42Crunch Platform release, March 12, 2026

Platform version: v1.54.x

This 42Crunch API Security Platform release introduces support for the GraphQL specification in 42Crunch Platform.

New features

The following are the new features and improvements to the existing ones in this release.

Support for GraphQL APIs in 42Crunch Platform

In addition to OpenAPI definitions, now you can also work with GraphQL API definitions in 42Crunch Platform.

• Import GraphQL API definitions to API collections in the platform
• Audit the data definition quality and cost analysis capabilities with API Security Audit and get insights into the problems discovered and how to potentially mitigate them
• Generate scan configurations and scan your GraphQL APIs with API Scan to uncover issues in the API implementation
• Define security quality gates (SQGs) to set the minimum quality criteria for your GraphQL APIs to avoid low-quality APIs ending in your code base
• Create customization rules to tweak how Security Audit and API Scan work with your API definitions

In addition to GraphQL APIs are also supported in IDE extensions.

Support for GraphQL is not enabled by default, but is available as a separate subscription. If you are interested in adding GraphQL support to your subscription, contact sales@42crunch.com.
GraphQL is not yet supported in API Protection, CI/CD plugins, data dictionaries, or API Contract Generator.

Instructions on working with GraphQL files are provided in the documentation alongside the instructions for OpenAPI definitions. For more details, see APIs and API collections.

New checks for OpenAPI definitions in Security Audit

We have introduced new best practices checks for Security Audit

Checks for 4XX range in HTTP status response codes

Because the OpenAPI Specification (OAS) allows using the HTTP status response code 4XX to indicate a range of accepted codes, Security Audit no longer reduces your audit score if you have done so in OpenAPI definitions following the OAS v3 or later.

However, because using explicit error codes provides better understanding of your API and how it is used (or abused)it does raise a best practices issue so that you can evaluate if using the range is appropriate option for your needs, Security Audit does raise a best practices issue so that you can evaluate on a case-by-case basis if using the range is appropriate.

For more details, see :

• OAS v3.0.x: Range '4XX' used in the response instead of the explicit error code
• OASv 3.1.x: Range '4XX' used in the response instead of the explicit error code

Because the OAS v2 does not support defining ranges for response codes, this change does not apply to OpenAPI definitions following it and Security Audit continues to work as before on them.

Checks for security-related x-42c extensions

If you have used the security-related x-42c OAS vendor extensions (x-42c-accept-empty-security, x-42c-mtls, or x-42c-no-authentication) in your OpenAPI definition, Security Audit now raises a best practices issue so that you can check that you are using the extension in question correctly.

While there are perfectly legitimate use cases for each of the three extensions, using the wrong extension the wrong way or in the wrong place can hide real security concerns and give false sense of security, and so a little refresher on the right usage may come as a welcome reminder.

For more details, see :

• OAS v2:
  • API definition uses the 'x-42c-accept-empty-security' extension
  • API definition uses the 'x-42c-mtls' extension
  • API definition uses the 'x-42c-no-authentication' extension
• OAS v3.0.x:
  • API definition uses the 'x-42c-accept-empty-security' extension
  • API definition uses the 'x-42c-mtls' extension
  • API definition uses the 'x-42c-no-authentication' extension
• OAS v3.1.x:
  • API definition uses the 'x-42c-accept-empty-security' extension
  • API definition uses the 'x-42c-mtls' extension
  • API definition uses the 'x-42c-no-authentication' extension

Other improvements

We have also fixed a regression in how API Firewall handles the keyword nullable used in the pre-v3.1.x OAS versions.

Compatibility

This section lists the compatible Docker images for some of the components of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

• NEW: 42crunch/apifirewall:v1.2.1
  • Fixed a regression in handling the keyword nullable
  • Upgrade to go-1.25.8 (CVE-2026-27142, CVE-2026-25679)
  • Upgrade to go-grpc 1.79.0

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

• 42crunch/apifirewall:v1.2.0
  • Support for the OAS v3.1
  • Upgrade to go-1.25.6 (CVE-2025-68121, CVE-2025-61728, CVE-2025-61726, CVE-2025-61731, CVE-2025-68119)
  • Upgrade to openssl 3.5.5 (CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796)
•  42crunch/apifirewall:v1.1.16
  • Upgrade to httpd-2.4.66 (CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200)
  • Upgrade to golang-1.25.5 (CVE-2025-61727, CVE-2025-61729)
• 42crunch/apifirewall:v1.1.15
  • Upgrade to PCRE2-10.46 (CVE-2025-58050)
• 42crunch/apifirewall:v1.1.14
  • Upgrade to openssl-3.5.4 (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232)
  • Upgrade to libexpat-2.7.3 (CVE-2025-59375)
  • Upgrade to go-1.25.3 (CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, CVE-2025-61725)
• 42crunch/apifirewall:v1.1.13
  • Upgrade to httpd-2.4.65 (CVE-2025-53020, CVE-2025-49812, CVE-2025-49630, CVE-2025-23048, CVE-2024-47252, CVE-2024-43394, CVE-2024-43204, CVE-2024-42516, CVE-2025-54090)
• 42crunch/apifirewall:v1.1.12
  • Fixed handling of schema validating errors
  • Upgrade to go-1.24.4 (CVE-2024-45338)
  • Upgrade to go-grpc 1.73.0
• 42crunch/apifirewall:v1.1.11
  • Fixed resource consumption on graceful restart
•  42crunch/apifirewall:v1.1.9
  • Upgrade to expat 2.7.0-r0 (CVE-2024-8176)
  • Upgrade to golang.org/x/net 0.36.0 (CVE-2025-22870)
• 42crunch/apifirewall:v1.1.8
  • Upgrade to openssl-3.3.3 (CVE-2024-12797, CVE-2024-13176)
• 42crunch/apifirewall:v1.1.7
  • Fixed the failure in forwarding large request bodies
  • Upgrade to go-1.23.4 (CVE-2024-45338)
• 42crunch/apifirewall:v1.1.6
  • Upgrade to openssl-3.3.2-r1 (CVE-2024-9143)
• 42crunch/apifirewall:v1.1.5
  • Switch to the system certificate store to fix certificate authority renewal issue

All previous image versions have been deprecated and are no longer supported. We highly recommend that you switch to the latest image version to take the full advantage of the new features and security improvements.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

API Scan images

This release is compatible with the following API Scan images for running it on-premises. The major release number indicates if the image is for Scan v1 or Scan v2 engine.

Scan v2

• NEW: 42crunch/scand-agent:v2.54.0
  • Improvements to GraphQL support
  • Upgrade to Golang 1.26.1 (CVE-2026-25679, CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-27142)

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

• 42crunch/scand-agent:v2.53.1
  • Fix to scan runtime settings
• 42crunch/scand-agent:v2.53.0
  • Fixed value generation on conformance tests
  • Upgrade to Golang 1.25.6 (CVE-2025-61726, CVE-2025-61728, CVE-2025-61730)
• 42crunch/scand-agent:v2.52.0
  • Upgrade to golang.org/x/crypto v0.45.0 (CVE-2025-47914, CVE-2025-58181)
• 42crunch/scand-agent:v2.51.0
  • Upgrade to golang.org/x/crypto v0.44.0 (CVE-2025-47913)
  • Fixed including nested objects in arrays in requests
• 42crunch/scand-agent:v2.50.2
  • Upgrade to Golang 1.25.3 (CVE-2025-58185)
  • Adjusted proxy behavior
  • Fixed handling of examples in test generation
• 42crunch/scand-agent:v2.50.0
  • Upgrade to Golang 1.25.1 (CVE-2025-47906)
  • Fixed generating a value for a test in case of an overflow
  • Fixed calculation of estimated tests in case of skipped tests
  • Fixed parsing error with long strings of numbers
• 42crunch/scand-agent:v2.49.0
  • Support for drift scan
• 42crunch/scand-agent:v2.48.0
  • Ignore unsupported operations during scan
  • Fixed calculation of estimated tests and executed tests
  • Fixed variable replacement in Scan v2 in v1-compatible mode
• 42crunch/scand-agent:v2.47.0
  • Ignore unsupported methods
  • X-Scan-Transactionid included in every request
  • Upgrade to chi v5.2.2 (CWE-601)
• 42crunch/scand-agent:v2.46.3
  • Upgrade to Golang 1.24.4 (CVE-2025-0913, CVE-2025-22874, CVE-2025-4673)
• 42crunch/scand-agent:v2.46.1
  • Scan rules defined in the platform taken into account in scans
  • URL normalization
• 42crunch/scand-agent:v2.45.0
  • Upgrade to Golang 1.24.2 (CVE-2025-22871)
  • Upgrade to golang.org/x/net v0.39.0 (CVE-2025-22872)

All previous image versions have been deprecated and are no longer supported.

Scan v1

• NEW: 42crunch/scand-agent:v1.54.0
  • Upgrade to Golang 1.26.1 (CVE-2026-25679, CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-27142)

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

• 42crunch/scand-agent:v1.53.1
  • Fix to scan runtime settings
• 42crunch/scand-agent:v1.53.0
  • Upgrade to Golang 1.25.6 (CVE-2025-61726, CVE-2025-61728, CVE-2025-61730)
•  42crunch/scand-agent:v1.52.0
  • Upgrade to golang.org/x/crypto v0.45.0 (CVE-2025-47914, CVE-2025-58181)
• 42crunch/scand-agent:v1.51.0
  • Upgrade to golang.org/x/crypto v0.44.0 (CVE-2025-47913)
  • Fixed including nested objects in arrays in requests
• 42crunch/scand-agent:v1.50.2
  • Upgrade to Golang 1.25.3 (CVE-2025-58185)
  • Adjusted proxy behavior
• 42crunch/scand-agent:v1.50.0
  • Upgrade to Golang 1.25.1 (CVE-2025-47906)
• 42crunch/scand-agent:v1.49.0
  • Internal cleanup and refactoring
• 42crunch/scand-agent:v1.48.0
  • Fixed scan report size checks
• 42crunch/scand-agent:v1.47.0
  • Ignore unsupported HTTP methods
  • X-Scan-Transactionid included in every request
  • Upgrade to chi v5.2.2 (CWE-601)
•  42crunch/scand-agent:v1.46.3
  • Upgrade to Golang 1.24.4 (CVE-2025-0913, CVE-2025-22874, CVE-2025-4673)
• 42crunch/scand-agent:v1.46.0
  • Internal cleanup and refactoring
• 42crunch/scand-agent:v1.45.0
  • Upgrade to Golang 1.24.2 (CVE-2025-22871)
  • Upgrade to golang.org/x/net v0.39.0 (CVE-2025-22872)

All previous image versions have been deprecated and are no longer supported.

Changed behavior

• Security Audit no longer reduces audit score if you have used the response code 4XX instead of the specific error code in your OpenAPI definition. Depending on your API, this may affect the audit score.
• Security Audit now raises an Info level issue when you have used x-42c-accept-empty-security, x-42c-mtls, or x-42c-no-authentication in your API definition so that you can evaluate that the extension is used correctly. This does not affect your audit score, but depending on your API, you may see increase in the number of issues raised.

Known issues

This release has the following known issues.

Misaligned layout in the scan configuration validation report (SCVR)

When viewing the SCVR report on the UI, some elements are not properly aligned but squahed, making them bit difficult to read.

This will be fixed in the next release.

Manage teams permission not shown on list of users

The permission to manage teams is not yet shown on the list of users in your organization, but you can view all permissions that a user has by clicking the permission column. This permission also does not yet have a shortcut that you could use when searching by permission.

These will be fixed in a future release.

Changing tagging on an API may trigger an unrelated error on the UI

Sometimes applying tags to or removing them from an API may trigger an unrelated error on failing to fetch the SQG approval report for the API. This happens if the API in question has been scanned on-premises and the scan has finished after you arrived on the API Summary page, because the UI cannot find the latest on-premises scan report and the associated approval report. Refreshing the page gets the latest reports and resolves the issue.

Tagging and untagging the API is not affected by this error: tags get correctly applied and removed in any case.

This will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

Scan customization rules may lead to no response codes being accepted.

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes that are defined in scan rules applied to the scanned API take preference over the response codes that API Scan would otherwise expect. However, this can cause problems in scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. This results in the scan rule to have null defined as the expected response code, and because the scan rule takes preference over the default scan behavior, no response codes except null are accepted. This in turn means that some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.

We are currently investigating the best way how to reconcile the designed behavior of API Scan and scan rules in these cases, and this issue will be fixed in a future release.