42Crunch Platform release, February 10, 2026

This 42Crunch API Security Platform release brings support for the OpenAPI Specification (OAS) v3.1 to API Protection and allows deleting multiple APIs in one go. In addition, we have introduced API Contract Generator into our IDE extensions.

New features

The following are the new features and improvements to the existing ones in this release.

Support for the OAS v3.1 in API Protection

We have extended the support for the OAS v3.1 to API Protection and API Firewall. This means that in addition to running API Security Audit and API Scan on an API that follows the OAS v3.1, you can now also generate a protection configuration for it and protect it with an API Firewall instance.

This brings the support of the OAS v3.1 to all features of 42Crunch Platform. We will continue to enhance the support in future releases.

For more details about protecting your APIs, see API Protection.

Bulk deletion of APIs

You can now delete multiple APIs in an API collection in one go. Simply tick the boxes of the APIs you want to delete and then click the Delete button above the list.

Bulk deletion is also available in Find API.

If some of the APIs you included cannot be deleted, for example, because they have an active API Firewall instance running or you do not have the permission to do so, you will be notified about those APIs and can still proceed to delete the rest of the selected APIs.

Currently, only deleting APIs is supported as a batch operation. We will continue to improve and extend batch operations to other entities in the future.

For more details on managing your APIs, see Import APIs.

API Contract Generator in IDEs

We have introduced a new feature, API Contract Generator, into our existing IDE extensions. With API Contract Generator, you do not have to start from scratch and manually write a whole OpenAPI definition. If you have an existing API implementation but no OpenAPI definition for it, you can use API Contract Generator to automatically generate one for it.

Just upload up to 10 files as input — Postman collections as JSON files, HAR files generated with the browser developer tools, or a mix of the two — and API Contract Generator generates an OpenAPI definition for your API, directly in your IDE. You can then open the generated API definition in your IDE to continue working on it, or save it for later.

The screenshot shows generating a new OpenAPI definition from a Postman collection.

For more details, see API Contract Generator in IDEs.

In addition, our IDE extensions now support the dark mode in the SwaggerUI preview.

We have also fixed a bug that prevented saving the TTL value when configuring authentication details for a bearer token in a scan configuration in IDEs.

Other improvements

We have also made some other, smaller improvements:

  • If available, the audit score of an API is now also shown in the API collection view even if Security Audit finds semantic issues in the API.
  • We have fixed a bug in value generation in API Scan.

Compatibility

This section lists the compatible Docker images for some of the components of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • NEW: 42crunch/apifirewall:v1.2.0
    • Support for the OAS v3.1
    • Upgrade to go-1.25.6 (CVE-2025-68121, CVE-2025-61728, CVE-2025-61726, CVE-2025-61731, CVE-2025-68119)
    • Upgrade to openssl 3.5.5 (CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796)

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/apifirewall:v1.1.16
    • Upgrade to httpd-2.4.66 (CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200)
    • Upgrade to golang-1.25.5 (CVE-2025-61727, CVE-2025-61729)
  • 42crunch/apifirewall:v1.1.15
    • Upgrade to PCRE2-10.46 (CVE-2025-58050)
  • 42crunch/apifirewall:v1.1.14
    • Upgrade to openssl-3.5.4 (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232)
    • Upgrade to libexpat-2.7.3 (CVE-2025-59375)
    • Upgrade to go-1.25.3 (CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, CVE-2025-61725)
  • 42crunch/apifirewall:v1.1.13
    • Upgrade to httpd-2.4.65 (CVE-2025-53020, CVE-2025-49812, CVE-2025-49630, CVE-2025-23048, CVE-2024-47252, CVE-2024-43394, CVE-2024-43204, CVE-2024-42516, CVE-2025-54090)
  • 42crunch/apifirewall:v1.1.12
    • Fixed handling of schema validation errors
    • Upgrade to go-1.24.4 (CVE-2024-45338)
    • Upgrade to go-grpc 1.73.0
  • 42crunch/apifirewall:v1.1.11
    • Fixed resource consumption on graceful restart
  • 42crunch/apifirewall:v1.1.9
    • Upgrade to expat 2.7.0-r0 (CVE-2024-8176)
    • Upgrade to golang.org/x/net 0.36.0 (CVE-2025-22870)
  • 42crunch/apifirewall:v1.1.8
    • Upgrade to openssl-3.3.3 (CVE-2024-12797, CVE-2024-13176)
  • 42crunch/apifirewall:v1.1.7
    • Fixed the failure in forwarding large request bodies
    • Upgrade to go-1.23.4 (CVE-2024-45338)
  • 42crunch/apifirewall:v1.1.6
    • Upgrade to openssl-3.3.2-r1 (CVE-2024-9143)
  • 42crunch/apifirewall:v1.1.5
    • Switch to the system certificate store to fix certificate authority renewal issue

All previous image versions have been deprecated and are no longer supported. We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

API Scan images

This release is compatible with the following API Scan images for running it on-premises. The major release number indicates whether the image is for the Scan v1 or Scan v2 engine.

Scan v2

  • NEW: 42crunch/scand-agent:v2.53.0
    • Fixed value generation on conformance tests
    • Upgrade to Golang 1.25.6 (CVE-2025-61726, CVE-2025-61728, CVE-2025-61730)

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v2.52.0
    • Upgrade to golang.org/x/crypto v0.45.0 (CVE-2025-47914, CVE-2025-58181)
  • 42crunch/scand-agent:v2.51.0
    • Upgrade to golang.org/x/crypto v0.44.0 (CVE-2025-47913)
    • Fixed including nested objects in arrays in requests
  • 42crunch/scand-agent:v2.50.2
    • Upgrade to Golang 1.25.3 (CVE-2025-58185)
    • Adjusted proxy behavior
    • Fixed handling of examples in test generation
  • 42crunch/scand-agent:v2.50.0
    • Upgrade to Golang 1.25.1 (CVE-2025-47906)
    • Fixed generating a value for a test in case of an overflow
    • Fixed calculation of estimated tests in case of skipped tests
    • Fixed parsing error with long strings of numbers
  • 42crunch/scand-agent:v2.49.0
    • Support for drift scan
  • 42crunch/scand-agent:v2.48.0
    • Ignore unsupported operations during scan
    • Fixed calculation of estimated tests and executed tests
    • Fixed variable replacement in Scan v2 in v1-compatible mode
  • 42crunch/scand-agent:v2.47.0
    • Ignore unsupported methods
    • X-Scan-Transactionid included in every request
    • Upgrade to chi v5.2.2 (CWE-601)
  • 42crunch/scand-agent:v2.46.3
    • Upgrade to Golang 1.24.4 (CVE-2025-0913, CVE-2025-22874, CVE-2025-4673)
  • 42crunch/scand-agent:v2.46.1
    • Scan rules defined in the platform taken into account in scans
    • URL normalization
  • 42crunch/scand-agent:v2.45.0
    • Upgrade to Golang 1.24.2 (CVE-2025-22871)
    • Upgrade to golang.org/x/net v0.39.0 (CVE-2025-22872)

All previous image versions have been deprecated and are no longer supported.

Scan v1

  • NEW: 42crunch/scand-agent:v1.53.0
    • Upgrade to Golang 1.25.6 (CVE-2025-61726, CVE-2025-61728, CVE-2025-61730)

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v1.52.0
    • Upgrade to golang.org/x/crypto v0.45.0 (CVE-2025-47914, CVE-2025-58181)
  • 42crunch/scand-agent:v1.51.0
    • Upgrade to golang.org/x/crypto v0.44.0 (CVE-2025-47913)
    • Fixed including nested objects in arrays in requests
  • 42crunch/scand-agent:v1.50.2
    • Upgrade to Golang 1.25.3 (CVE-2025-58185)
    • Adjusted proxy behavior
  • 42crunch/scand-agent:v1.50.0
    • Upgrade to Golang 1.25.1 (CVE-2025-47906)
  • 42crunch/scand-agent:v1.49.0
    • Internal cleanup and refactoring
  • 42crunch/scand-agent:v1.48.0
    • Fixed scan report size checks
  • 42crunch/scand-agent:v1.47.0
    • Ignore unsupported HTTP methods
    • X-Scan-Transactionid included in every request
    • Upgrade to chi v5.2.2 (CWE-601)
  • 42crunch/scand-agent:v1.46.3
    • Upgrade to Golang 1.24.4 (CVE-2025-0913, CVE-2025-22874, CVE-2025-4673)
  • 42crunch/scand-agent:v1.46.0
    • Internal cleanup and refactoring
  • 42crunch/scand-agent:v1.45.0
    • Upgrade to Golang 1.24.2 (CVE-2025-22871)
    • Upgrade to golang.org/x/net v0.39.0 (CVE-2025-22872)

All previous image versions have been deprecated and are no longer supported.

Deprecated components

The following have been deprecated and will be removed in the future.

Deprecated API Scan images

The following versions of the 42crunch/scand-agent Docker image have been deprecated and will be removed in August 2026. See Deprecated API Scan images.

Deprecated Scan v2 images

  • 42crunch/scand-agent:v2.0.21
  • 42crunch/scand-agent:v2.0.20
  • 42crunch/scand-agent:v2.0.19
  • 42crunch/scand-agent:v2.0.18
  • 42crunch/scand-agent:v2.0.17
  • 42crunch/scand-agent:v2.0.15
  • 42crunch/scand-agent:v2.0.13
  • 42crunch/scand-agent:v2.0.12
  • 42crunch/scand-agent:v2.0.11
  • 42crunch/scand-agent:v2.0.10
  • 42crunch/scand-agent:v2.0.9
  • 42crunch/scand-agent:v2.0.8
  • 42crunch/scand-agent:v2.0.7
  • 42crunch/scand-agent:v2.0.6
  • 42crunch/scand-agent:v2.0.4
  • 42crunch/scand-agent:v2.0.3

Deprecated Scan v1 images

  • 42crunch/scand-agent:v1.22.27
  • 42crunch/scand-agent:v1.22.25
  • 42crunch/scand-agent:v1.22.24
  • 42crunch/scand-agent:v1.22.23
  • 42crunch/scand-agent:v1.22.21
  • 42crunch/scand-agent:v1.22.20
  • 42crunch/scand-agent:v1.22.19
  • 42crunch/scand-agent:v1.22.18
  • 42crunch/scand-agent:v1.22.17
  • 42crunch/scand-agent:v1.22.16
  • 42crunch/scand-agent:v1.22.15
  • 42crunch/scand-agent:v1.22.14
  • 42crunch/scand-agent:v1.22.13
  • 42crunch/scand-agent:v1.22.12
  • 42crunch/scand-agent:v1.22.11
  • 42crunch/scand-agent:v1.22.9
  • 42crunch/scand-agent:v1.22.8
  • 42crunch/scand-agent:v1.22.7
  • 42crunch/scand-agent:v1.22.6
  • 42crunch/scand-agent:v1.22.4

Known issues

This release has the following known issues.

Manage teams permission not shown on list of users

The permission to manage teams is not yet shown on the list of users in your organization, but you can view all permissions that a user has by clicking the permission column. This permission also does not yet have a shortcut that you could use when searching by permission.

These will be fixed in a future release.

Changing tagging on an API may trigger an unrelated error on the UI

Sometimes applying tags to an API or removing them from it may trigger an unrelated error about failing to fetch the SQG approval report for the API. This happens if the API in question has been scanned on-premises and the scan has finished after you arrived on the API Summary page, because the UI cannot find the latest on-premises scan report and the associated approval report. Refreshing the page gets the latest reports and resolves the issue.

Tagging and untagging the API is not affected by this error: tags get correctly applied and removed in any case.

This will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

Scan customization rules may lead to no response codes being accepted

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes that are defined in scan rules applied to the scanned API take precedence over the response codes that API Scan would otherwise expect. However, this can cause problems in the scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. This results in the scan rule having null defined as the expected response code, and because the scan rule takes precedence over the default scan behavior, no response codes except null are accepted. This in turn means that some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.

We are currently investigating the best way to reconcile the designed behavior of API Scan and scan rules in these cases, and this issue will be fixed in a future release.