New Release Available: Release 2026.1
Hello from the Cerberus team!
We're pleased to announce our latest release: 2026.1. This latest release incorporates a number of critical fixes, changes, and additions.
Important update note: If you are on a Cerberus version older than 2025.4.0, you will need to update using the manual process described here in order to accept the EULA/MSA.
New Features
- Cerberus has been upgraded to be compliant with FIPS 140-3 to future-proof your regulated environment and ensure seamless data protection. This change comes ahead of the September 2026 retirement of FIPS 140-2.
- Added support for ETM (Encrypt-Then-MAC) algorithms (hmac-sha2-256-etm and hmac-sha2-512-etm) to SFTP, hardening the server against modern vulnerabilities like the recent Terrapin attacks.
- Banned usernames can no longer be requested as new native accounts.
- CSV user import now acknowledges blank passwords and requires admin confirmation prior to importing these users.
- HTTP/S listeners can now optionally remove the login prompt when SAML SSO is configured, streamlining authentication for SSO-only deployments. The login form is automatically displayed if SSO is unavailable to prevent user lockout.
- Upgraded cURL to 8.18.0 to address several low-severity CVEs (CVE-2025-15224, CVE-2025-15079, CVE-2025-14819, CVE-2025-14524, CVE-2025-10966) as well as medium-severity CVEs (CVE-2025-14017, CVE-2025-13034).
- Upgraded libssh2 to 1.11.1.
- Upgraded log4cxx to 1.6.1.
Improvements
- SSH/SFTP cipher, MAC, and key exchange algorithms are now displayed in order from most secure to least secure in the protocol security settings.
Fixes
- Long filenames now wrap in the file browser, instead of being truncated, for better readability.
- Server updates are no longer blocked when EULA changes are included; an admin acceptance checkbox enables successful silent installations for all software and EULA updates.
- SSO users may now be deleted from the cache. A new ability to remove all inactive users from provisioning has been added.
- License expiration events now provide proactive alerts, allowing admins to configure automated email notifications up to one year in advance to prevent unexpected service interruptions.
- Fixed a local privilege escalation (LPE) vulnerability where BUILTIN\Users had write access to the update installers directory.