Release Notes for This Release
44.0
2026-06-15
PrivX 44.0 is a major release with new features.
After this release, we provide security and stability fixes for three prior PrivX major versions: 44.x, 43.x, and 42.x; older versions aren't officially supported.
The supported upgrade paths to this release are:
- Upgrade with downtime: 41.x, 42.x, 43.x.
- Zero-downtime upgrade: 43.x.
The latest PrivX LTS version is v36. You can get it here.
Important Notes for This Release
API Target IPv6 format changed (since v44)
API target endpoints must enclose IPv6 addresses in square brackets. For example, use [3fff::1] instead of 3fff::1.
After upgrading to PrivX 44 or later, update any existing API targets that use unbracketed IPv6 addresses.
Next PrivX LTS will be based on v43
The next PrivX LTS release will be a point release of PrivX v43. It's expected for Q2 2026. Customers using v36 LTS should start preparing for the future LTS-to-LTS upgrade.
PrivX v36 LTS will remain supported until the end of 2026. If you intend to continue using PrivX LTS releases, we recommend not upgrading to this non-LTS version: there is no supported upgrade path back to 43.x LTS.
HSM ECDSA enabled by default (since v43)
New PrivX v43 and later deployments have HSM-backed ECDSA support enabled by default. Upgrades from earlier PrivX versions do not enable ECDSA automatically. For more information about HSM ECDSA support, see HSM ECDSA support.
Kubernetes 1.23 required (since v42)
PrivX 42 and later Kubernetes deployments require Kubernetes 1.23 or later.
Deprecation Warnings
privx-agent discontinued (since v44)
Starting with PrivX v44, we no longer release new PrivX Agent versions. Existing PrivX Agent versions will continue to work with PrivX APIs. However, we will no longer provide fixes for breaking changes introduced in this or later PrivX versions.
HAProxy as the preferred Ingress Controller (since v44)
The current preferred Nginx Ingress Controller is being retired. Starting with PrivX v44, HAProxy becomes the preferred Ingress Controller.
In the future, we plan to move PrivX to the Kubernetes Gateway API instead.
Kyber KEX to be deprecated
The Kyber algorithm has been superseded by the NIST-standardized ML-KEM algorithm. For this reason, the KEX suite ecdh-nistp521-kyber1024-sha512@ssh.com may be removed from the default algorithms list in a future PrivX release. Users are encouraged to migrate to the mlkem1024nistp384-sha384 KEX suite. PrivX will continue to support ecdh-nistp521-kyber1024-sha512@ssh.com until further notice.
PostgreSQL 12 and 13 support to be deprecated
Support for end-of-life PostgreSQL versions 12 and 13 will no longer be maintained in PrivX versions released after 2026. If you run PrivX with any affected PostgreSQL version, start preparing for a database upgrade.
PrivX versions released in 2027 and later may continue to work with PostgreSQL 12 and 13. However, we will no longer provide fixes for breaking changes introduced to PostgreSQL 12 or 13.
New Features
- [PX-6645] Support direct traffic between PrivX microservices.
- [PX-8143] Ephemeral user directory for API client login via token exchange
- [PX-8576] Additional features for OIDC users, such as workflows and extra credentials
- [PX-4071] Delegate access control with access-group-specific roles
- [PX-8344] ICAP connections support TLS for malware scanning, with official support for Spectra.
Improvements
- [PX-8571] SSH MITM no longer audits TCP health-check errors when using Proxy Protocol.
- [PX-8564] The inactive-user housekeeping threshold is now configurable (previously fixed at 12 hours).
- [PX-8548] The post-installation script no longer prompts for PostgreSQL superuser credentials during version checks.
- [PX-8429] Extender v2 now opens a new SSH tunnel after the maximum channel count is reached.
- [PX-8397] Faster search on Monitoring → Connections.
- [PX-8281] SSH MITM connection metadata now shows PrivX SSH Bastion as the authentication method (instead of Unknown).
- [PX-8165] PrivX now attempts to use any available fallback credentials when establishing target connections.
- [PX-7155] Improved SSH Proxy logging.
Notable Documentation Changes
| Date | Description |
|---|---|
| 2026-06-15 | New configuration guide for bypassing Nginx to reduce socket usage and latency |
| 2026-06-15 | New guide for configuring PrivX Server's Nginx to prefer PQC algorithms. |
| 2026-06-15 | Updates across docs related to PrivX-Agent deprecation. |
| 2026-06-15 | New article about PrivX system hard limits and sizing guidelines. |
| 2026-06-15 | The PrivX LTS Introduction is updated with the current and upcoming LTS versions. |
Documentation is updated as needed and may change between releases.
Bug Fixes
- [PX-8559] Fixed an API Proxy endpoint parsing error for bracketless IPv6 addresses.
- [PX-8524] Fixed an issue where deleted roles accumulated over time could cause high memory use.
- [PX-8509] Fixed an issue where target-domain scans could become stuck.
- [PX-8426] Fixed an issue where
POST /authorizer/api/v1/ca/authorizereturned an incorrect client IP address in the OpenSSH certificate Key ID. - [PX-8421] The UI now shows an informative error message when trying to restart PrivX in maintenance mode.
- [PX-8411] Extender v2 connection audit events now correctly include the Extender IP address.
- [PX-8645] SSH-Bastion session recording now works when the Disable file transfer recording option is checked.
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS Red Hat AMI
- Workaround: To correct the SELinux context, copy
principals_command.shto the correct location:# scp -i key.pem principals_command.sh user@target:/tmp/# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- Workaround: To correct the SELinux context, copy
- [PX-1711] RDP fails to connect to the target in maintenance mode; support for the
/adminflag is needed. - [PX-1835] Extender, Carrier, and WebProxy configs are not migrated during upgrade
- [PX-1875] Web proxy login does not work if the login page sends requests to multiple domains.
- [PX-2947] No sound when viewing a recorded RDP MITM connection.
- [PX-3086] PrivX role mapping to AD OU does not work as expected.
- [PX-3529] The default access-group CA key is always copied to the host when running the deployment script through Extender.
- [PX-3655] RemoteApp cannot be restored after it is minimized.
- [PX-4218] RDP native clients do not work in a Kubernetes environment when running under a non-root account.
- [PX-4352] The UI shows a deleted local user after deletion.
- [PX-4616] An upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4662] Pasting large amounts of text in a Carrier or Proxy host fails (currently limited to 16 kB).
- [PX-4778] RDP Proxy: a file being scanned cannot be overwritten.
- [PX-4809] Empty files are created when ICAP detects malicious uploads with SCP through SSH Bastion.
- [PX-5558] PrivX does not support the password-change-required option for users in the passkey authentication flow.
- [PX-5587] Live playback of WEB connections no longer stays in live mode after the user closes the Carrier browser.
- [PX-8190] The backup/restore script does not restore the Nginx configuration.
- [PX-8191] Extender V2 (in normal mode) status is Unregistered even after successful registration.
- [PX-8594] Client-certificate authentication does not work in PrivX deployments on Kubernetes.
- [PX-8651] privx-extender-v2 with
-configdoesn't normalize configuration paths like extender v1.- Workaround: Provide the config-file name only, without the filepath or extensions.
Notable API Changes
- No backward-breaking API changes in this release.