Release Notes for This Release
43.0
2026-03-16
PrivX 43.0 is a major release that introduces new features.
After this release, we provide security and stability fixes for PrivX 42.x, 41.x, and 40.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Supported upgrade paths to this release are:
- Upgrade with downtime: 40.x, 41.x, 42.x.
- Zero-downtime upgrade: 42.x.
The latest PrivX LTS version is v36, which can be obtained here.
Important Notes for This Release
Next PrivX LTS will be based on v43
The next PrivX LTS release will be a point release of PrivX v43, expected to release in Q2 2026. Customers using v36 LTS should begin preparations for the future LTS-to-LTS upgrade.
PrivX v36 LTS will continue to be supported until the end of 2026.
HSM ECDSA enabled by default (since v43)
Fresh deployments of PrivX v43 and later will have HSM-backed ECDSA support on by default. ECDSA isn't automatically enabled for upgrades from earlier PrivX versions. For more information about HSM ECDSA support, see HSM ECDSA support.
Kubernetes 1.23 required (since v42)
Kubernetes deployments of PrivX 42 and later require Kubernetes version 1.23 or later.
License required for FIPS mode (since v41)
From v41 onward, PrivX requires a license to enable FIPS mode. If you are running PrivX v40 in FIPS mode, ensure that your license allows FIPS before upgrading to v41 or later.
v41 Extenders not backwards-compatible (since v41)
Due to an Extender protocol change, v41 PrivX Extenders can't be used with prior PrivX versions. However, older PrivX-Extender versions will still work with PrivX v41.
Deprecation Warnings
Kyber KEX to be deprecated
The Kyber algorithm is considered obsolete. For this reason, the KEX suite ecdh-nistp521-kyber1024-sha512@ssh.com shall be dropped from the default algorithms list in a future PrivX release. However, PrivX will continue supporting the ecdh-nistp521-kyber1024-sha512@ssh.com KEX suite until further notice.
PostgreSQL 12 and 13 support to be deprecated
Support for end-of-life PostgreSQL versions 12 and 13 shall no longer be maintained from PrivX versions released after 2026. We recommend beginning preparations for database upgrade if you're running PrivX with any of the affected PostgreSQL versions.
PrivX versions released in 2027 and later may continue to work with PostgreSQL 12/13. However, we will no longer develop fixes for any breaking changes introduced to PostgreSQL 12/13.
HAProxy as Ingress Controller of choice
The current preferred Nginx Ingress Controller is being retired. Starting from PrivX v44, we will be moving to HAProxy as the Ingress Controller of choice.
In the future we plan to move PrivX to use the Kubernetes Gateway API instead.
Bitnami Ingress Controller deprecated (since v42)
The Bitnami public catalog has disabled new versions, and we have decided to move PrivX away from supporting Bitnami.
In PrivX 42 the example Kubernetes setups are described with an Nginx Ingress Controller. However, you may choose any Ingress Controller that satisfies the requirements described here.
privx-agent to be deprecated
After PrivX v43 we will no longer release new versions of PrivX Agents. Existing PrivX-Agent versions will continue working with PrivX APIs. However, we will no longer develop fixes for any breaking changes introduced in future PrivX versions.
New Features
- [PX-3891] API-Proxy feature improvements. Mainly for Kubernetes support.
- New authentication methods to API targets: basic authentication, client certificate, and ephemeral certificate authentication.
- Support retrieving client credentials in kubeconfig format. Supports token and certificate authentication methods.
- New option to automatically terminate a user's API target session when they have no active PrivX logins.
- Improve the searchability of recorded API sessions.
- [PX-7957] Additional options can be modified without needing to restart PrivX. For a list of available PrivX settings, see PrivX Settings.
- [PX-8133] SERVER_ONLY mode for Connection Manager.
- PrivX Server in SERVER_ONLY mode only serves user requests. It won't perform Connection Manager housekeeping tasks. This improves performance in environments with, for example, slow disk operations.
- [PX-8180] PrivX 43 as the base for Next LTS Release.
- [PX-8196] PrivX SBOM is available per customer request.
- [PX-8332] PrivX VPAT report refresh.
- [PX-8415] SSH Bastion syntax supports an alternative separator to the default %.
Bug Fixes and Improvements
- [PX-7901] Target Domains: Removing and re-adding an account in AD results in a new user and a managed user existing simultaneously.
- [PX-7971] privx-carrier and privx-web-proxy: include local-env from systemd service files.
- [PX-8093] Modifications to target-domain settings aren't logged correctly.
- [PX-8096] Fix CA hierarchy when reading certificate chains from file.
- [PX-8136] Compute subjectKeyID using a method other than SHA-1.
- [PX-8159] Access Groups with corrupted CA IDs are not handled.
- [PX-8192] monitor-service / extender-service: external component status handling does not treat stale data correctly.
- [PX-8194] Optimize CAS endpoint to not use HSM.
- [PX-8205] Host search is slow when sorting by common_name.
- [PX-8216] api-proxy: the client credential last-used timestamp is now also updated in the database during zero-downtime upgrades (ZDU).
- [PX-8227] "... is about to expire" audit events shouldn't be created for revoked certificates.
- [PX-8236] Monitoring/Connections search returns too many users' roles.
- [PX-8276] Maximum number of roles increased from 10000 to 15000.
- [PX-8282] Native-client sessions are no longer automatically logged out when the user's GUI session expires.
- [PX-8282] SSH Bastion / RDP Bastion: session inactivity logic causes Bastion login sessions to get invalidated.
- [PX-8336] Role store status is set to RUNNING at startup before everything is ready.
- [PX-8340] UEBA component does not appear in PrivX.
- [PX-8365] VNC Web Connections: kiosk mode doesn't work in chromium containers.
- [PX-8415] ssh-mitm: interactive target selection is broken due to RDS changes.
- [PX-8445] Cloud host instance tag import broken.
- [PX-8334] Target domain Active Directory search regression when paging is needed.
- [PX-8306] Target domain managed accounts periodic rotation is inconsistent.
- [PX-8275] Increase default value for MaxEntries cache setting for role-store.
- [PX-8185] Extender v2 in HA setup does not support load balancing to node with least connections.
- Load balancing for Extender v2s in the same mode (all Extenders under the same routing prefix in normal mode, or in forward/passive modes) now works for tunnels connected to the node in use. Further improvements shall be included in future versions.
- [PX-8425] role-store rule-evaluation logging improvement.
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-3655] remoteApp cannot be restored after it's minimized
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4778] RDP-PROXY: file under scanning can not be overwritten
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5558] PrivX does not support password change required option for user in auth flow via passkey.
- [PX-5587] Live playback of web connections stays stuck in live mode after disconnecting by closing the Carrier browser
- [PX-5589] User cannot login with PrivX Agent if password includes a SPACE at start/end
- [PX-8190] Backup / restore script doesn't restore Nginx configuration
Notable API Changes
- GET connection-manager/api/v1/connections/<connection_id> - Supports a new verbose path parameter. Full snapshot data is returned if the param is omitted or is set to verbose=true. When verbose=false, user_roles will be omitted, and user snapshot data will contain only relevant roles for the connection.
  Starting from PrivX v43, searches on the Monitoring→Connections page will use verbose=false. This should improve performance in environments where users have lots of roles but only a subset is related to the connection. When viewing a trail via the GUI, you can still see all the user's roles by clicking Show All User Roles.
- With the following endpoints for retrieving user secrets, you can now use the format=kubeconfig option to retrieve the data in kubeconfig format:
  - GET /api-proxy/api/<api_version>/users/current/client-credentials/<id>/secret
  - GET /api-proxy/api/<api_version>/users/<user_id>/client-credentials/<id>/secret
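As an added illustration of the verbose parameter described above (example code written for these notes, not PrivX's own implementation), the following Python models how a connection snapshot is reduced when verbose=false: user_roles is dropped and the user's roles are narrowed to those relevant to the connection. The snapshot layout, the authorizing_role_ids field and the privx.example host are assumptions made for this example; PrivX's real response schema is not documented here.

```python
"""
Illustration of the verbose parameter on
GET connection-manager/api/v1/connections/<connection_id> (PrivX 43).

Added example, not PrivX's own code. The snapshot layout, the
"authorizing_role_ids" field and the privx.example host are assumptions
made for this illustration; the real PrivX response schema may differ.
"""
from copy import deepcopy
from urllib.parse import urlencode

# Constructed sample snapshot (not a real PrivX response).
SAMPLE_CONNECTION = {
    "id": "conn-0001",
    "user": {
        "id": "user-42",
        "principal": "alice",
        "roles": [
            {"id": "role-admin", "name": "privx-admin"},
            {"id": "role-dev", "name": "developers"},
            {"id": "role-ops", "name": "operators"},
        ],
    },
    # Full list of the user's roles, as returned with verbose=true.
    "user_roles": [
        {"id": "role-admin", "name": "privx-admin"},
        {"id": "role-dev", "name": "developers"},
        {"id": "role-ops", "name": "operators"},
    ],
    # Assumed field: which of the user's roles granted this connection.
    "authorizing_role_ids": ["role-dev"],
}


def parse_verbose_param(query: dict) -> bool:
    """Interpret the verbose query parameter.

    Omitted or "true" -> full snapshot; "false" -> reduced snapshot.
    Any other value is rejected (this example's choice, not documented
    PrivX behaviour).
    """
    value = query.get("verbose")
    if value is None:
        return True
    normalized = value.strip().lower()
    if normalized == "true":
        return True
    if normalized == "false":
        return False
    raise ValueError(f"unsupported verbose value: {value!r}")


def reduce_snapshot(connection: dict, verbose: bool = True) -> dict:
    """Return a copy of the snapshot, reduced when verbose is False.

    With verbose=False, "user_roles" is dropped and user.roles keeps only
    the roles relevant to the connection, as the release notes describe.
    The input dict is never mutated.
    """
    result = deepcopy(connection)
    if verbose:
        return result
    result.pop("user_roles", None)
    relevant = set(result.get("authorizing_role_ids", []))
    user = result.setdefault("user", {})
    user["roles"] = [r for r in user.get("roles", []) if r["id"] in relevant]
    return result


def build_connection_url(base_url: str, connection_id: str, verbose: bool = True) -> str:
    """Build the request URL. The flag is only sent when False, because an
    omitted verbose parameter already means full snapshot data."""
    url = f"{base_url.rstrip('/')}/connection-manager/api/v1/connections/{connection_id}"
    if not verbose:
        url += "?" + urlencode({"verbose": "false"})
    return url


if __name__ == "__main__":
    full = reduce_snapshot(SAMPLE_CONNECTION, verbose=parse_verbose_param({}))
    lean = reduce_snapshot(SAMPLE_CONNECTION, verbose=parse_verbose_param({"verbose": "false"}))
    print(len(full["user"]["roles"]), "roles in the full snapshot")
    print([r["name"] for r in lean["user"]["roles"]], "roles in the reduced snapshot")
    print(build_connection_url("https://privx.example", "conn-0001", verbose=False))
```

The reduced form is what a Monitoring→Connections search would consume from v43 onward; a GUI trail view that needs every role would request the full snapshot instead (the page's Show All User Roles action).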