🎉 Save 25% on your first month with code: DOOM25
Project Zomboid Build 42.18.0 Unstable Patch Notes (May 2026)

Project Zomboid Build 42.18.0 Unstable Patch Notes (May 2026)

Build 42.18.0 Unstable patches a RakNet DoS vulnerability, two item-duplication exploits, and rewrites non-PVP vehicle interactions. Full server-owner breakdown.

Magnus·
8 min read
·
May 15, 2026

The Indie Stone shipped Project Zomboid Build 42.18.0 to the Unstable branch on May 11, 2026, and from a server operator's perspective this is one of the most consequential patches of the b42 cycle so far. A RakNet DoS vulnerability was patched, two confirmed item-duplication exploits were closed, the non-PVP vehicle interaction model was rewritten from scratch, and a quietly important whitelist auth bug that let players log in to other people's characters with only a username was removed.

If you run a multiplayer PZ server, read the security section before anything else.

Project Zomboid Build 42.18.0 Unstable banner from The Indie Stone

How to get on Build 42.18.0 Unstable

The 42.18.0 build is on the Unstable beta branch, not Stable. To opt in:

  1. Right-click Project Zomboid in your Steam library.
  2. Select Properties.
  3. Under Game Version & Betas, choose Unstable.

Your server build has to match your client. If you stage a community server on Unstable, every connecting player has to be on the same branch. For most live communities the safer call is to wait one to two weeks for 42.18.x to roll to Stable. The security fixes are reason enough to schedule that update window now though, instead of letting the patch sit.

Security: RakNet DoS, dupe exploits, and a whitelist auth flaw

This is the bit that matters for anyone with a public-IP PZ server.

RakNet DoS vulnerability patched

Build 42.18 fixes a RakNet DoS vulnerability disclosed to the team by a community member credited as Cat. RakNet is the network library PZ uses under the hood, so this is a pre-auth surface: an attacker did not need to be on the whitelist to crash a server using it. There is no public PoC and the Indie Stone notes only confirm the fix, not the exact vector, which is the responsible disclosure pattern we want.

Action item: if your server is exposed on the open internet (not behind a Discord-only IP share), schedule the 42.18 update sooner rather than later. The fix only lands on Unstable today, but it will roll to Stable in the same patch family.

Two duplication exploits closed

42.18 closes two confirmed dupes that have been quietly circulating:

  • Backpack duplication that copied the bag and all of its contents.
  • Forging duplication that produced an extra item per craft.

Both required no mods and worked on any vanilla MP server. If you have noticed players showing up with suspicious amounts of high-tier gear or ingots in the last few weeks, this is probably how. There is no rollback tool, but pinning a post about the closure on Discord and rolling a fresh wipe-light loot pass is the cleanest reset.

Unauthorised item spawning by clients

Closely related: 42.18 fixes "an issue that allowed unauthorised item spawning by clients." Same flavour of bug as the dupes, different vector. Worth knowing if you have ever seen a suspicious admin command audit line that did not come from a real admin.

Whitelist auth: AutoCreateUserInWhiteList removed

The hidden security headline is this line in the changelog:

Removed AutoCreateUserInWhiteList setting. This fixes an issue where in some instances another user could log in to a character by only knowing the username.

If you had AutoCreateUserInWhiteList=true on your server (it was the default behaviour on a lot of community configs), a player could connect with someone else's username and the server would happily create a whitelist entry for them. That is character-takeover territory. The setting is gone in 42.18, and the auth flow now requires a proper whitelist entry first.

If you maintained a whitelist export from a Discord bot or website signup, double-check it still imports cleanly after the update.

Project Zomboid Build 42 multiplayer survivors holding the line

Non-PVP vehicle interactions: full rewrite

42.18 reworks how vehicles interact with non-PVP players. The old behaviour, where a passing car could stagger or kill a friendly player, has been a long-running complaint on community servers and the source of a lot of moderation tickets. After 42.18:

  • Non-PVP players no longer take damage when struck by a vehicle.
  • PVP players still take damage if PlayerDamageFromVehicleImpact is not set to None.
  • PVP players can be knocked down by a vehicle when KnockedDownAllowed=true.
  • Non-PVP players are no longer staggered or knocked down by vehicle impacts.
  • Non-PVP players no longer damage vehicles on contact.
  • Persistent pedestrian contacts stop applying max damage to cars.

This is a one-way improvement for PvE servers. For PvP servers, nothing changes by default; the existing damage knobs still work the way they used to.

Renamed server settings (check your config)

Two settings changed names. If you templated your servertest.ini from a community guide, update accordingly:

  • DisableSafehouseWhenPlayerConnected is now DisableSafehouseWhenOwnerConnected. The new name actually matches what the setting does (block safehouse breach while the owner is online, not any player).
  • "Wars" setting is now disabled by default. If you run a PvP server and were relying on the default, you have to explicitly enable it.

If your config still has the old DisableSafehouseWhenPlayerConnected key, the server will likely just ignore it on next boot. Double-check after the update.

Other MP fixes worth pinning

A small selection from the multiplayer fix list that will be felt on community servers:

  • Server hangs on world save creation fixed.
  • Anti-cheat false positive triggering fixed.
  • Vehicle-related desyncs: clipping through one another, choppy trailers for remote players, taking too much damage on collision.
  • Mannequin clothing disappearing visually after relog fixed.
  • Dyed clothing only changing colour when dropped fixed.
  • Calorie burn rate applying incorrectly when sitting in a vehicle fixed (this one quietly broke the food economy on long-running servers).
  • Body Damage & Muscle Strain from overencumbrance no longer accumulates 4x faster on MP.
  • "distant vehicle" audio is back, so players can hear cars approaching from a distance again.
  • Map visited area now resets after relog, and VisitedMap saves got optimisation work.
  • Redundant Fire and Smoke anti-cheats removed, redundant XP / XPPlayer anti-cheats and the unused AddXP packet removed. Less false-positive surface area.

Hosts running heavy mod stacks should retest after the update; the anti-cheat changes plus the modding API tweaks below sometimes shake out previously-silent mod incompatibilities.

New content and balance

It is mostly an MP and fixes patch, but a few things changed for players too:

New

  • New weapon reload animations for lever action rifles and shotguns.
  • Accessibility option: auto-pause the game when reading maps (note: known to freeze the map screen on controllers, disable if you use a gamepad).
  • New keybind for Sit on Ground.
  • New garbage bin assets for Spiffos and PizzaWhirled, updated propane tank assets.

Balance

  • Park Ranger now has +1 Carving instead of +1 Tracking.
  • Rancher now has +1 Fitness instead of +1 Agriculture.
  • Improvised Gas Mask rebalanced: clean rags can be used as Rag Filters, weaker than commercial respirators but stronger than a bandana, and used filters at <= 30% Delta return as dirty rags.
  • Fluid container capacities adjusted: Jerry Can 10L to 20L, military canteens 500ml to 900ml, Cowboy canteen 1L to 1.8L, hydration backpacks 1L to 2L (or 3L for camo).
  • Empty beer bottle capacity slashed from 1L to 300ml, which is closer to a real bottle.

Project Zomboid Build 42 vehicles and survivor in Kentucky

Modding API: faction sync events and zombie speed methods

For server owners running mod stacks, the relevant additions:

  • Non-base Module recipes now work in MP (this was a recurring complaint).
  • New SyncFactionServer(factionName, isRemove) event that fires on any faction change.
  • New public methods on zombies: doCrawlerSpeed(zombieSpeed), doSprinter(), doFastShambler(), doFakeShambler(), doShambler(), getSpeedType(). Difficulty and horde mods that swap zombie speeds at runtime can now do it cleanly through the public API.
  • getModTags() and setTags() added to CraftRecipe, getItems() added to InputScript.
  • Mod Foraging Icon bug fixed: mod items can now be foraged, which silently broke a number of seasonal mods.
  • Texture field added to Trait Script (custom Trait icons no longer need a hack).

If you ship a faction mod or a difficulty mod, plan a quick smoke test on Unstable before pushing 42.18 to your community.

Should you switch your live server to Unstable now?

Honest answer for a community-server host:

  • Public-facing server with a security-sensitive audience: schedule a maintenance window in the next 7 days. The RakNet fix and the whitelist auth fix are reasons enough on their own.
  • Private friend group server: wait for 42.18 to hit Stable. The bugs that are still in Unstable will be in a 42.18.x hotfix soon.
  • You actively want to test mods against 42.18 before Stable drops: switch a dev server, not your live community.

Either way, back up your save before updating. A pre-patch snapshot is cheap; restoring a corrupted world from a Steam recycled backup is not.

Host your Project Zomboid server with DoomHosting

If you are spinning up a fresh server to test 42.18, or thinking about moving off a laggy box before the next hotfix wave, DoomHosting's Project Zomboid servers run on Ryzen 9 hardware with instant setup, full FTP access for editing servertest.ini and Sandboxvars.lua directly, Steam Workshop one-click mod installs, DDoS protection, and 24/7 support. Pricing scales by RAM, so you can size for your actual player count instead of paying for slots you do not use.

Stay safe out there, Kentucky.

🚀

Ready to get started?

Experience premium game server hosting with DoomHosting. Instant setup, 24/7 support, and 99.99% uptime guarantee.

Get StartedTools

Related Posts

V Rising 1.1.1 Patch Notes + Free Weekend (May 14-18, 2026)
NewsMay 14, 2026

V Rising 1.1.1 Patch Notes + Free Weekend (May 14-18, 2026)

V Rising goes free on Steam May 14-18, 2026 and Patch 1.1.1 is live on Public Test now. Full balance notes, sale details, and what server owners should expect.

Vintage Story 1.22.2 Patch Notes: Server Crash Hotfix (May 3, 2026)
NewsMay 13, 2026

Vintage Story 1.22.2 Patch Notes: Server Crash Hotfix (May 3, 2026)

Vintage Story 1.22.2 (May 3, 2026) fixes a rare crash loop on large servers, the 4D grinding wheel bug, and nerfs mortar output. Here's what to update.

7 Days to Die V3.0 Sandbox Siege: 100+ Server Settings Teased (May 2026)
NewsMay 12, 2026

7 Days to Die V3.0 Sandbox Siege: 100+ Server Settings Teased (May 2026)

The Fun Pimps teased V3.0 Sandbox Siege: 100+ configurable server settings, no-trader runs, headshots-only mode, zombie speed sliders. Update plan inside.

Valheim Public Test 0.221.13: New Chunked World Save System (May 6, 2026)
NewsMay 11, 2026

Valheim Public Test 0.221.13: New Chunked World Save System (May 6, 2026)

Valheim 0.221.13 lands on Public Test with a brand-new chunked world save system: faster saves, smaller writes, and far less risk of corruption.