42Crunch Platform release, May 14, 2026

This 42Crunch API Security Platform release brings direct links to issues in audit and scan reports, and introduces support for GraphQL federation.

New features

The following are the new features and improvements to existing ones in this release.

Improvements to Scan v2

There have been several improvements to different aspects of Scan v2.

The scan report has been simplified to be cleaner and more security-focused on the platform UI.

The screenshot shows how there are fewer columns in the new Scan v2 report and how the columns have been reordered so that severity is listed as the first column.

  • The order of the columns has been changed to give a better at-a-glance view of the security posture of your API implementation
  • There are fewer columns, which reduces noise and makes it easier to focus on the important things
  • Full details are still available when you click an issue

In the same vein, we have also changed the list of scan configurations to provide a cleaner look and to make it easier to see which configurations have already been used and which have not.

An example screenshot showing the Pixi API with five different scan configurations.

Scan v2 can now also be launched in 42Crunch Platform from the main menu and from the API actions, just like Scan v1. For more details, see Use API Scan v2 engine.

We have renamed dynamic tests to identity tests to clarify what they are about, see Identity tests.

We have also fixed how Content-Type headers are sent when testing the content type handling and how they are logged in the cURL command.

Direct links to issues in audit and scan reports

You can now copy and share a link that will take the recipient directly to an audit or scan issue discovered in a particular API, utilizing the unique fingerprint ID that every discovered issue gets.

The user must have at least read-only access to the API collection where the API in question is located, otherwise they cannot access the report.

Support for GraphQL federation

We have added support for GraphQL federation. In addition to GraphQL schema definitions (full GraphQL APIs), you can now also import GraphQL data definitions (API "fragments") and GraphQL federation files (supergraphs) into 42Crunch Platform. This lets you gather all subgraphs and the related supergraph into the same API collection and test them together.

GraphQL federation is currently supported in Security Audit. For more details, see GraphQL file types and Security Audit. We will continue to enhance GraphQL federation support in future releases.

Other improvements to GraphQL support include:

  • Better happy path request descriptions in the scan report. The descriptions now provide details, for example, why exactly a particular happy path request failed, just like when scanning OpenAPI definitions.
  • The GraphQL parser has been upgraded to a new version to fix incorrect values in some location pointers in reports. Now, all found issues take you to the correct place in your API definition.
  • Change to how API Scan generates values for float properties. Previously, API Scan might use NaN (Not a Number) as a value in the fuzzing tests. Because NaN cannot be marshalled into JSON, this could cause API Scan to fail. Now, API Scan no longer uses NaN in the fuzzing tests.
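The NaN failure described above is reproducible with Go's standard encoding/json package, which refuses NaN and infinities with an UnsupportedValueError. The following Go program is an added example, not 42Crunch's code: it shows the marshal error a float fuzz value generator hits on non-finite values, and a filter that keeps only JSON-serializable candidates. The candidate list and the "price" field name are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
)

// Constructed sample of float values a naive fuzzer might pick for a
// "number" property: boundary values plus the non-finite ones.
var naiveFloatCandidates = []float64{
	0, 1.5, -1.5, math.MaxFloat64, math.SmallestNonzeroFloat64,
	math.NaN(), math.Inf(1), math.Inf(-1),
}

// MarshalsToJSON reports whether encoding/json can encode the value.
// NaN and ±Inf are rejected with *json.UnsupportedValueError, which is the
// kind of failure a JSON-based fuzzer must avoid.
func MarshalsToJSON(f float64) bool {
	_, err := json.Marshal(f)
	return err == nil
}

// FiniteFloats drops NaN and ±Inf so every remaining fuzz value can be
// serialized into a request body.
func FiniteFloats(candidates []float64) []float64 {
	out := make([]float64, 0, len(candidates))
	for _, f := range candidates {
		if math.IsNaN(f) || math.IsInf(f, 0) {
			continue
		}
		out = append(out, f)
	}
	return out
}

// BuildRequestBody builds the JSON body for one fuzz test of a float field.
// Returning the marshal error, rather than panicking, lets a caller log the
// offending value and skip that test instead of aborting the whole scan.
func BuildRequestBody(field string, f float64) ([]byte, error) {
	return json.Marshal(map[string]float64{field: f})
}

func main() {
	for _, f := range naiveFloatCandidates {
		body, err := BuildRequestBody("price", f)
		if err != nil {
			fmt.Printf("%v: skipped (%v)\n", f, err)
			continue
		}
		fmt.Printf("%v: %s\n", f, body)
	}
	fmt.Println("safe candidates:", FiniteFloats(naiveFloatCandidates))
}
```

Filtering at generation time, as in FiniteFloats, is the robust fix; checking the marshal error per request is the fallback that keeps a single bad value from taking down the run.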

Support for GraphQL is not enabled by default, but is available as a separate subscription. If you are interested in adding GraphQL support to your subscription, contact sales@42crunch.com.
GraphQL is not yet supported in API Protection, CI/CD plugins, data dictionaries, or API Contract Generator.

Improvements to Security Audit

The property mutualTLS as authentication type in OpenAPI v3.1.x definitions is now correctly considered as strong authentication.

We have also fixed a rounding error in the statistics in audit reports that might cause percentages to add up to over 100%.
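Independently rounding each percentage is the usual cause of breakdowns that add up to more than 100%. The Go program below is an added example, not 42Crunch's code, and does not claim to be the fix applied in the platform: it shows the naive rounding drifting to 101% on a constructed set of issue counts, and the largest-remainder method (Hamilton's method) that always sums to exactly 100. The issue counts are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Constructed sample: number of audit issues in five categories.
var issueCounts = []int{3, 3, 2, 2, 2}

// Sum adds up a breakdown so callers can check that it reaches 100.
func Sum(xs []int) int {
	total := 0
	for _, x := range xs {
		total += x
	}
	return total
}

// NaiveRoundedPercentages rounds every share independently. Three shares of
// 16.67% each round up to 17, so the total drifts to 101.
func NaiveRoundedPercentages(counts []int) []int {
	total := Sum(counts)
	out := make([]int, len(counts))
	if total == 0 {
		return out
	}
	for i, c := range counts {
		out[i] = int(math.Round(100 * float64(c) / float64(total)))
	}
	return out
}

// LargestRemainderPercentages floors every share, then hands the leftover
// percentage points to the shares with the largest fractional parts, so the
// result always sums to exactly 100 (or 0 when there are no issues at all).
func LargestRemainderPercentages(counts []int) []int {
	total := Sum(counts)
	out := make([]int, len(counts))
	if total == 0 {
		return out
	}
	type remainder struct {
		idx  int
		frac float64
	}
	rems := make([]remainder, len(counts))
	allocated := 0
	for i, c := range counts {
		exact := 100 * float64(c) / float64(total)
		floor := int(math.Floor(exact))
		out[i] = floor
		allocated += floor
		rems[i] = remainder{idx: i, frac: exact - float64(floor)}
	}
	// A stable sort keeps category order among equal remainders, so the
	// allocation is deterministic from one report to the next.
	sort.SliceStable(rems, func(a, b int) bool { return rems[a].frac > rems[b].frac })
	for i := 0; i < 100-allocated; i++ {
		out[rems[i].idx]++
	}
	return out
}

func main() {
	naive := NaiveRoundedPercentages(issueCounts)
	fixed := LargestRemainderPercentages(issueCounts)
	fmt.Printf("naive rounding:    %v sums to %d\n", naive, Sum(naive))
	fmt.Printf("largest remainder: %v sums to %d\n", fixed, Sum(fixed))
}
```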

Compatibility

This section lists the compatible Docker images for some of the components of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • NEW: 42crunch/apifirewall:v1.2.4
    • Upgrade to golang-1.26.3 (CVE-2026-32283, CVE-2026-32282, CVE-2026-27144, CVE-2026-27140, CVE-2026-27143, CVE-2026-33810, CVE-2026-32289, CVE-2026-32288, CVE-2026-42501, CVE-2026-27142, CVE-2026-39836)
    • Upgrade to openssl-3.5.6 (CVE-2026-31789, CVE-2026-28387, CVE-2026-40200, CVE-2026-2673)
    • Upgrade to httpd-2.4.67 (CVE-2026-23918, CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, CVE-2026-29169, CVE-2026-33006, CVE-2026-33007, CVE-2026-33523, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059)

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/apifirewall:v1.2.3
    • Upgrade to go-1.26.1
  • 42crunch/apifirewall:v1.2.2
    • Upgrade to go-grpc 1.79.3 (CVE-2026-33186)
    • Fixed a regression in handling the keyword nullable
    • Upgrade to go-1.25.8 (CVE-2026-27142, CVE-2026-25679)
    • Upgrade to go-grpc 1.79.0
  • 42crunch/apifirewall:v1.2.0
    • Support for the OAS v3.1
    • Upgrade to go-1.25.6 (CVE-2025-68121, CVE-2025-61728, CVE-2025-61726, CVE-2025-61731, CVE-2025-68119)
    • Upgrade to openssl 3.5.5 (CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796)
  • 42crunch/apifirewall:v1.1.16
    • Upgrade to httpd-2.4.66 (CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200)
    • Upgrade to golang-1.25.5 (CVE-2025-61727, CVE-2025-61729)
  • 42crunch/apifirewall:v1.1.15
    • Upgrade to PCRE2-10.46 (CVE-2025-58050)
  • 42crunch/apifirewall:v1.1.14
    • Upgrade to openssl-3.5.4 (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232)
    • Upgrade to libexpat-2.7.3 (CVE-2025-59375)
    • Upgrade to go-1.25.3 (CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, CVE-2025-61725)
  • 42crunch/apifirewall:v1.1.13
    • Upgrade to httpd-2.4.65 (CVE-2025-53020, CVE-2025-49812, CVE-2025-49630, CVE-2025-23048, CVE-2024-47252, CVE-2024-43394, CVE-2024-43204, CVE-2024-42516, CVE-2025-54090)
  • 42crunch/apifirewall:v1.1.12
    • Fixed handling of schema validating errors
    • Upgrade to go-1.24.4 (CVE-2024-45338)
    • Upgrade to go-grpc 1.73.0
  • 42crunch/apifirewall:v1.1.11
    • Fixed resource consumption on graceful restart
  • 42crunch/apifirewall:v1.1.9
    • Upgrade to expat 2.7.0-r0 (CVE-2024-8176)
    • Upgrade to golang.org/x/net 0.36.0 (CVE-2025-22870)
  • 42crunch/apifirewall:v1.1.8
    • Upgrade to openssl-3.3.3 (CVE-2024-12797, CVE-2024-13176)
  • 42crunch/apifirewall:v1.1.7
    • Fixed the failure in forwarding large request bodies
    • Upgrade to go-1.23.4 (CVE-2024-45338)
  • 42crunch/apifirewall:v1.1.6
    • Upgrade to openssl-3.3.2-r1 (CVE-2024-9143)
  • 42crunch/apifirewall:v1.1.5
    • Switch to the system certificate store to fix certificate authority renewal issue

All previous image versions have been deprecated and are no longer supported. We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

API Scan images

This release is compatible with the following API Scan images for running it on-premises. The major release number indicates whether the image is for the Scan v1 or the Scan v2 engine.

Scan v2

  • NEW: 42crunch/scand-agent:v2.56.0
    • Upgrade to Golang 1.26.3 (CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499)
    • Upgrade to opentelemetry-go 1.43.0 (CVE-2026-39883)
    • Fixed sending of Content-Type headers when testing the content type handling

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v2.55.1
    • Upgrade to Golang 1.26.2 (CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289, CVE-2026-33810)
    • Fixed running of all scan types
  • 42crunch/scand-agent:v2.55.0
    • Fixed value generation for oneOf schemas with multiple accepted object types
    • Fixed handling of empty input objects in GraphQL APIs
    • Increased maximum length of returned responses for GraphQL APIs
  • 42crunch/scand-agent:v2.54.2
    • Upgrade to google.golang.org/grpc v1.79.3 (CVE-2026-33186)
    • Improvements to GraphQL support
    • Upgrade to Golang 1.26.1 (CVE-2026-25679, CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-27142)
  • 42crunch/scand-agent:v2.53.2
    • Upgrade to google.golang.org/grpc v1.79.3 (CVE-2026-33186)
  • 42crunch/scand-agent:v2.53.1
    • Fix to scan runtime settings
  • 42crunch/scand-agent:v2.53.0
    • Fixed value generation on conformance tests
    • Upgrade to Golang 1.25.6 (CVE-2025-61726, CVE-2025-61728, CVE-2025-61730)
  • 42crunch/scand-agent:v2.52.0
    • Upgrade to golang.org/x/crypto v0.45.0 (CVE-2025-47914, CVE-2025-58181)
  • 42crunch/scand-agent:v2.51.0
    • Upgrade to golang.org/x/crypto v0.44.0 (CVE-2025-47913)
    • Fixed including nested objects in arrays in requests
  • 42crunch/scand-agent:v2.50.2
    • Upgrade to Golang 1.25.3 (CVE-2025-58185)
    • Adjusted proxy behavior
    • Fixed handling of examples in test generation
  • 42crunch/scand-agent:v2.50.0
    • Upgrade to Golang 1.25.1 (CVE-2025-47906)
    • Fixed generating a value for a test in case of an overflow
    • Fixed calculation of estimated tests in case of skipped tests
    • Fixed parsing error with long strings of numbers
  • 42crunch/scand-agent:v2.49.0
    • Support for drift scan
  • 42crunch/scand-agent:v2.48.0
    • Ignore unsupported operations during scan
    • Fixed calculation of estimated tests and executed tests
    • Fixed variable replacement in Scan v2 in v1-compatible mode
  • 42crunch/scand-agent:v2.47.0
    • Ignore unsupported methods
    • X-Scan-Transactionid included in every request
    • Upgrade to chi v5.2.2 (CWE-601)
  • 42crunch/scand-agent:v2.46.3
    • Upgrade to Golang 1.24.4 (CVE-2025-0913, CVE-2025-22874, CVE-2025-4673)
  • 42crunch/scand-agent:v2.46.1
    • Scan rules defined in the platform taken into account in scans
    • URL normalization
  • 42crunch/scand-agent:v2.45.0
    • Upgrade to Golang 1.24.2 (CVE-2025-22871)
    • Upgrade to golang.org/x/net v0.39.0 (CVE-2025-22872)

All previous image versions have been deprecated and are no longer supported.

Scan v1

  • NEW: 42crunch/scand-agent:v1.56.0
    • Upgrade to Golang 1.26.3 (CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499)
    • Upgrade to opentelemetry-go 1.43.0 (CVE-2026-39883)
    • Fixed sending of Content-Type headers when testing the content type handling

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v1.55.1
    • Upgrade to Golang 1.26.2 (CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289, CVE-2026-33810)
  • 42crunch/scand-agent:v1.55.0
    • Internal cleanup and refactoring
  • 42crunch/scand-agent:v1.54.2
    • Upgrade to google.golang.org/grpc v1.79.3 (CVE-2026-33186)
    • Upgrade to Golang 1.26.1 (CVE-2026-25679, CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-27142)
  • 42crunch/scand-agent:v1.53.2
    • Upgrade to google.golang.org/grpc v1.79.3 (CVE-2026-33186)
  • 42crunch/scand-agent:v1.53.1
    • Fix to scan runtime settings
  • 42crunch/scand-agent:v1.53.0
    • Upgrade to Golang 1.25.6 (CVE-2025-61726, CVE-2025-61728, CVE-2025-61730)
  • 42crunch/scand-agent:v1.52.0
    • Upgrade to golang.org/x/crypto v0.45.0 (CVE-2025-47914, CVE-2025-58181)
  • 42crunch/scand-agent:v1.51.0
    • Upgrade to golang.org/x/crypto v0.44.0 (CVE-2025-47913)
    • Fixed including nested objects in arrays in requests
  • 42crunch/scand-agent:v1.50.2
    • Upgrade to Golang 1.25.3 (CVE-2025-58185)
    • Adjusted proxy behavior
  • 42crunch/scand-agent:v1.50.0
    • Upgrade to Golang 1.25.1 (CVE-2025-47906)
  • 42crunch/scand-agent:v1.49.0
    • Internal cleanup and refactoring
  • 42crunch/scand-agent:v1.48.0
    • Fixed scan report size checks
  • 42crunch/scand-agent:v1.47.0
    • Ignore unsupported HTTP methods
    • X-Scan-Transactionid included in every request
    • Upgrade to chi v5.2.2 (CWE-601)
  • 42crunch/scand-agent:v1.46.3
    • Upgrade to Golang 1.24.4 (CVE-2025-0913, CVE-2025-22874, CVE-2025-4673)
  • 42crunch/scand-agent:v1.46.0
    • Internal cleanup and refactoring
  • 42crunch/scand-agent:v1.45.0
    • Upgrade to Golang 1.24.2 (CVE-2025-22871)
    • Upgrade to golang.org/x/net v0.39.0 (CVE-2025-22872)

All previous image versions have been deprecated and are no longer supported.

Changed behavior

By default, Scan v2 now marks all environment variables (for example, those holding authentication details) as required at runtime. This makes omitting anything defined in your API definition from a scan an informed choice and reduces unintentional exclusions that could cause, for example, unexpected happy path failures.

Deprecated components

There are no new deprecations in this release. For the list of current deprecations, see List of deprecated images and endpoints.

Known issues

This release has the following known issues.

Navigating from audit report issue details to Security Editor not working

If you are viewing issue details in the audit report in 42Crunch Platform and try to go to Security Editor to fix the issue, the audit report is reloaded instead of taking you to Security Editor. Security Editor itself still works, so if you go directly to Security Editor and view the audit report there, you can find the location of all issues in your API definition and fix them. Alternatively, you can run Security Audit in your IDE and fix the issues there.

The navigation from the audit report to Security Editor will be fixed in the next release.

Manage teams permission not shown on list of users

The permission to manage teams is not yet shown on the list of users in your organization, but you can view all permissions that a user has by clicking the permission column. This permission also does not yet have a shortcut that you could use when searching by permission.

These will be fixed in a future release.

Changing tagging on an API may trigger an unrelated error on the UI

Sometimes applying tags to or removing them from an API may trigger an unrelated error about failing to fetch the SQG approval report for the API. This happens if the API in question has been scanned on-premises and the scan finished after you arrived on the API Summary page, because the UI cannot find the latest on-premises scan report and the associated approval report. Refreshing the page gets the latest reports and resolves the issue.

Tagging and untagging the API is not affected by this error: tags get correctly applied and removed in any case.

This will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

Scan customization rules may lead to no response codes being accepted

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes defined in scan rules applied to the scanned API take preference over the response codes that API Scan would otherwise expect. However, this can cause problems in the scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. This results in the scan rule having null defined as the expected response code, and because the scan rule takes preference over the default scan behavior, no response codes except null are accepted. This in turn means that some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.

We are currently investigating the best way to reconcile the designed behavior of API Scan and scan rules in these cases, and this issue will be fixed in a future release.
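The precedence problem described in this known issue is easier to see in code. The Go program below is an added example and uses a deliberately simplified, hypothetical rule model (the ScanRule struct, the test IDs and the default expected codes are all constructed, not 42Crunch's actual rule format or defaults). It reproduces how a rule that only skips body analysis empties the accepted set when the rule always wins, contrasts that with a fallback to the defaults when the rule defines no codes, and includes a check you can run over your own rule set to find rules matching the problematic pattern before scanning.

```go
package main

import "fmt"

// ScanRule is a hypothetical, simplified model of a scan customization rule:
// it can turn off header or body analysis and may optionally list the
// response codes it expects. A nil list means the rule defines none.
type ScanRule struct {
	Name          string
	SkipHeaders   bool
	SkipBody      bool
	ExpectedCodes []int
}

// defaultExpected holds constructed default expectations per test, standing
// in for what the scanner would expect without any rule applied.
var defaultExpected = map[string][]int{
	"happy-path":             {200},
	"authentication-missing": {401, 403},
	"unknown-path":           {404},
}

func contains(codes []int, c int) bool {
	for _, x := range codes {
		if x == c {
			return true
		}
	}
	return false
}

// ExpectedRuleWins reproduces the precedence the known issue describes: the
// rule always takes preference, even when it defines no codes, so the
// accepted set collapses to nil and every response looks unexpected.
func ExpectedRuleWins(testID string, rule *ScanRule) []int {
	if rule != nil {
		return rule.ExpectedCodes
	}
	return defaultExpected[testID]
}

// ExpectedWithFallback uses the rule's codes only when the rule defines some;
// a rule that only skips header or body analysis keeps the defaults.
func ExpectedWithFallback(testID string, rule *ScanRule) []int {
	if rule != nil && rule.ExpectedCodes != nil {
		return rule.ExpectedCodes
	}
	return defaultExpected[testID]
}

// IsUnexpected reports whether a response code would be flagged as a finding.
func IsUnexpected(expected []int, got int) bool {
	return !contains(expected, got)
}

// RulesWithoutExpectedCodes returns the names of rules that skip analysis but
// define no expected codes: the combination that triggers the false positives.
func RulesWithoutExpectedCodes(rules []ScanRule) []string {
	var names []string
	for _, r := range rules {
		if (r.SkipHeaders || r.SkipBody) && r.ExpectedCodes == nil {
			names = append(names, r.Name)
		}
	}
	return names
}

func main() {
	bodyOnly := &ScanRule{Name: "skip-body-only", SkipBody: true}
	for _, code := range []int{401, 403} {
		fmt.Printf("rule wins: %d unexpected=%v\n", code,
			IsUnexpected(ExpectedRuleWins("authentication-missing", bodyOnly), code))
		fmt.Printf("fallback:  %d unexpected=%v\n", code,
			IsUnexpected(ExpectedWithFallback("authentication-missing", bodyOnly), code))
	}
	fmt.Println("rules to review:", RulesWithoutExpectedCodes([]ScanRule{*bodyOnly}))
}
```

Until the platform reconciles the two behaviors, the practical workaround follows from RulesWithoutExpectedCodes: any rule that skips header or body analysis should also state the response codes it expects, so the rule's precedence never replaces the defaults with null.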