Release Notes for This Release



Deprecation Warnings

SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

Supported releases and upgrade path

After this release, we produce security and stability fixes for PrivX 27.x, 26.x, and 25.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Upgrading to this version is supported from three previous major versions (26.x, 25.x, 24.x). For more information about upgrading from older versions, see Upgrade from Older Releases.

New features

Improvements and bug fixes

  • [PX-5067] privx-on-aws updated to support AWS CDK v2
  • [PX-5382] OIDC redirect URL glob support to allow wildcards
  • [PX-5468] External token provider page title change
  • [PX-5502] Make SCIM MaxResults configurable
  • [PX-5507] Send key combination Ctrl-Esc in RDP/VNC session
  • [PX-5434] PrivX Go/Python SDKs to include IDP and UEBA endpoints
  • [PX-5523] privx-cli new commands to invoke new IDP and UEBA endpoints
  • [PX-4467] Settings PUT endpoint allows incorrect values for hostkey_algorithms
  • [PX-5411] WEB-PROXY: wrong version number in status information
  • [PX-5560] RDP-proxy ICAP file scanning regression fixed
  • [PX-5479] Connection manager performance improvements

Known Issues

  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct SELinux context, copy the to correct location:

      # scp -i key.pem [email protected]:/tmp/
      # ssh -i key.pem [email protected] "sudo cp /tmp/ /etc/ssh/"

  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains

  • [PX-2947] No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] PrivX role mapping to AD OU not working as expected.

  • [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
  • [PX-4215] Successful OIDC login might generate an auth code that is too long as a query parameter, causing access-token fetching to fail
  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
  • [PX-4352] UI shows deleted local user after delete
  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
    • Workaround: Restart affected Carrier and Web-Proxy services.
  • [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
  • [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
  • [PX-4689] PrivX Linux Agent leaving folders in /tmp
  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
  • [PX-5394] SSH certificate authentication connections fail after rotating the PrivX CA key
  • [PX-5558] PrivX does not support the "password change required" option for a user in the auth flow via WebAuthn.
  • [PX-5593] Canceling the addition of a passkey gives an error
  • [PX-5608] UI shows an error even when the connection succeeds



Chromium password manager not yet supported for Chromium containers.