blog Post
Linux versions & Python 3.12 
Major Features
Internationalization
Improvements
Bugfixes
Accessibility
Internal Changes
Bugfixes
Improvements
Internal Changes
Internationalization
Accessibility
Security fixes