Version 2025.3.18.0 (April 1, 2026)

If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version

FIXES

• SECURITY PAM - Fixed incorrect authorization on PAM endpoints that allowed low-privilege users to access PAM provider and checkout policy information
• SECURITY CVE-2026-4828 Core - Fixed a security issue where MFA check could be bypassed when Emergency Code authentication was disabled
• SECURITY CVE-2026-4924 Core - Fixed a security issue where MFA could be bypassed using an alternate authentication cookie
• SECURITY CVE-2026-4925 Core - Fixed an issue allowing users to remove their own MFA despite enforced restrictions
• SECURITY CVE-2026-4989 Core - Fixed an issue where the gateway health check could be exploited for server-side request forgery (SSRF)
• Core - Fixed performance issues with Conditional Access Policies enabled
• Core - Resolved SQL collation issues during database and web backups
• Core - Restored access to sensitive User Vault information by correcting permission handling
• PAM - Fixed OTP prompt appearing for brokering-only PAM accounts
• Web - Fixed an error when saving user vault entries for accounts without a user vault
• Web - Fixed the credit card edit component missing a reveal sensitive data button
• Web - Restored ability to send Secure Messages with attachments

** CONSOLE RELEASE NOTES **

IMPROVEMENTS

• Minor updates