42Crunch Platform release, June 17, 2026

This 42Crunch API Security Platform release adds GraphQL federation support to API Scan.

New features

The following are the new features and improvements to the existing ones in this release.

Support for GraphQL federation in API Scan

We have extended the support for GraphQL federation to API Scan so that you can now run a scan to discover API implementation issues across your whole federation.

When you generate a scan configuration for a GraphQL supergraph, the configuration automatically covers all schema definition files (full GraphQL APIs) and data definition files (API "fragments") referenced in the supergraph. When you run the scan, the tests cover the whole implementation defined in the supergraph. You can also continue to scan schema definition files independently, but data definition files can only be scanned through the supergraph referencing them.

GraphQL federation support is available in 42Crunch Platform, for more details, see Use API Scan v2 engine. GraphQL federation is not supported in IDEs.

We have also fixed the handling of a non-list GraphQL type definition that includes a list directive when generating a scan configuration.

We continue to enhance GraphQL federation and GraphQL support in future releases.

Support for GraphQL is not enabled by default, but is available as a separate subscription. If you are interested in adding GraphQL support to your subscription, contact sales@42crunch.com.
GraphQL is not yet supported in API Protection, CI/CD plugins, data dictionaries, or API Contract Generator.

New fail-on condition for scan security quality gates

You can now set a scan security quality gate (SQG) to reject the API if one or more happy path tests failed during the scan. This is available for both OpenAPI definitions and GraphQL files. We have also clarified the descriptions of the other quality criteria for strict conformance, see Security quality gates in API Scan.

In addition, we have improved the following:

  • Fixed handling of the format date in Scan v2 engine when generating scan requests
  • Fixed the caching when generating scan configurations that in some cases could lead to circular reference preventing the generation of scan report

Other improvements

We have fixed the navigation from the issue details in the audit on the platform UI to fixing it in Security Editor.

We have also improved some slow-performing SQL queries that could cause performance issues in large organizations with plenty of API collections. We will continue to improve other SQL queries in the next release.

Compatibility

This section lists the compatible Docker images for some of the components of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • NEW: 42crunch/apifirewall:v1.2.7
    • Upgrade to openssl-3.5.7 (CVE-2026-34180, CVE-2026-34181, CVE-2026-34182, CVE-2026-34183, CVE-2026-35188, CVE-2026-42764, CVE-2026-42765, CVE-2026-42766, CVE-2026-42767, CVE-2026-42768, CVE-2026-42769, CVE-2026-42770, CVE-2026-45445, CVE-2026-45446, CVE-2026-45447, CVE-2026-7383, CVE-2026-9076)
  • NEW: 42crunch/apifirewall:v1.2.6
    • Fix loading some OpenAPI definitions that failed with an error on unresolved reference
    • Upgrade to httpd-2.4.68 (CVE-2026-29167, CVE-2026-29170, CVE-2026-34355, CVE-2026-34356, CVE-2026-42535, CVE-2026-42536, CVE-2026-43951, CVE-2026-44119, CVE-2026-44185, CVE-2026-44186, CVE-2026-44631, CVE-2026-48913, CVE-2026-49975)
    • Upgrade to golang-1.26.4 (CVE-2026-27145, CVE-2026-42504, CVE-2026-42507)
    • Upgrade to go-net v0.55.0 (CVE-2026-39821)

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/apifirewall:v1.2.4
    • Upgrade to golang-1.26.3 (CVE-2026-32283, CVE-2026-32282, CVE-2026-27144, CVE-2026-27140, CVE-2026-27143, CVE-2026-33810, CVE-2026-32289, CVE-2026-32288, CVE-2026-42501, CVE-2026-27142, CVE-2026-39836)
    • Upgrade to openssl-3.5.6 (CVE-2026-31789, CVE-2026-28387, CVE-2026-40200, CVE-2026-2673)
    • Upgrade to httpd-2.4.67 (CVE-2026-23918, CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, CVE-2026-29169, CVE-2026-33006, CVE-2026-33007, CVE-2026-33523, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059)
  • 42crunch/apifirewall:v1.2.3
    • Upgrade to go-1.26.1
  • 42crunch/apifirewall:v1.2.2
    • Upgrade to go-grpc 1.79.3 (CVE-2026-33186)
    • Fixed a regression in handling the keyword nullable
    • Upgrade to go-1.25.8 (CVE-2026-27142, CVE-2026-25679)
    • Upgrade to go-grpc 1.79.0
  • 42crunch/apifirewall:v1.2.0
    • Support for the OAS v3.1
    • Upgrade to go-1.25.6 (CVE-2025-68121, CVE-2025-61728, CVE-2025-61726, CVE-2025-61731, CVE-2025-68119)
    • Upgrade to openssl 3.5.5 (CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796)
  •  42crunch/apifirewall:v1.1.16
    • Upgrade to httpd-2.4.66 (CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200)
    • Upgrade to golang-1.25.5 (CVE-2025-61727, CVE-2025-61729)
  • 42crunch/apifirewall:v1.1.15
    • Upgrade to PCRE2-10.46 (CVE-2025-58050)
  • 42crunch/apifirewall:v1.1.14
    • Upgrade to openssl-3.5.4 (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232)
    • Upgrade to libexpat-2.7.3 (CVE-2025-59375)
    • Upgrade to go-1.25.3 (CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, CVE-2025-61725)
  • 42crunch/apifirewall:v1.1.13
    • Upgrade to httpd-2.4.65 (CVE-2025-53020, CVE-2025-49812, CVE-2025-49630, CVE-2025-23048, CVE-2024-47252, CVE-2024-43394, CVE-2024-43204, CVE-2024-42516, CVE-2025-54090)
  • 42crunch/apifirewall:v1.1.12
    • Fixed handling of schema validating errors
    • Upgrade to go-1.24.4 (CVE-2024-45338)
    • Upgrade to go-grpc 1.73.0
  • 42crunch/apifirewall:v1.1.11
    • Fixed resource consumption on graceful restart
  •  42crunch/apifirewall:v1.1.9
    • Upgrade to expat 2.7.0-r0 (CVE-2024-8176)
    • Upgrade to golang.org/x/net 0.36.0 (CVE-2025-22870)
  • 42crunch/apifirewall:v1.1.8
    • Upgrade to openssl-3.3.3 (CVE-2024-12797, CVE-2024-13176)
  • 42crunch/apifirewall:v1.1.7
    • Fixed the failure in forwarding large request bodies
    • Upgrade to go-1.23.4 (CVE-2024-45338)
  • 42crunch/apifirewall:v1.1.6
    • Upgrade to openssl-3.3.2-r1 (CVE-2024-9143)
  • 42crunch/apifirewall:v1.1.5
    • Switch to the system certificate store to fix certificate authority renewal issue

All previous image versions have been deprecated and are no longer supported. We highly recommend that you switch to the latest image version to take the full advantage of the new features and security improvements.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

API Scan images

This release is compatible with the following API Scan images for running it on-premises. The major release number indicates if the image is for Scan v1 or Scan v2 engine.

Scan v2

  • NEW: 42crunch/scand-agent:v2.57.0
    • Support for GraphQL federation
    • Fixed handling of the format date when generating scan requests

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v2.56.3
    • Upgrade to Golang 1.26.4 (CVE-2026-27145, CVE-2026-42504, CVE-2026-42507)
    • Updated Go dependencies (CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835)
    • Improved handling of values from x-42c-sample when scanning GraphQL files
    • Improvements to the handling of path parameters in the test parameter-required-scan
  • 42crunch/scand-agent:v2.56.1
    • Updated Go dependencies (GHSA-gxhx-2686-5h9g)
    • Fixed handling of OpenAPI schemas that have minimum defined but not maximum
    • Fixed array tests for OpenAPI definitions that have nested arrays with an empty sub array
  • 42crunch/scand-agent:v2.56.0
    • Upgrade to Golang 1.26.3 (CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499)
    • Upgrade to opentelemetry-go 1.43.0 (CVE-2026-39883)
    • Fixed sending of Content-Type headers when testing the content type handling
  • 42crunch/scand-agent:v2.55.1
    • Upgrade to Golang 1.26.2 (CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289, CVE-2026-33810)
    • Fixed running of all scan types
  • 42crunch/scand-agent:v2.55.0
    • Fixed value generation for oneOf schemas with multiple accepted object types
    • Fixed handling of empty input objects in GraphQL APIs
    • Increased maximum length of returned responses for GraphQL APIs
  • 42crunch/scand-agent:v2.54.2
    • Upgrade to google.golang.org/grpc v1.79.3 (CVE-2026-33186)
    • Improvements to GraphQL support
    • Upgrade to Golang 1.26.1 (CVE-2026-25679, CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-27142)
  • 42crunch/scand-agent:v2.53.2
    • Upgrade to google.golang.org/grpc v1.79.3 (CVE-2026-33186)
  • 42crunch/scand-agent:v2.53.1
    • Fix to scan runtime settings
  • 42crunch/scand-agent:v2.53.0
    • Fixed value generation on conformance tests
    • Upgrade to Golang 1.25.6 (CVE-2025-61726, CVE-2025-61728, CVE-2025-61730)
  • 42crunch/scand-agent:v2.52.0
    • Upgrade to golang.org/x/crypto v0.45.0 (CVE-2025-47914, CVE-2025-58181)
  • 42crunch/scand-agent:v2.51.0
    • Upgrade to golang.org/x/crypto v0.44.0 (CVE-2025-47913)
    • Fixed including nested objects in arrays in requests
  • 42crunch/scand-agent:v2.50.2
    • Upgrade to Golang 1.25.3 (CVE-2025-58185)
    • Adjusted proxy behavior
    • Fixed handling of examples in test generation
  • 42crunch/scand-agent:v2.50.0
    • Upgrade to Golang 1.25.1 (CVE-2025-47906)
    • Fixed generating a value for a test in case of an overflow
    • Fixed calculation of estimated tests in case of skipped tests
    • Fixed parsing error with long strings of numbers
  • 42crunch/scand-agent:v2.49.0
    • Support for drift scan
  • 42crunch/scand-agent:v2.48.0
    • Ignore unsupported operations during scan
    • Fixed calculation of estimated tests and executed tests
    • Fixed variable replacement in Scan v2 in v1-compatible mode
  • 42crunch/scand-agent:v2.47.0
    • Ignore unsupported methods
    • X-Scan-Transactionid included in every request
    • Upgrade to chi v5.2.2 (CWE-601)
  • 42crunch/scand-agent:v2.46.3
    • Upgrade to Golang 1.24.4 (CVE-2025-0913, CVE-2025-22874, CVE-2025-4673)
  • 42crunch/scand-agent:v2.46.1
    • Scan rules defined in the platform taken into account in scans
    • URL normalization
  • 42crunch/scand-agent:v2.45.0
    • Upgrade to Golang 1.24.2 (CVE-2025-22871)
    • Upgrade to golang.org/x/net v0.39.0 (CVE-2025-22872)

All previous image versions have been deprecated and are no longer supported.

Scan v1

  • NEW: 42crunch/scand-agent:v1.57.0
    • Internal cleanup and refactoring

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v1.56.3
    • Upgrade to Golang 1.26.4 (CVE-2026-27145, CVE-2026-42504, CVE-2026-42507)
    • Updated Go dependencies (CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835)
  • 42crunch/scand-agent:v1.56.1
    • Updated Go dependencies (GHSA-gxhx-2686-5h9g)
  • 42crunch/scand-agent:v1.56.0
    • Upgrade to Golang 1.26.3 (CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499)
    • Upgrade to opentelemetry-go 1.43.0 (CVE-2026-39883)
    • Fixed sending of Content-Type headers when testing the content type handling
  • 42crunch/scand-agent:v1.55.1
    • Upgrade to Golang 1.26.2 (CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289, CVE-2026-33810)
  • 42crunch/scand-agent:v1.55.0
    • Internal cleanup and refactoring
  • 42crunch/scand-agent:v1.54.2
    • Upgrade to google.golang.org/grpc v1.79.3 (CVE-2026-33186)
    • Upgrade to Golang 1.26.1 (CVE-2026-25679, CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-27142)
  • 42crunch/scand-agent:v1.53.2
    • Upgrade to google.golang.org/grpc v1.79.3 (CVE-2026-33186)
  • 42crunch/scand-agent:v1.53.1
    • Fix to scan runtime settings
  • 42crunch/scand-agent:v1.53.0
    • Upgrade to Golang 1.25.6 (CVE-2025-61726, CVE-2025-61728, CVE-2025-61730)
  •  42crunch/scand-agent:v1.52.0
    • Upgrade to golang.org/x/crypto v0.45.0 (CVE-2025-47914, CVE-2025-58181)
  • 42crunch/scand-agent:v1.51.0
    • Upgrade to golang.org/x/crypto v0.44.0 (CVE-2025-47913)
    • Fixed including nested objects in arrays in requests
  • 42crunch/scand-agent:v1.50.2
    • Upgrade to Golang 1.25.3 (CVE-2025-58185)
    • Adjusted proxy behavior
  • 42crunch/scand-agent:v1.50.0
    • Upgrade to Golang 1.25.1 (CVE-2025-47906)
  • 42crunch/scand-agent:v1.49.0
    • Internal cleanup and refactoring
  • 42crunch/scand-agent:v1.48.0
    • Fixed scan report size checks
  • 42crunch/scand-agent:v1.47.0
    • Ignore unsupported HTTP methods
    • X-Scan-Transactionid included in every request
    • Upgrade to chi v5.2.2 (CWE-601)
  •  42crunch/scand-agent:v1.46.3
    • Upgrade to Golang 1.24.4 (CVE-2025-0913, CVE-2025-22874, CVE-2025-4673)
  • 42crunch/scand-agent:v1.46.0
    • Internal cleanup and refactoring
  • 42crunch/scand-agent:v1.45.0
    • Upgrade to Golang 1.24.2 (CVE-2025-22871)
    • Upgrade to golang.org/x/net v0.39.0 (CVE-2025-22872)

All previous image versions have been deprecated and are no longer supported.

Deprecated components

There are no new deprecations in this release. For the list of current deprecations, see List of deprecated images and endpoints.

Known issues

This release has the following known issues.

Manage teams permission not shown on list of users

The permission to manage teams is not yet shown on the list of users in your organization, but you can view all permissions that a user has by clicking the permission column. This permission also does not yet have a shortcut that you could use when searching by permission.

These will be fixed in a future release.

Changing tagging on an API may trigger an unrelated error on the UI

Sometimes applying tags to or removing them from an API may trigger an unrelated error on failing to fetch the SQG approval report for the API. This happens if the API in question has been scanned on-premises and the scan has finished after you arrived on the API Summary page, because the UI cannot find the latest on-premises scan report and the associated approval report. Refreshing the page gets the latest reports and resolves the issue.

Tagging and untagging the API is not affected by this error: tags get correctly applied and removed in any case.

This will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

Scan customization rules may lead to no response codes being accepted.

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes that are defined in scan rules applied to the scanned API take preference over the response codes that API Scan would otherwise expect. However, this can cause problems in scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. This results in the scan rule to have null defined as the expected response code, and because the scan rule takes preference over the default scan behavior, no response codes except null are accepted. This in turn means that some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.

We are currently investigating the best way how to reconcile the designed behavior of API Scan and scan rules in these cases, and this issue will be fixed in a future release.