NG Production Release Update - APIsec_cloud_7.6.1.0 (Jun 03, 2026)
This release focuses on improving API onboarding, compliance reporting, and automation. Key highlights include Postman Environments, MITM Proxy onboarding, ISO 27001 and PCI DSS 4.0 reports, short-lived OAuth credentials for CI/CD integrations, and usability improvements across vulnerability investigation, parameter discovery, and hosted agent management.
What's New
Expanded Visibility for Informational Detections
Informational findings are now tracked separately from vulnerabilities while supporting the same triage workflows, including ticket creation, False Positive, and Risk Accepted actions.
Why this matters
- Improves visibility into security observations beyond direct vulnerabilities
- Provides richer context in Pentest Reports
MITM Proxy Application Onboarding
Applications can now be onboarded using MITM proxy capture files (.mitm and .flows). APIsec automatically extracts endpoints and generates an OpenAPI Specification (OAS).
Why this matters
- Simplifies the onboarding of undocumented APIs
- Expands support for traffic-capture-based API discovery
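As an added illustration of what traffic-capture-based discovery produces (this is example code written for this page, not APIsec's implementation), the block below folds already-decoded proxy requests into a minimal OpenAPI 3.0 document. The request records, the host name and the decision to treat every observed query parameter as an optional string are constructed assumptions; decoding the .mitm/.flows container itself is not shown.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed records standing in for requests already decoded from a
# proxy capture. Each entry is (method, url, response status).
CAPTURED_REQUESTS = [
    ("GET", "https://api.example.test/v1/users?page=1&limit=20", 200),
    ("GET", "https://api.example.test/v1/users?page=2", 200),
    ("POST", "https://api.example.test/v1/users", 201),
    ("GET", "https://api.example.test/v1/users/42", 200),
    ("DELETE", "https://api.example.test/v1/users/42", 204),
    ("GET", "https://cdn.example.test/logo.png", 200),  # different host: noise
]


def build_openapi(records, api_host: str) -> dict:
    """Fold observed requests into a minimal OpenAPI 3.0 document.

    Only requests to api_host are kept, so unrelated hosts captured by the
    proxy (CDNs, telemetry) do not pollute the spec. Query parameters seen
    on any capture of a method+path become optional parameters, and every
    distinct status code becomes a response entry.
    """
    ops = defaultdict(lambda: {"params": set(), "statuses": set()})
    for method, url, status in records:
        parts = urlsplit(url)
        if parts.netloc != api_host:
            continue
        key = (parts.path, method.lower())
        ops[key]["params"].update(
            name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
        )
        ops[key]["statuses"].add(str(status))

    paths = {}
    for (path, method), info in sorted(ops.items()):
        operation = {
            "parameters": [
                {"name": n, "in": "query", "required": False,
                 "schema": {"type": "string"}}
                for n in sorted(info["params"])
            ],
            "responses": {
                code: {"description": f"Observed {code}"}
                for code in sorted(info["statuses"])
            },
        }
        paths.setdefault(path, {})[method] = operation

    return {
        "openapi": "3.0.3",
        "info": {"title": f"Discovered API ({api_host})", "version": "0.0.1"},
        "servers": [{"url": f"https://{api_host}"}],
        "paths": paths,
    }


if __name__ == "__main__":
    print(json.dumps(build_openapi(CAPTURED_REQUESTS, "api.example.test"), indent=2))
```

Note that `/v1/users/42` is kept as a literal path: collapsing captured identifiers into `{id}` path templates is a separate inference step, and a spec generated this way only covers endpoints that actually appeared in the capture.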
Compliance Reports — ISO 27001 & PCI DSS 4.0
Customer-downloadable compliance reports for ISO 27001 and PCI DSS 4.0 are now available under Application → Reports.
Why this matters
- Simplifies audit preparation and evidence collection
- Provides standardized compliance reporting
API Credentials — Short-Lived OAuth Tokens
You can now create API Clients that issue short-lived OAuth 2.0 access tokens for CI/CD pipelines and integrations, eliminating the need for long-lived credentials.
Why this matters
- Improves security for automation workflows
- Provides finer-grained access control for integrations
Postman Environment Support
You can now attach Postman Environment files to Postman-based applications so that {{variable}} placeholders are resolved automatically whenever a spec is reloaded.
Why this matters
- Improves scan accuracy by resolving environment-specific values
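To show what placeholder resolution involves, here is an added example (not APIsec's code) that loads a Postman Environment export and substitutes its enabled variables into a spec fragment. The environment contents, the spec fragment and the dotted-name placeholder pattern are constructed for the example; the top-level "values" list of key/value/enabled entries follows the Postman environment export format.

```python
import json
import re

# Constructed Postman Environment export. "legacyHost" is disabled, which
# Postman treats as "not set", so it must not be substituted.
ENV_JSON = """
{
  "name": "staging",
  "values": [
    {"key": "baseUrl", "value": "https://api.example.test", "enabled": true},
    {"key": "apiVersion", "value": "v2", "enabled": true},
    {"key": "legacyHost", "value": "http://old.example.test", "enabled": false}
  ]
}
"""

# Constructed spec fragment; "region" is deliberately absent from the environment.
SPEC_TEXT = "{{baseUrl}}/{{apiVersion}}/users?region={{region}}"

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.-]+)\s*\}\}")


def load_environment(env_json: str) -> dict:
    """Return a mapping of enabled variable names to their string values."""
    doc = json.loads(env_json)
    return {
        entry["key"]: str(entry.get("value", ""))
        for entry in doc.get("values", [])
        if entry.get("enabled", True)
    }


def resolve_placeholders(text: str, env: dict):
    """Substitute {{name}} placeholders from env.

    Returns (resolved_text, missing_names). Unresolved placeholders are left
    verbatim so the caller can flag them, rather than silently sending a
    literal "{{region}}" to the target as if it were a real value.
    """
    missing = []

    def _substitute(match):
        name = match.group(1)
        if name in env:
            return env[name]
        missing.append(name)
        return match.group(0)

    return PLACEHOLDER.sub(_substitute, text), missing


if __name__ == "__main__":
    environment = load_environment(ENV_JSON)
    resolved, unresolved = resolve_placeholders(SPEC_TEXT, environment)
    print(resolved)
    print("unresolved:", unresolved)
```

Reporting unresolved names is the part worth keeping: a scan that runs against a URL containing a literal placeholder produces misleading results, so an environment that is missing a variable should be surfaced before the reload is accepted.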
Originating Scan Context for Vulnerabilities
Vulnerabilities now include an Originating Scan link that takes you directly to the scan where the finding was first detected, with evidence pre-expanded.
Why this matters
- Simplifies investigation and validation
- Preserves historical detection context across rescans
Parameter Hydration — Improved Discovery Experience
Parameter discovery is now organized by endpoint, with inline editing, confidence indicators, and clearer progress tracking based on endpoint coverage.
Why this matters
- Improves usability for large APIs
- Makes parameter validation and discovery easier to manage
Improvements
OAuth2 Response Key Support
OAuth2 authentication profiles now support configurable response keys, enabling token extraction from custom fields such as id_token, or from nested response structures. Applications without a configured response key continue to use access_token by default.
Why this matters
- Supports a broader range of OAuth implementations
- Simplifies integration with custom identity providers
- Reduces authentication configuration workarounds
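The following added example (written for this page, not taken from APIsec) shows the behaviour a configurable response key gives you: a standard OAuth2 response still yields access_token by default, an OIDC-style response can be told to use id_token, and a nested structure is reached through a path. The token responses are constructed, and the dot-separated path syntax is an assumption for the example rather than APIsec's configuration syntax.

```python
import json
from typing import Optional

DEFAULT_KEY = "access_token"

# Constructed token-endpoint responses.
STANDARD_RESPONSE = '{"access_token": "tok-standard", "token_type": "Bearer", "expires_in": 3600}'
OIDC_RESPONSE = '{"access_token": "tok-access", "id_token": "tok-id", "token_type": "Bearer"}'
NESTED_RESPONSE = '{"data": {"auth": {"token": "tok-nested"}}, "status": "ok"}'


def extract_token(response_body: str, response_key: Optional[str] = None) -> str:
    """Pull the bearer token out of a JSON token response.

    response_key is a dot-separated path ("data.auth.token"); None selects the
    standard OAuth2 access_token field. A missing segment raises KeyError naming
    the path walked so far, and a non-string result raises ValueError, so a
    misconfigured key fails loudly instead of producing an empty or bogus
    Authorization header that makes every authenticated request look "unauthorized".
    """
    doc = json.loads(response_body)
    path = (response_key or DEFAULT_KEY).split(".")
    node = doc
    for depth, segment in enumerate(path):
        if not isinstance(node, dict) or segment not in node:
            walked = ".".join(path[: depth + 1])
            raise KeyError(f"response key '{walked}' not present in token response")
        node = node[segment]
    if not isinstance(node, str) or not node:
        raise ValueError(
            f"response key '{response_key or DEFAULT_KEY}' did not resolve to a non-empty string"
        )
    return node


def describe_extraction(response_body: str, response_key: Optional[str] = None) -> str:
    """Return either the token or a readable error, for logging in a scan profile."""
    try:
        return extract_token(response_body, response_key)
    except (KeyError, ValueError) as exc:
        return f"error: {exc.args[0]}"


if __name__ == "__main__":
    print(describe_extraction(STANDARD_RESPONSE))
    print(describe_extraction(OIDC_RESPONSE, "id_token"))
    print(describe_extraction(NESTED_RESPONSE, "data.auth.token"))
    print(describe_extraction(NESTED_RESPONSE))  # default key does not exist here
```

The last call is the case the release note is about: without a configured key, a provider that nests its token would previously have forced a workaround, and the error message names exactly which segment of the path was not found.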
Improved Hosted Agent Reliability
Hosted-agent scans now use extended polling timeouts, reducing premature timeouts during large scans and in slower environments.
Agent-side failures that were previously difficult to diagnose are now surfaced directly within scan details.
Why this matters
- Improves scan reliability for large applications
- Reduces false scan-stuck scenarios
- Provides clearer troubleshooting information when failures occur
Explicit Hosted Agent Assignment for New Instances
New application instances no longer automatically inherit a hosted agent assignment. Users can now explicitly choose whether to associate a hosted agent or use cloud-based scan execution. Existing instances are unaffected.
Why this matters
- Prevents unintended hosted agent assignments
- Improves transparency during instance creation
Aborted Scans Show the Correct Status
Hosted-agent scans that are intentionally stopped now display an Aborted status instead of remaining Active.
Why this matters
- Improves scan status accuracy
- Makes it easier to distinguish user-aborted scans from failed executions
- Provides clearer operational visibility
Security Improvements
Private Hosted Agent Security Updates
The Private Hosted Agent image has been updated with the latest dependency and security updates.
Why this matters
- Keeps hosted agent deployments aligned with the latest security updates
- Improves the overall security posture of self-managed scan environments
Issue Fixes
Personal Access Token Error Handling
Issue: Malformed Personal Access Tokens (PATs) could return a generic 500 Internal Server Error when accessing platform APIs.
Fix: Authentication failures now return clear 401 Unauthorized responses with actionable error details.
Impact
- Simplifies troubleshooting for API integrations
- Provides clearer authentication failure feedback
Parameter Discovery Status Accuracy
Issue: The AppModel dashboard could show Review Discovered Parameters as In Progress even when no user had reviewed or updated any parameters.
Fix: The workflow now moves to In Progress only after a user modifies a discovered parameter.
Impact
- Progress indicators now reflect actual user activity
- Reduces confusion during parameter review workflows
Auth Test Results Endpoint Loading
Issue: The endpoint selector in Auth Test Results intermittently displayed No Data.
Fix: Improved endpoint retrieval reliability for large applications.
Impact
- Improves the stability of Auth Test Results workflows
- Reduces intermittent endpoint loading failures
Vulnerability Scorecard Counts
Issue: Instance-level Critical and High vulnerability counts included findings marked as False Positive or Risk Accepted, inflating the totals.
Fix: Scorecards now count only active findings, matching the displayed tooltip and application-level reporting.
Impact
- Provides more accurate vulnerability counts
- Aligns scorecards with triage workflows and reporting
MySQL Injection Category Display
Issue: MySQL Injection scans were displayed as SQL Injection in scan progress and results, and could execute twice during certain batch scans.
Fix: MySQL Injection now runs and is displayed as a dedicated category across the platform.
Impact
- Improves scan visibility and reporting accuracy
- Eliminates duplicate execution during batch scans
Postman Reload Error Messaging
Issue: Postman spec reload failures caused by an invalid Collection ID or API Key displayed a generic error message.
Fix: Error messages now identify which credential is invalid.
Impact
- Simplifies troubleshooting of Postman reload failures
- Helps users resolve configuration issues more quickly