v26.3.1 lands new capabilities around remote access, identity, and classification, plus a large batch of stability fixes across enclaves, overlay networking, and access screens.
Highlights
Remote access via Guacamole
Access Gate now ships with an integrated Guacamole-based remote access layer, giving operators browser-based RDP and VNC access to protected assets without requiring a client install or an additional jump host. Sessions inherit the same identity, authorization, and audit rules as every other Access Gate session.
TLS bootstrap without pre-existing PKI
The pki service can now create and manage a self-signed root CA covering every vnet domain the appliance owns. This removes the chicken-and-egg problem of needing TLS (for access screens, encrypted overlays, admin UI) before a customer PKI exists. The root CA key is password-protected; the administrator enters the password after a system reboot — the password is never stored on disk.
Customers with an existing PKI can continue to use it. The bootstrap CA is an option, not a replacement.
Custom session expiration
Admin and access-screen sessions now have their own configurable lifetime, decoupled from the OIDC provider's token lifetime. This matters when the identity provider's session policy is either too permissive or not granular enough (e.g. Entra ID fixed-duration sessions). OAuth tokens are still used for the OIDC handshake, but the Access Gate session lifetime is set locally.
Vnet classification and labels
Networks can now be tagged with a type (VPN, IT, OT, Guest, Vendor, Public) and an implementation mode (Twin or Direct). Additional fields capture the Purdue classification and the impact level in case of attack. These labels feed policy, dashboards, and compliance reporting.
DHCP protocol support in asset inventory
Assets can now be discovered and tracked via DHCP traffic in addition to the existing passive-observation channels. This closes a gap for environments where DHCP is the primary source of ground-truth on endpoint IPs.
Expanded serial emergency console
The emergency console exposed over serial (and now over SSH) is replaced with a narrower, purpose-built command set covering IP configuration, system reboot/shutdown, service status checks, backup restore, admin-interface certificate reset, and log export to USB or nc. The previous unrestricted BusyBox shell is gone — the emergency surface is now bounded to exactly what recovery requires.
URL classifier model (preview)
A new classifier model is available for detecting obfuscated HTTP data exfiltration by pattern-matching request URLs. It is trained on the structural differences between legitimate HTTP traffic and info-stealer payloads, and is delivered as an optional visibility module.
Identity and cybersecurity hardening
Users now carry an explicit list of AssignedAssets — personal assets no other user can claim. This replaces the prior free-form IP list on the user profile, closes an ACL-bypass edge case, and makes user-to-asset mapping auditable.
Feature additions
- ACL table search — search the ACL table by user, asset, or rule text.
- Filtering and searching over large enclave sets — search bar and filters on the enclave page now operate on large entity counts without stalling.
- Collections screen pivots to security events — the collections/rules screen is reoriented around monitoring security events directly rather than transforming syslog; default rules ship with the product.
- Redirect to menu after saving an access screen — saving an access screen returns the operator to the access-screen menu instead of leaving them on a stale detail view.
- Access Screen permission updates recorded in enclave history — changes to access-screen permissions now appear in the enclave's audit trail.
- Multiselect dropdown component — reusable multiselect widget across several admin surfaces.
- Toggle button widgets — standardized toggle widget.
- Admin command to delete certificates — administrators can remove certificates from the CLI.
- Custom session expiration timeout — see Highlights.
- Vnet labels and impact fields — see Highlights.
Bug fixes
Stability, UI, and correctness fixes across the platform:
Access Screens
- Line breaks in access-screen content now carry over to the splash page.
- Enclave tag no longer duplicated in the access screen header.
- Password fields are masked by default.
- Access screen deletion works reliably.
- Text editor responds correctly during editing.
- Server no longer crashes when an access screen is triggered under specific conditions.
- Logo, text, and button alignment stabilized.
Enclaves
- Security level field shows the correct value after asset edit (no more "Invalid Security Level").
- Asset-modified audit entries no longer stuck in pending.
- Access-screen permission updates captured in enclave history.
- Adding M365 groups to an enclave succeeds without requiring a page reload.
- Permission matrix shows the full set of options.
- Asset search preserves the previous selection.
- ACL table no longer reports phantom changes on open.
Overlay networking
- Overlapping vnets no longer crash the UI.
- Invalid vnet configurations are rejected cleanly instead of crashing the server.
- Virtual IP block UI validates network addresses.
- Pings originating on the overlay interface leave via the same input interface.
- Translations in CDNS corrected.
- Admin interface restart behaves correctly.
- Repetitive spam log message suppressed.
Platform / CyberOS
- VNETs load correctly from the database at startup.
- confctl now NATs every vnet (previously only the first).
- Empty interface configuration no longer crashes the system.
- System backup creation fixed.
- Sniffing-port mode correctly starts the NetFlow collector.
- Invalid certificate domain handled.
- Assigning the same asset multiple times to a user is prevented.
- Adding an admin user with a role succeeds.
Visibility
- Plugin load ordering corrected.
- NetFlow decoder no longer crashes on malformed data.
Compliance
- IP cleanup now completes on the 24-hour schedule.
- Forwarder handles unknown-app requests without crashing.
- Snort starts correctly when the CIP module is configured as a protocol.
Upgrade notes
- The pki bootstrap CA is opt-in; existing deployments with a customer PKI are unaffected.
- Session expiration defaults are preserved on upgrade; configure new values under admin settings only if the new decoupled lifetime is required.
- Emergency console command set has changed — review any scripts or runbooks that assumed the previous BusyBox surface.
- The collections screen has been reoriented; customer-authored rules continue to work, but the primary navigation has shifted toward security-event monitoring.