6.7.1 Appliance

Released June 3, 2026.

Updates

Security

• Strengthened input validation on API endpoints to enforce stricter limits and format checks on all user-supplied data, improving overall security and data integrity.

• Addressed an issue in which rate limiting on Application Discovery analysis was bypassed, potentially allowing excessive resource usage.

• Improved security for OAUTH-based identity provider integrations by ensuring sensitive credentials are handled entirely on the server.

• Added mitigations for the Copy.Fail (CVE‑2026‑31431) and Dirty Frag (CVE‑2026‑43284, CVE‑2026‑43500) vulnerabilities. See the related knowledge base articles for more information:

  • Security Advisory: CVE‑2026‑31431 Affecting AppGate ZTNA Appliances

  • Security Advisory: CVE‑2026‑43284 and CVE‑2026‑43500 Affecting AppGate ZTNA Appliances

• Added mitigations for the ssh-keysign-pwn (CVE-2026-46333) vulnerability.

Collective Replication

• Replication progress is now shown in the admin UI.

• Addressed an issue where error details were not shown in the Collective Replication summary.

• Port 8443 no longer needs to be opened up between the replication source and replication target. Instead, Port 443 must be allowed in the firewall, but this traffic is SPA-protected.

• Improved Collective Replication registration failure handling.

• The Reset Key option was renamed to Disconnect in the Replication Source page.

• Improved how warning messages are displayed in the Replication Summary.

• You can now clone and delete replication targets.

• You can now add or remove tags from more than one replication target at a time.

• Fixed an issue where tags were not set to read-only when Collective Replication was disconnected and re-connected.

• Collective Replication now handles CA-renewal on the source Collective.

• Access tokens are now refreshed every seven days.

• When registering a replication source in the target Collective, a confirmation modal now verifies the correct source Collective address.

Admin UI

• An admin message is now generated when admin APIs are used with a load balancer.

• Fixed an issue where the inactivity timeout confirmation modal was displayed after the timeout was reached.

• Reverted a change made in 6.7.0 related to downloading appliance logs. Log downloads are once again streamed.

Audit Logging

• The logging interval of configuration mismatch has been reduced to every 24 hours.

• For strict compliance scenarios, you can now enable TCP Forwarding in the LogForwarder to use the WolfSSL library for TLS destinations using a cz-config command. This also emits an audit event to record TLS handshake failures.

Licenses

• Fixed an issue where a license appeared as expired when it still had one day left.

Name Resolving

• Fixed Google Cloud Platform resolver variable substitution issue during cache refresh.

NAT Traversal

• Resolved an issue where changes to an appliance certificate were not fully applied when NAT Traversal is set up in a Collective.

• Fixed an issue where the clients and Gateways used the TLS port instead of the STUN/QUIC port for STUN connections to the Connection Broker. Each STUN-client now receives the correct URI and associated signal channel details.

• Fixed an issue where validation errors were not properly displayed in the Connection Broker appliance configuration.

Portal

• Addressed an issue where the Portal went into a redirect loop under certain circumstances.

Secrets

• Addressed an issue in which a change introduced in 6.6.0 caused script integrations to break by an unintended forced change to secrets included in scripts.

Stability

• Fixed issues in the VPN service where lengthy user unsubscriptions (over 10 seconds) or frequent configuration reloads caused a crash, forcing connected clients to reconnect.

• Fixed an issue in which the Gateway could become unresponsive in environments with a high volume of simultaneous user logins, causing new login attempts to fail with a "connection refused" error.

• Addressed an issue in which user sessions were shown as active when they were no longer connected.

• Fixed an issue where resource queries on Gateways could fail with an unexpected error, potentially preventing users from accessing resources through their assigned Sites.

• Resolved an issue where active session details contained duplicate subnet entries in firewall rules in the entitlements tab.

• When license allocation is over 95%, a warning message will appear in the Appliance Status column and in Appliance Health Details.

• Fixed an issue in which the Controller started having database issues after a certain amount of use.

ZTP

• Fixed an issue where an entity received duplicate tags because the same tag appeared in both the create privileges' default tags and the entity being created.

• When saving the Secret Key in the ZTP Settings page, the confirmation modal now displays the source collective.