6.4.0
Platform 6.4.0 is a minor release featuring critical security updates, performance improvements, and new capabilities across Operations Manager, Studio, and Platform infrastructure. This release addresses customer-reported issues and introduces enhancements to improve user experience and system reliability.
For an overview of the key features in this release, see the Platform 6.4.0 feature announcement.
Enhancements (15)
| Component | Feature | Description |
|---|---|---|
| Gateway | Gateway runCode method (ENG-19351) | Implemented runCode method in Gateway Manager for executing custom code through gateway integrations. |
| Gateway | Gateway runCode RPC (ENG-19350) | Added runCode RPC endpoint in Gateway5 for remote code execution capabilities. |
| Gateway | Proxy logic for integration worker (ENG-21997) | Modified Integration worker to support proxy logic, enabling more flexible network configurations. |
| Operations Manager | Audit events for CRUD operations (ENG-22043) | Added audit events for CRUD operations in their respective management applications. |
| Operations Manager | Execution ancestry implementation (ENG-22441) | Implemented execution ancestry tracking to provide better visibility into job and task relationships across the platform. |
| Operations Manager | Job duration toggle (ENG-19459) | Added job duration toggle option in Operations Manager Jobs Table View, allowing users to customize displayed metrics. |
| Operations Manager | Job execution path visibility (ENG-18253) | Enhanced Operations Manager with improved job execution path visualization, making it easier to trace and debug workflow executions. |
| Operations Manager | Task details panel resize (ENG-22691) | Added support for resizing the task details panel manually, allowing for a larger view of the code editor within the panel. |
| Platform | Itential Academy URL update (ENG-21935) | Updated the URL of Itential Academy in Platform from Learn Upon to the new Itential Academy portal. |
| Studio | Auto-generated key name visibility (ENG-22753) | Improved visibility of auto-generated key names when a form field label contains transformed characters such as spaces or hyphens. The Custom Key radio/text input has been replaced with a text input that displays the auto-generated key as its default value, with a tooltip describing its purpose. Applies to Checkbox, Text, Textarea, Number, Dropdown, Container, Table, and File Upload fields. |
| Studio | Code task template (ENG-19352) | Added code task template in Studio to streamline creation of custom code execution tasks. |
| Studio | Inline query on task input (ENG-22503) | Added support for configuring inline queries on task inputs when data comes from jobs or previous tasks. |
| Studio | Task focus indicators (ENG-18800) | Implemented visual focus indicators for tasks, improving accessibility and navigation in workflow canvas. |
| Workflow Engine | Execution ancestry deduplication (ENG-23188) | Fixed an issue where duplicate execution ancestry records could be inserted into the execution_nodes collection. |
| Workflow Engine | Inline query support (ENG-22689) | Added inline query support to Workflow Engine task variable resolution. |
Bug fixes (36)
| Component | Feature | Description |
|---|---|---|
| Integration | OAuth integration models (ENG-20194) | Fixed Integration Models not working with OAuth for Cisco Umbrella integrations. |
| Operations Manager | Actionable tasks CPU thrashing (ENG-22418) | Improved query performance on getting Actionable Tasks in Operations Manager to prevent CPU thrashing. |
| Operations Manager | Warning for automation write groups (ENG-1765) | Added warning message when assigning write groups to automation to prevent permission issues. |
| Operations Manager | Manual task retry (ENG-14413) | Fixed issue where users could not access the manual task dialog to retry adapter tasks. Users no longer see a blank screen element when accessing this functionality. |
| Operations Manager | Tasks stuck in errored state (ENG-19443) | Resolved issue with tasks getting stuck in “Errored” states, improving workflow reliability and error recovery. |
| Operations Manager | Triggers display limit (ENG-22024) | Fixed issue where Operations Manager only showed 10 triggers. Banners no longer cut off the bottom of Operations Manager’s screen. |
| NSO | NSO 6.4.8+ transaction comment support (ENG-22838) | Updated deprecation handling for transaction methods (set_comment, set_label) to maintain compatibility with NSO v6.4.8 and newer releases. |
| Platform | App initialization with role mismatch (ENG-22023) | Fixed issue where app failed to initialize completely when roles inside views did not match the global roles array. |
| Platform | Auto keying JSON forms (ENG-22101) | Implemented auto keying when moving JSON form or template references into projects. |
| Platform | Global search templates (ENG-5894) | Fixed issue where global search was not working for templates and JSON Forms. |
| Platform | MongoDB native calls removal (ENG-20491) | Removed mongo native database calls and switched to using Database package for improved consistency and maintainability. |
| Platform | Node.js security (ENG-22038) | Updated Node.js version to 20.20 to address critical security vulnerabilities in Platform 6.3.3. |
| Platform | Resource model update blocked (ENG-22862) | Fixed an issue where updating a resource model was incorrectly blocked when all existing instances had been deleted via a canceled create action. The instance check now correctly recognizes both completed deletes and canceled creates as deleted states. |
| Platform | Redis master failover (ENG-20713) | Fixed issue where Platform 6 was not reconnecting to the new Redis master node when the actual master failed. |
| Platform | System search regex metacharacters (ENG-22349) | Fixed issue where system search failed when query contained regex metacharacters (e.g. +, *). |
| Platform | Vault startup hang (ENG-18458) | Fixed issue where Vault caused Itential Platform to hang on startup when no network access was available, producing no logs while the health check passed even if the password was bad. |
| Projects | New folder from selected (ENG-4767) | Fixed issue where “New Folder From Selected” failed when selecting from multiple folders in Projects. |
| Projects | Template group concept (ENG-4883) | Resolved issue where Template Group was not properly supported as a concept in Projects. |
| Service Configuration | Configuration descriptions (ENG-19265) | Added support for Service Configuration Descriptions to improve configuration management and documentation. |
| Studio | Canvas search evaluation (ENG-6310) | Fixed issue where canvas search was not finding text in evaluation descriptions. |
| Studio | Canvas task copy/paste references (ENG-22882) | When copying or duplicating a task on the workflow canvas, variable references pointing to tasks outside the new task’s ancestry are now automatically cleared instead of being carried over verbatim from the source, preventing invalid variable bindings on the pasted task. |
| Studio | Deep Merge canvas task (ENG-2623) | Fixed an issue in the Deep Merge canvas task where entering an array value into the static input field did not display a validation error, causing the value to be silently discarded. Also fixed an issue where entering a quoted string (e.g. "hello") would strip the quotes on blur, producing invalid JSON in the editor. |
| Studio | JSON form UI crash (ENG-22554) | Fixed issue where JSON Form UI crashed when populating post body. |
| Studio | JST function replace (ENG-2960) | Fixed missing function for ‘replacement’ parameter in JST function ‘replace’. |
| Studio | JST tabs incorrect data (ENG-22735) | Fixed issue where JST tabs showed incorrect data, ensuring consistent data display across transformation editor tabs. |
| Studio | JST undo/redo dirty state (ENG-1851) | Fixed issue where using undo/redo buttons in the JST editor did not put the UI into a dirty state, causing unsaved changes to go undetected. |
| Studio | MOP template special characters (ENG-7275) | Fixed issue where MOP Templates with special characters in name failed to import. |
| Studio | PHTreeMenu multiple context menus (ENG-9230) | Fixed issue where PHTreeMenu allowed multiple context menus to be open at once. |
| Studio | Schema combination element reordering (ENG-7961) | The “Schema Combination Layout” element is now draggable and reorderable in JSON Forms. Reordering now supports drag-and-drop in both directions (upward and downward). |
| Studio | Schema combinations rendering (ENG-22569) | Fixed issue where multiple schema combinations of the same type rendered incorrectly in form preview. |
| Studio | Swap task icon functionality (ENG-9371) | Fixed issue where swap task icon on task detail card did not work for tasks when required adapters were not installed on the system. |
| Studio | Swap task search bar (ENG-22677) | Fixed issue where Swap Task no longer worked after the search bar in the Swap Task UI had been used twice. |
| Studio | Transformation tab display name (ENG-10756) | Fixed incorrect display name in Transformation tab. |
| Studio | View Data text selection (ENG-23774) | Fixed an issue in the View Data manual task that prevented individual lines of text from being selected. |
| Studio | Workflow import with SLA fields (ENG-23004) | Added support for handling broken workflow payloads when importing workflows with newly added or updated sla or preAutomationTime fields. |
| Workflow Engine | Memory spike in child jobs (ENG-22494) | Addressed unexplained memory spikes in Workflow Engine leading to hung status of tasks, mainly affecting Child Jobs. |
Security fixes (19)
This release includes important security updates that address vulnerabilities in third-party packages and platform components.
| Component | Feature | Description |
|---|---|---|
| NSO | Arbitrary code injection in lodash (Service Management) (ENG-22893) | Updated lodash in app-service_management to resolve Arbitrary Code Injection vulnerability. |
| NSO | Arbitrary code injection in lodash-es (NSO Gateway) (ENG-23370) | Fixed Arbitrary Code Injection security vulnerability in lodash-es. |
| NSO | Confused deputy in axios (NSO Manager) (ENG-22845) | Fixed Unintended Proxy or Intermediary (‘Confused Deputy’) vulnerability in axios for app-nso_manager. |
| NSO | Confused deputy in axios (Service Management) (ENG-22841) | Fixed Unintended Proxy or Intermediary (‘Confused Deputy’) vulnerability in axios for app-service_management. |
| NSO | Cross-site scripting (NSO Manager) (ENG-22489) | Fixed Cross-site Scripting (XSS) vulnerability in app-nso_manager. |
| NSO | HTTP response splitting in axios (NSO Manager) (ENG-23209) | Resolved HTTP Response Splitting vulnerability (CVE-2026-42035) by updating axios to a secure version inside app-nso_manager (SNYK-JS-AXIOS-16298058). |
| NSO | HTTP response splitting in axios (NSO Service Management) (ENG-23353) | Resolved security vulnerabilities (CVE-2026-42264 and CVE-2026-42044) related to request handling by updating axios to a secure version. |
| NSO | Improper neutralization (NSO Manager) (ENG-22488) | Fixed Improper Neutralization vulnerability in app-nso_manager. |
| NSO | Infinite loop (NSO Adapter) (ENG-22486) | Fixed Infinite loop vulnerability in adapter-nso. |
| NSO | Infinite loop (NSO Manager) (ENG-22487) | Fixed Infinite loop vulnerability in app-nso_manager. |
| NSO | Improper index validation in UUID (NSO Manager) (ENG-23442) | Resolved a security vulnerability (CVE-2026-41907) related to improper validation of specified index, position, or offset in input by updating UUID to a secure version inside app-nso_manager. |
| NSO | Prototype pollution (NSO Manager) (ENG-22490) | Fixed Prototype Pollution vulnerability in app-nso_manager. |
| Platform | Arbitrary code injection in lodash (Itential Platform) (ENG-22665) | Updated lodash in Itential Platform to resolve Arbitrary Code Injection vulnerability. |
| Platform | Confused deputy in axios (Itential Platform) (ENG-22619) | Fixed Unintended Proxy or Intermediary (‘Confused Deputy’) vulnerability in axios for Itential Platform. |
| Platform | HTTP response splitting (ENG-23072) | Fixed HTTP Response Splitting vulnerability by updating axios package (SNYK-JS-AXIOS-16298058). |
| Platform | HTTP response splitting in axios (itential-utils) (ENG-23095) | Updated axios in itential-utils to resolve HTTP Response Splitting vulnerability (SNYK-JS-AXIOS-16298058). |
| Platform | Infinite loop in brace-expansion (Itential Platform) (ENG-22281) | Updated brace-expansion package in Itential Platform to resolve Infinite loop vulnerability. |
| Platform | Infinite loop in brace-expansion (itential-utils) (ENG-22132) | Updated brace-expansion package in itential-utils to resolve Infinite loop vulnerability. |
| Platform | XML injection in @xmldom/xmldom (ENG-22666) | Updated @xmldom/xmldom package to resolve XML Injection vulnerability. |