Manager

Removed

• Removed unused SSL/TLS transport option from cluster. (#35648)

Fixed

• Improved message decompression handling in remoted. (#35773)
• Improved agent name validation to reject names starting with dot. (#35833)
• Fixed segfault in vulnerability scanner module shutdown when disabled. (#36011)
• Fixed string buffer handling in version comparison function. (#36059)
• Improved cluster file synchronization security. (#36060)
• Improved cluster file synchronization error handling on invalid task identifiers. (#36129)
• Improved cluster merged file parameter validation to prevent directory escape. (#36204)
• Improved tmp_file path validation in cluster DAPI. (#36246)
• Improved cluster non-merged file path validation during worker file processing. (#36296)
• Improved cluster node name format validation in the hello handler. (#36460)
• Fixed missing agent.host.ip in inventory documents when agent IP is empty. (#35475)
• Fixed stale agent synced status after hot reload on cluster worker nodes. (#6726)

Agent

Fixed

• Fixed agent registration not running on reinstall after apt-get remove. (#35727)
• Fixed MS-Graph integration handling for relationships containing /. (#35431)
• Fixed macOS syscollector to skip package receipts whose payload is no longer installed. (#35380)
• Fixed missing eBPF create, modify and delete events on Ubuntu 24/26 and improved FIM whodata healthcheck. (#35838)
• Hardened FIM database path lookups by migrating to parameterized SQL queries. (#36399)

RESTful API

Fixed

• Escaped control characters in API usernames in access logs. (#35866)
• Added input validation in cluster result handling and authentication. (#35757)
• Fixed current user resolution in the update-user endpoint to enforce admin protection. (#35442)

Ruleset

Fixed

• Updated rootcheck trojan signatures to avoid false positives on modern distributions (Debian 13, Ubuntu 26, Arch Linux). (#35927)

Other

Changed

• Updated cryptography, urllib3 and python-multipart Python dependencies. (#35982)
• Updated eBPF libraries: libbpf to 1.7.0 and bpftool to 7.7.0. (#36467)

What's Changed

• Coding style clang format by @jotacarma90 in #35051
• Dovecot decoders don't match correctly by @hossam1522 in #35089
• Fixing CIS 35675 and 35689 rules bug by @hossam1522 in #35088
• Improve buffer handling in regex match processing by @vikman90 in #35106
• Fix empty-message failure in Windows enrollment integration test by @hernanvalenzuela in #35078
• Use daily marker for GuardDuty log collector by @anromerom in #35110
• Fix rate limit handling for /events endpoint by @javiersanchz in #35077
• Upload Size Limit Config Mismatch - Implementation by @jnasselle in #35141
• Update embedded Python and dependencies by @javiersanchz in #35135
• Escape document id in delete bulk operations by @ignaciogalle12git in #35174
• Add length validation after decompression in ReadSecMSG by @MiguelazoDS in #35193
• Fix uncontroller memory allocation in cluster by @FrancoRivero2025 in #35173
• Limit nested JSON depth in API requests - Implementation by @jnasselle in #35224
• Fix clang-format version resolution in CI by @jotacarma90 in #35180
• Align plugin decoder arguments with existing call path by @matigarciadev in #35176
• Add groups path validation by @TomasTurina in #35230
• Fix audit log cache overflow for events with many records by @vikman90 in #35285
• Update dependencies: cryptography, requests by @javiersanchz in #35331
• Fix memory allocation for long registry paths in syscheck by @Darioortegaleyva in #35287
• Fix for rootcheck not generating findings by @jpcerrone in #35297
• Bump 4.14.6 branch by @wazuhci in #35379
• Fix coverity findings in group validation paths by @TomasTurina in #35384
• Fix active config endpoint and Integration tests by @FrancoRivero2025 in #35412
• Server integration tests flaky test by @Antoniogm03 in #35353
• Skip macOS receipts that are no longer installed by @anromerom in #35380
• Revert tag references to main after v5.0.0-beta1 by @jotacarma90 in #35447
• Improve the code to hide information when a user doesn't have permission by @FrancoRivero2025 in #35307
• Validate current user in update-user endpoint by @vikman90 in #35442
• Complete wazuh server requirements docs by @TomasTurina in #35459
• Optimize error handling geoip locator by @LucioDonda in #35187
• wazuh-engine: /logtest endpoint cleanup temporary fields by @matigarciadev in #35420
• Add fast metrics module by @NahuFigueroa97 in #35142
• Bump 4.14.5 branch by @wazuhci in #35465
• Update changelog for v4.14.5-rc1 by @jotacarma90 in #35467
• Fix guardduty.py size in check files by @MarcelKemp in #35472
• Update uninstall procedure for Windows. by @rjcausarano in #35451
• Ms-graph - handle relationships that contain '/' by @jpcerrone in #35431
• Validate IP address format in host_ip field for Windows by @cborla in #35418
• Avoid using keyentries counter as index by @MiguelazoDS in #35456
• Linux test integration workflow improvements by @rovogel in #35060
• Enhancement/35084 improve it mac os by @rovogel in #35289
• Resume modules before manager sync to reduce coordination pause window by @lchico in #35357
• Check first scan termination before sync start by @anromerom in #35455
• Remove dead python code by @TomasTurina in #35533
• Include source IP in wazuh-remoted log messages by @20syldev in #35358
• Feed update re-scan revision by @ignaciogalle12git in #35271
• Backport: Fix FIM flaky integration tests by @Nicogp in #35535
• Migrate CM store-crud resources to native JSON flow by @jam300 in #35172
• wazuh-engine: Engine rename archiver module to event dumper by @matigarciadev in #35477
• Update inventory sync documentation by @TomasTurina in #35587
• Fix workflow input name: set-as-main → set_as_main in bumper workflow by @jotacarma90 in #35592
• Remove leftover code from deprecated Agent 0 by @fcontrerasc in #35195
• Synchronize Syscollector and VD queue databases during the flush process by @rjcausarano in #35518
• Add manager architecture documentation by @TomasTurina in #35607
• Early populate metadata after handshake by @fcontrerasc in #35387
• Fix script injection vulnerabilities in CI workflows by @jpcerrone in #35480
• (4x) Fix script injection vulnerabilities in CI workflows by @jpcerrone in #35598
• Update manager index names to sync by @juliancnn in #35527
• Suppress unexpected stateless events after SCA initial scan by @jr0me in #35432
• Dynamic getWazuhHome by @jepalfer in #35232
• Improve fast metrics interface managment and test by @NahuFigueroa97 in #35540
• Engine - Add Filter Sync by @NahuFigueroa97 in #35613
• Persist VD first-sync state in table_metadata by @anromerom in #35590
• Merge branch '4.14.5' into '4.14.6' by @jotacarma90 in #35655
• Normalize stateless check fields by @AnDumu in #35404
• Fix token validation race condition after revoke by @javiersanchz in #35218
• unify sandbox and trace into a single static parameter in policy creation by @LucioDonda in #35541
• Flush feed RocksDB memtable before marking feed ready on download completion by @Nicogp in #35639
• Remove unused SSL/TLS transport option from cluster by @vikman90 in #35648
• Fix WUA hotfix collection regression in Windows Agent v5.0.0 by @nbertoldo in #35662
• Handle stop signal during vulnerability feed download by @fcontrerasc in #35657
• Bump main branch by @wazuhci in #35699
• Revert "Merge pull request #35699 from wazuh/enhancement/wqa35624-bum… by @TomasTurina in #35700
• Emit WCS-aligned JSON for agent-start and buffer-status events by @lchico in #35671
• Support revert bump by @TomasTurina in #35660
• wazuh-engine: add retention policies for streamlog module by @matigarciadev in #35565
• Support revert bump by @jotacarma90 in #35714
• Merge 4.14.6 into main by @TomasTurina in #35705
• Fix rootcheck and security API IT by @TomasTurina in #35722
• Improve Active Response Custom Script Documentation by @nbertoldo in #35723
• Update GDPR control mappings in SCA rulesets by @Johnng007 in #35711
• Fix flaky API IT by @TomasTurina in #35724
• Fix agents API IT by @TomasTurina in #35746
• wazuh-engine: Improve graceful shutdown (fast shudown) by @juliancnn in #35585
• Remove legacy unclassified category by @jam300 in #35542
• Fix SCA YAML size drift + missing workflow path triggers by @jr0me in #35748
• Add cluster validations by @TomasTurina in #35757
• Prevent agent.host.ip from being silently dropped when agent IP is empty by @jotacarma90 in #35475
• Apply register_configure_agent.sh on reinstall after apt-get remove by @Miguevrgo in #35727
• Directory layout improvement by @jepalfer in #35622
• Improve message handling robustness in wazuh-remoted by @vikman90 in #35773
• Fix stale generated headers after clean by @jr0me in #35777
• Fix agent 5x sends trailing null byte 0 in messages by @jr0me in #35658
• Impro...

Manager

Fixed

• Fixed DAPI callable resolution to restrict invocations to exposed resources only. (#34889)
• Fixed uncontrolled memory allocation in cluster caused by crafted packet length. (#35173) (#35412)
• Fixed rate limit bypass for the /events endpoint. (#35077)
• Fixed buffer overflow in analysisd regex match processing. (#35106)
• Fixed path traversal in authd via agent group name validation. (#35230)
• Fixed size_t underflow in remoted ReadSecMSG causing potential heap overflow. (#35193)
• Fixed RBAC bypass in DAPI allowing privilege escalation. (#35307)
• Fixed analysisd plugin decoder argument alignment. (#35176)

Agent

Fixed

• Fixed rootcheck false positive for /dev/.blkid.tab. (#34734)
• Fixed ORDER_REVERSAL deadlocks in FIM. (#34735)
• Fixed Roundcube decoder regex to prevent srcip truncation in "Failed login ... in session" logs. (#34793)
• Fixed macOS Ventura SCA policy incorrectly passing pmset checks. (#34693)
• Fixed Office365 integration pagination by trimming HTTP header values. (#34673)
• Fixed FIM false positives caused by double readdir check. (#34880)
• Fixed audit log cache overflow for events with many records in logcollector. (#35285)
• Fixed daily marker for GuardDuty log collector. (#35110)
• Fixed rootcheck not generating findings. (#35297)
• Fixed heap buffer overflow in syscheck Registry Wildcard Expansion. (#35287)

Changed

• Changed RHEL init script with SUSE variant on SLES 11. (#34563)
• Changed service check from WMI to sc.exe. (#34543)
• Changed windows syscollector to include command arguments. (#34727)

RESTful API

Fixed

• Fixed allow_higher_versions validation in API upload_configuration. (#34905)
• Fixed nested JSON depth limit in API request processing. (#35224)
• Fixed upload size limit config mismatch. (#35141)

Ruleset

Fixed

• Fixed bug in CIS SCA checks 35675 and 35689 for Ubuntu 24.04. (#35088)
• Fixed Dovecot decoders to correctly extract rip and lip fields. (#35089)

Other

Changed

• Updated dependencies cryptography to 46.0.5, Werkzeug to 3.1.6, pip to 26.0.1 and wheel to 0.46.3. (#34907)
• Updated embedded Python to 3.10.20 and dependencies pyjwt, pyasn1. (#35135)
• Updated dependencies cryptography, requests. (#35331)

Manager

Added

• Added cluster-by-default deployment model: all Wazuh Server installations now run as a cluster node, removing the distinction between clustered and non-clustered deployments. The cluster.disabled configuration option has been removed. (#31295)
• Added stateless metadata enrichment in remoted, centralizing event metadata handling for stateless messages and removing the dependency on wazuh-db for that ingestion path. (#33269)
• Added Engine enrichment support: IOC matching, GeoIP lookup, and event filters. (#33493)
• Added Engine adaptation tier 2: raw archives handling, uncategorized event routing, input-level throttling, and internal metrics exposure. (#34477)
• Added Wazuh Instance Registration status to reflect CTI access_token availability (Pending, Polling, Denied, Available), allowing the Dashboard to query the subscription state. (#31906)

Changed

• Upgraded embedded Python interpreter from 3.10 to 3.12. (#33377) (#33570)
• Adapted Vulnerability Detector input pipeline to the new Wazuh 5.0 synchronization algorithm, covering first-scan, inventory-change, and feed-update scenarios. (#30535)
• Revamped Role-Based Access Control (RBAC) management and introduced an upgrade mechanism for existing RBAC configurations. (#27706)
• Removed legacy configuration surfaces, database schemas, build targets, and compatibility layers in the second server cleanup phase. (#34608)

Removed

• Removed Filebeat as the log-shipping component; event forwarding now uses native Wazuh server connectivity to the Wazuh Indexer via indexer-connector. (#33124)
• Removed deprecated manager daemons: ossec-authd, wazuh-agentlessd, wazuh-maild, wazuh-dbd. (#30922)
• Removed deprecated C CLI tools: manage_agents, agent-auth. (#30924)
• Removed OpenSCAP server-side module. (#31028)
• Removed inventory-related API endpoints. (#31299)
• Removed legacy API security configuration endpoints. (#28425)

Fixed

• Fixed Vulnerability Detector version matcher logic for improved detection accuracy. (#31746)
• Fixed Cloudtrail log ingestion parsing errors. (#33108)

Agent

Added

• Added local state persistence for agent modules (FIM, System Inventory, SCA), removing the dependency on rsync with the Wazuh Server and reducing network traffic and server-side processing overhead. (#29533) (#31838)

Changed

• Changed the Wazuh Manager installation path to /var/wazuh-manager (replacing /var/ossec) and removed agent ID 000, fully decoupling agent and manager processes on shared hosts. (#33378)
• Changed Vulnerability Detection to use the Wazuh Indexer as the sole authoritative CVE data source, removing direct CTI network access from the agent-side Vulnerability Detector. (#34849)
• Adjusted agent-side Vulnerability Detector inventory emission and synchronization (OS, packages, hotfixes) to align with the updated VD behavior in Wazuh 5.0. (#33199)
• Simplified rootcheck: removed the server-side database, sync path, and API surface; findings are now indexed through the standard alert pipeline. (#31478)
• Updated logcollector file-tailing initial read strategy for more consistent behavior across log rotation scenarios. (#33382)
• Updated Windows Event Channel log collection to emit native XML from EvtRender() without an XML declaration header. (#34462)
• Increased default limits for agent event throughput and inventory message sizes. (#35330)

Removed

• Removed deprecated agent binaries and legacy modules as part of the Wazuh 5.0 agent cleanup. (#30435)
• Removed NSIS-based Windows agent installer; Windows agent now ships exclusively as an MSI package. (#31582)

Fixed

• Fixed FIM checksum calculation that was incorrectly ignoring some file fields. (#29668)
• Fixed syscollector reporting duplicate and bogus packages on macOS arm64. (#30513)
• Fixed agent_control not displaying agent status information. (#32915)
• Fixed SCA handling of invalid operators and missing values in regex patterns. (#35071)
• Fixed agent modules initializing before agent metadata was fully ready. (#35156)
• Fixed FIM inventory reporting file modification time as 1970-01-01. (#35162)
• Fixed agent automatic reload failing after receiving centralized configuration. (#35169)
• Fixed syscollector false positive package detection on macOS. (#35248)

Manager

Fixed

• Fixed heap-based null WRITE Buffer Underflows. (34658)

Agent

Fixed

• Fixed MS Graph default rules not triggering properly. (#34240)
• Unified date formats in Active Response logs to ensure consistent timestamp formatting. (#34473)
• Updated Docker integration rules to improve detection coverage and compatibility. (#34376)
• Fixed heap-based NULL write buffer underflow in GetAlertData. (#34501)
• Retained MSI installer log after Windows agent upgrade to improve troubleshooting visibility. (#34517)
• Fixed incorrect Windows 11 edition detection after upgrading the agent to version 4.14.3. (#34530)
• Fixed macOS agent crash during syscollector reload caused by invalid pthread_cond_destroy() usage. (#34274)
• Fixed Windows OS edition detection. (34540)
• Fix pthread_mutex_destroy invalid argument error on AIX in syscollector. (#34900)

Changed

• Changed msi_output extension from txt to log. (34541)
• Changed to unsigned char in print_hex_string. (34602)
• Changed sync primitive disposal to stop and soften teardown failures. (34552)

RESTful API

Fixed

• Fixed timestamps in the /agents/upgrade_result endpoint to return accurate UTC time. (#34176)
• Improved cluster file synchronization path handling by adding safe path joins. (#34464)
• Fixed API login race condition- (34459)

Other

Changed

• Updated the azure-core dependency to 1.38.0 and the Werkzeug dependency to 3.1.5. (#34154)
• Updated the protobuf dependency to 5.29.6 and the python-multipart dependency to 0.0.22. (#34403)

Manager

Fixed

• Scaped document ID when necessary before sending document to indexer. (#33464)
• Extended timestamp conversion helpers to support additional input formats and normalize ISO8601 strings. (#33551)
• Restricted cluster file transfer write paths. (#33705)
• Hardened cluster deserialization by restricting callable decoding to Wazuh modules and improving error handling. (#33910)
• Added query size checks for syscollector delta sync SQL generation to prevent buffer overflows. (#33803)
• Replaced unsafe sprintf calls in the SCA decoder to prevent buffer overflows. (#33756)
• Fixed a memory leak in the CIS-CAT decoder when database operations fail. (#33739)
• Fixed ruleset hot reload on workers by awaiting send_reload_ruleset_msg. (#34184)

Agent

Added

• Added hostname and architecture metadata to Windows keep-alive messages. (#33831)

Fixed

• Fixed UTF-16 casting when updating report_changes. (#33495)
• Improved Active Response key handling in wazuh-execd. (#33665)
• Added bounds checking to Logcollector max-size configuration serialization. (#33704)
• Hardened Logcollector multiline backup handling to use full-buffer copies. (#33926)
• Fixed label formatting edge cases in keep-alive notify messages. (#33708)
• Fixed a false positive in vulnerability detection for Oracle Linux 8. (#33583)
• Extended Windows network path restrictions to block extended-length UNC paths. (#34115)
• Fixed crash in network path detection on Windows. (#34162)
• Fixed Agent reload failure on Linux systems with systemd version 219 or lower. (#34064)

RESTful API

Changed

• Improved authentication performance by caching generated keypairs and clearing the cache when key files change. (#33702)

Fixed

• Improved configuration upload validation by parsing and comparing Wazuh XML configurations more reliably. (#33683)
• Fixed protected settings checks when multiple <ossec_config> blocks are present. (#33807)

Ruleset

Added

• Added a CIS SCA policy for macOS 26 Tahoe. (#33492)

Fixed

• Fixed SCA policy execution on Windows Server 2019 by using the correct PowerShell path. (#34141)

Other

Changed

• Updated the werkzeug dependency to 3.1.4. (#33569)
• Updated the urllib3 dependency to 2.6.3. (#33927)

Manager

Fixed

• Prevented Azure Log Analytics bookmarks from being overwritten across similar configurations. (#33046)
• Fixed discrepancy in the API certificate files. (#33330)
• Made analysisd ruleset reload endpoints fully asynchronous to avoid blocking the API event loop. (#33589)
• Improved analysisd ruleset hot reload performance. (#33580)
• Avoided using systemctl in restart scripts when systemd is not running as PID 1. (#33602)

Agent

Added

• Added detection of the -a never,task Audit rule in FIM whodata for Linux. (#33313)

Fixed

• Fixed Windows agent remote upgrade (WPK) when installed in a custom directory. (#33171)
• Fixed a package issue causing upgrades to fail when the shared directory contained subdirectories. (#33182)
• Fixed FIM issue preventing whodata from working on systems with /var and /etc mounted on different volumes. (#33270)
• Optimized user and group inventory performance in Syscollector on Windows Domain Controllers. (#33322)
• Fixed an agent bug that prevented directories from being received in the remote configuration. (#33227)
• Silenced agent log message about failing to connect to Active Response when it is disabled. (#33343)

Ruleset

Added

• Added SCA Policy for Microsoft Windows Server 2025. (#32856)

Changed

• Fixed bug in multiple macOS SCA checks. (#33202)

Fixed

• Fixed indentation issue in the SCA policy for Windows 10 Enterprise that prevented its execution. (#33361)

Other

Changed

• Upgraded the starlette dependency to 0.49.1. (#33069)

Manager

Added

• Added IAM role support for VPC flow logs in the AWS wodle. (#32009)
• Added support for static and temporary AWS credentials in the Amazon Security Lake subscriber. (#32514)

Changed

• Optimized wazuh-db startup by executing agent schema creation in a single transaction. (#32401)
• Improved vulnerabilities index upgrade with hash-based mapping validation, automatic safe reindex, and backup cleanup. (#32463)
• Improved C++ logging mechanism to avoid unnecessary heap allocations. (#32069)
• Improved IndexerConnector error handling and response parsing to provide structured logging of 4xx/5xx errors. (#32521)
• Reduced default verbosity of wazuh-authd when handling invalid connections. (#32525)
• Remoted now reads internal options at process startup. (#32697)

Fixed

• Fixed manager vulnerability scan not triggering due to incorrect syscollector event provider topic name. (#32045)
• Fixed IndexerConnector abuse control to prevent data loss on failed syncs. (#32787)
• Fixed user tag handling by adding 'user' as an alias for the 'dstuser' static field. (#32107)
• Fixed JSON validation issues in Analysisd and SCA components. (#32057)
• Fixed a bug in Vulnerability Scanner where the DB offset was updated even in error cases. (#32829)

Agent

Added

• Added support for Homebrew 2.0+ in IT Hygiene for macOS. (#32746)

Changed

• Changed how the fim_check_ignore function works in case of negative regex cases. (#31080)
• Changed how null values for hotfixes are handled in the Windows agent. (#31375)
• Improved service shutdown procedure. (#32874)

Fixed

• Fixed indefinite waiting in FIM whodata health check. (#32383)
• Fixed graceful shutdown in FIM. (#31241)
• SHA256 of commands is now verified on every execution. (#32049)
• Fixed duplicate <ca_store> configuration block during RPM package upgrades. (#32528)
• Fixed a bug that prevented overwriting <registry_limit> or <file_limit> options from remote configuration. (#31144)
• Fixed a bug in Logcollector that prevented following symlinks when resolving wildcarded files. (#29853)
• Unified detection logs for wildcarded files in Logcollector. (#31222)
• Fixed a bug in FIM that did not recognize Registry keys unless they were UTF-8. (#32027)
• Fixed a bug in Logcollector that ignored all files with <age> filter on Windows. (#32731)
• Reverted IT Hygiene package vendor format on Debian: now includes name and email again. (#32812)
• Fixed a bug in IT Hygiene that reported duplicated Edge browser extensions. (#32785)
• Fixed reload of the <labels> block via remote configuration. (#32838)
• Fixed Windows installer to deploy SCA policies for Windows 2022 instead of Windows Server 2025. (#32836)

Ruleset

Changed

• Reworked SCA Policy for Microsoft Windows 10 Enterprise. (#31449)
• Fixed bug in Windows SCA. (#31349)
• Fixed mistaken alert due to expected regex. (#31102)
• Fixed SCA checks in Oracle Linux 9. (#31886)
• Fixed bugs in Windows Server 2016 SCA. (#32509)
• Fixed bugs in PAM decoder. (#32523)
• Fixed MacOS Sequoia SCA scans with errors. (#32480)
• Windows Server 2016 SCA policy not configured correctly. (#32802)

Other

Changed

• Upgraded the starlette dependency to 0.47.2. (#31422)
• Upgraded Python embedded interpreter to 3.10.19. (#32782)
• Updated curl dependency to 8.12.1. (#32900)
• Updated LUA to version 5.4.6. (#32294)
• Updated libarchive to version 3.8.0. (#32294)

Manager

Added

• Added system users and groups to the inventory data. (#30848)
• Added browser extensions and services to the inventory data. (#31614)
• Added IPv6 support to Maltiverse integration. (#31731)

Fixed

• Fixed internal decoder RC startup. (#29663)
• Fixed queue stats RC over wazuh-analysisd. (#29673)
• Fixed race condition in the event queue. (#29672)
• Fixed regexCompile race condition. (#29699)
• Fixed malformed alerts in alerts.log when <group> contains newline characters. (#30653)
• Fixed and improved dpkg version comparison algorithm in Vulnerability Detector. (#31599)

Changed

• Improved databaseFeedManagerTesttool. (#30192)
• Adapted wazuh-maild to RFC5322 standard. (#30793)
• Enhanced the active response endpoint performance. (#31218)

Agent

Added

• Added support for parquet version 2 in AWS Wodle. (#30235)
• Added capability to do a hot configuration reload in Linux agents. (#30797)
• Added support for Amazon Inspector v2. (#31163)
• Added system users and groups to the inventory data. (#30369)
• Added browser extensions to the inventory data. (#805)
• Added services to the inventory data. (#807)
• Added missing AWS regions us-gov-west-1 and us-gov-east-1 to AWS wodle. (#31418)
• Included Windows kernel version information to IT Hygiene. (#32413)

Fixed

• Fixed errors with Azure Graph event fields. (#30831)
• Added the missing "provider" field to the whodata section in syscheckd JSON configuration. (#30877)
• Fixed journald disabled filters when both blocks have no filters. (#31700)
• Fixed whodata FIM compatibility with latest audit versions. (#30215)
• Fixed mismatch between MTU values in database and indexer for Windows agents. (#31875)

Changed

• Improved rootkit error messages to warnings due to future deprecation. (#31640)

RESTful API

Added

• Added syscollector users and groups endpoints. (#30913)
• Added syscollector services and browser_extension endpoints. (#31513)

Fixed

• Fixed secure headers. (#31046)
• Fixed the display of sensitive information for non-privileged users. (#31315)

Ruleset

Added

• Added SCA content for Rocky Linux 10. (#30745)
• Added SCA content for Debian 13. (#31747)

Fixed

• Fixed multiple Rocky Linux SCA checks generating incorrect results. (#29976)
• Fixed missing Check (2.3.7.6) in Windows Server 2019 v2.0.0. (#30173)
• Fixed camel casing in ownCloud ruleset header. (#30276)
• Fixed false positive in check 2.3.3.2 of macOS 13, 14, and 15 SCA. (#30489)
• Fixed bug in rule 92657. (#30529)
• Fixed field names in Office 365 rules. (#30528)
• Fixed action field in Fortigate rules. (#30515)
• Fixed Auditd EXECVE sibling Decoders. (#30612)
• Fixed problems with other Windows OS languages except English. (#31227)
• Reworked SCA Policy for Debian Linux 12. (#30717)
• Fixed missing comma in 0393-fortiauth_rules.xml. (#32025)
• Fixed Windows sca user account checks. (#32102)
• Fixed inaccuracies in Ubuntu 2404 sca policy. (#32106)
• Fixed incorrect service name in Ubuntu firewall service check. (#32143)

Other

Changed

• Updated packaging dependency to 25.0. (#31272)
• Updated requests to version 2.32.4. (#30536)
• Updated urllib3 to version 2.5.0 and protobuf to version 5.29.5. (#30624)
• Upgraded Python embedded interpreter to 3.10.18. (#30916)
• Updated OpenSSL to 3.0.15 and cpp-httplib to v0.25.0. (#31779)
• Updated SQLite dependency to version 3.50.4. (#29586)

There are no changes in this release.