Title
Create new category
Edit page index title
Edit category
Edit link
Release notes
| Version | 5.20.0 |
|---|---|
| Release date | 30 June 2026 |
| Scope | This major version introduces several new features and major enhancements, most notably the integration of the new OPSWAT Alin AI Deflection engine and the Archive Forensics feature, which provides a dedicated storage area for problematic files. System administrators can now leverage an Auto Troubleshooting feature directly from the console to simplify maintenance and diagnostic workflows and Deployment Readiness Tool to pre-verify system environment. Additionally, this version enhances reporting capabilities with SBOM export support for batch scans and customizable export templates. |
- Making sure to check out the Known Limitations.
New Features, Improvements and Enhancements
New Technology: OPSWAT Alin AI Deflection
OPSWAT Alin AI Deflection is an AI-driven, ML-based malware deflection engine. It analyzes the structural and byte-level signals of executable, document, and office files to determine whether a file can be confidently skipped from heavier scanning engines — reducing scan overhead without compromising detection.

Administrators can configure deflection in the Workflow Configuration settings for OPSWAT Alin AI Deflection to define which verdicts trigger deflection and which processing engines are skipped when a file is deflected.

Remote product upgrade through My OPSWAT Central Management
Administrators can now remotely upgrade MetaDefender Core (MD Core) instances directly from My OPSWAT Central Management (MOCM), eliminating the need to log in to each instance individually. This feature is supported on both Windows and Linux.
Note: Remote upgrades require MD Core 5.20.0 or later. You must first manually upgrade each MD Core instance to version 5.20.0. Once an instance is running 5.20.0, all subsequent upgrades can be performed remotely through MOCM.
Auto Troubleshooting — know your MetaDefender Core deployment is healthy at a glance
No more digging through logs or running manual tests to confirm everything is running smoothly. The new Troubleshooting dashboard gives administrators a clear, real-time view of system health in one place.
Issues are surfaced automatically and explained in plain language, so you know exactly what needs attention — and what's just fine as-is. When you want a closer look, a single click runs a deeper analysis on demand.
Spend less time investigating and more time being confident that your deployment is protected. Spot problems early, resolve them faster, and share results with support in seconds.
Check more details at Auto Troubleshooting.

Archive Forensic
Finding a single problematic file buried inside an archive just got easier. Archive Forensic automatically captures flagged sub-files during archive processing and stores them in a dedicated, secure location — so you can retrieve exactly what you need without sifting through the entire archive.
When enabled per scanning rule, MetaDefender Core preserves child files matching your configured trigger verdicts, encrypts them at rest with AES-256-GCM, and makes them available as password-protected ZIPs. Office documents are smartly skipped to keep your forensic store clean.
View, search, download, and manage your captures anytime: Archive Forensic.

Export Templates for Core Scan Results
Allow user to save export scan result options selection as named, reusable templates for ease of use when exporting scan results. Templates are tied to each user, maximum of 10 templates per user.

MetaDefender Core Deployment Readiness Tool
Wondering if your system is ready to install or upgrade MetaDefender Core? The new Deployment Readiness tool gives you an instant answer — no more manually cross-checking documentation. Just download the single, lightweight binary (no installation needed) and run it.
In one pass, it checks your OS, hardware, dependencies, database, ports, permissions, and potential software conflicts — then produces a clear console summary and a self-contained HTML report you can save or share. It even auto-detects your engine count and product configuration, and keeps its requirements up to date automatically from OPSWAT servers.
Available for both Windows and Linux: Download
Under MetaDefender Core / MetaDefender Core Deployment Readiness Tool

Example of HTML report

Further Enhancements
1) SSO Support Behind SSL-Terminating Reverse Proxies
Added support for the X-Forwarded-Proto header to improve SSO compatibility with deployments where SSL/TLS is terminated by a reverse proxy. MD Core now correctly detects the original request protocol when generating SSO redirects.
2) SBOM and Vulnerability Assessment reporting enhancements
Reporting coverage has been extended for software bill-of-materials (SBOM) and Vulnerability Assessment data.
- SBOM export (PDF) is now supported for batch scans.
- Vulnerability Assessment details are now included in exported reports (PDF) for subfiles within an archive scan.


3) Sanitized file size added to logs
The size of a file after sanitization is now recorded in the logs, improving traceability, auditing, and operational visibility when sanitization occurs.
4) AI Content Inspector output folder included in storage monitoring
The dedicated folder that the AI Content Inspector uses to store output images is now included in the storage-folder monitoring feature, so its disk usage is visible on the dashboard alongside other monitored storage.
5) My OPSWAT Central Management integration enhancements
- Newly enrolled MetaDefender Core (MD Core) instances now synchronize to their assigned set and pull engine and definition updates immediately upon registration with My OPSWAT Central Management (MOCM).
- The last MOCM sync time is now written to the MD Core logs instead of the configuration history.
6) Configure Log Rotation from the Web Console
Managing log retention no longer means editing config files. You can now control how MetaDefender Core handles logging directly from the web console — set the maximum log file size, choose your rotation interval, and define how many rotated files to keep. Tune your logging to fit your storage and compliance needs in just a few clicks.
7) Test Your Email Server Configuration
No more guessing whether your SMTP settings are correct. Under Settings > Network > Email, you can now send a test email directly from MetaDefender Core to verify your server configuration in seconds.
8) Configurable Syslog Facility
You can now tag MetaDefender Core syslog messages with a specific facility, making it easier for your SIEM, Splunk, or rsyslog server to route, filter, and retain Core logs separately from other applications. Set it under Settings → Logging → General, under Log format.
Most users can leave this alone — the default (daemon) keeps the same behavior as before. Change it only if your security or operations team asks Core logs to carry a specific category (commonly local0–local7). Changes take effect immediately, with no service restart required, and a single facility applies to all syslog output across both remote (UDP/TCP/TLS) and local syslog.
9) Multiple Schedules per Report
You're no longer limited to a single schedule per report. MetaDefender Core now lets you configure up to three scheduled times for each report type — so you can, for example, send a weekly History report every Monday morning and a monthly summary on the 1st. Set each schedule's timing, time range, and verdicts independently to match the way your team actually consumes reports.
10) Richer Report Columns
Scheduled reports and manual Processing History exports now include six new columns — Threat Found, Total AVS Engines, Threat Detected By, File Size (KB), Threats, and Metadata — giving you deeper insight into every scan. Columns are also reordered to group related fields logically (scan timing, threat details, and file metadata together).
11) Usage Reporting
With Usage Reporting enabled, MetaDefender Core shares anonymous usage metrics with OPSWAT — giving us the insight to improve performance, prioritize the features you rely on, and deliver a better overall experience.
We only collect neutral operational data. No sensitive information, no file contents, no personal data — ever. You stay in control and can enable or disable reporting at any time.
Security Enhancements
- Fixed an authentication bypass vulnerability that could allow an attacker to impersonate a user by using a valid SAML response.
- Added a limit on the number of parts accepted in
multipart/form-datarequest bodies to improve request handling and security. - Fixed an XML External Entity (XXE) injection vulnerability in the SAML response XML parser,
- Fixed an operating-system command injection vulnerability caused by unsanitized command-line arguments passed to popen().
- Fixed a postMessage origin-validation bypass in the management console caused by endsWith suffix confusion during origin checks.
- Upgraded 3rd party libraries:
- 7z v26.02
- OpenSSL v3.5.7
- NGINX v1.30.3
Bug Fixes
- Fixed a heap-corruption crash in the engine process that could occur when engines were repeatedly disabled and enabled over an extended period.
- Fixed an issue where an engine's
maximum_thread_countand a custom parallel count was not enforced at runtime, so the engine remained capped at the default limit even when configured higher. - Fixed an issue where password-protected documents failed when "Block unsupported file types" was enabled in Deep CDR during split-archive processing.
- Fixed an issue where scan-result tab names were truncated when the tab bar overflowed.
- Fixed an issue where a temporary file created by the AI Content Inspector was not deleted after a scan request was canceled.
Microsoft Visual C++ Redistributable version 14.44 or later is required for version 8.0 of the following modules: File Type, Archive Extraction, Archive Compression, Country of Origin, and Deep CDR.
Known Limitations
| Kubernetes v1.35 or containerd v2.2.0 could not deploy MetaDefender Core images | This issue is a bug of Until the vendor provides a fix, use one of the following mitigations:
More details at Unable to deploy MetaDefender Core in Kubernetes with containerd engine 2.2.x |
| Slow or Inaccessible Management Console | This issue has been resolved in version 5.13.2 In version 5.12.0, an issue was identified that caused some APIs to load more slowly than expected. As a result, the Web Management Console might experience slower performance or become unresponsive Please read more details on this page: Slow or Inaccessible Management Console. |
| The 'Proxy server requires password' setting cannot be disabled once it has been enabled | This issue has been resolved in version 5.14.2. In version 5.14.1, there was an issue that prevented disabling the |
| Database connection failure occurred in a specific circumstance after upgrading to version 5.11.0 | This issue has been resolved in version 5.11.1. This issue does not affect all cases when upgrading to version 5.11.0. After applying the authentication method
We prepare a Knowledge Base (KB) for troubleshooting the issue and bringing the system back online: How to troubleshoot an error related to connection to database failing after an upgrade to v5.11.0? The issue will not occur in the following scenarios:
|
| Archive compression may fail with very large archive files that contain a large number of subfiles | This issue has been addressed in version 5.14.0. MetaDefender Core has a limitation when compressing very large archive files that contain a high number of subfiles. In our test scenario, it failed when processing an archive with 300,000 or more subfiles. |
| Reuse processing result by hash might be slow in high-load situations | This issue has been resolved in version 5.10.1. Since its introduction in version 5.8.0, this feature has helped improve overall performance and reduce significant load when processing similar files. However, we have realized this feature might run slowly in high-load scenarios against large database sizes. |
| Temporary files in the resource folder may not be properly cleaned up if the Archive Extraction engine crashes | Starting from MetaDefender Core version 5.10.1, if the Archive Extraction engine crashes, temporary files from specific extraction transactions may not be properly cleaned up. However, this issue is relatively rare. |
| Reject importing non-empty required_engines setting in containerized environments | This issue occurs only in containerized environments. If the config zip file includes non-empty required_engines setting, MetaDefender Core will reject the import. Workaround:
|
| The Engine Update feature may not work as expected in certain environments | We have observed that the Engine Update feature may not work properly in an environment protected by a Palo Alto firewall. In the log file, you might find the error message ' If upgrading to the latest version of MetaDefender Core does not solve the issue, please consider setting up MetaDefender Update Downloader product. This product is responsible for downloading engines, and MetaDefender Core will retrieve and update its engines from there. |
| Stability issues on Red Hat / CentOS systems with kernel version 372.13 | MetaDefender Core version 5.2.1 or later may not function correctly with Red Hat or CentOS operating systems that use kernel 372.13. Red Hat is addressing the kernel issues. Please try upgrading to kernel version 372.26. |
| PostgreSQL and MetaDefender Core services cannot initialize in certain containerized environments | This issue was addressed in version 5.11.1. In a containerized environment, MetaDefender Core version 5.2.0 or newer may work properly when:
Workarounds for older versions:
|
| MetaDefender Core's NGINX web server will not start if weak cipher suites are used for HTTPS | On MetaDefender Core version 5.2.0 and later, OpenSSL 1.x has been replaced by OpenSSL 3.x within the product and its dependencies, including PostgreSQL and NGINX, to enhance security and address known vulnerabilities in OpenSSL 1.x. However, NGINX's implementation of OpenSSL 3.x in MetaDefender Core enforces strong encryption by rejecting all weak cipher suites. It only accepts "HIGH" encryption cipher suites as defined by OpenSSL https://www.openssl.org/docs/man1.1.1/man1/ciphers.html. This means ciphers based on MD5 and SHA1 hashing are no longer supported. Consequently, if you previously configured MetaDefender Core for HTTPS connections using a weak SSL cipher with your certificate, the service will not start due to NGINX's OpenSSL 3.x security enforcement. To prevent and remediate the issue before upgrading MetaDefender Core, please refer to the following resources: HTTPS Failure on MetaDefender Core 5.2.0 (or newer). |
| TCP socket port exhaustion may cause the service trouble, preventing from restarting, and Workflow configuration corrupted | This issue affected MetaDefender Core (MD Core) version 5.15.0 and earlier and is enhanced starting from version 5.15.1. TCP socket port exhaustion might be triggered by other applications; for example, MetaDefender KIOSK v4.7.6.3514 (fixed in later releases). Consequently, MD Core may behave abnormally, corrupt its Workflow Configuration, and fail to restart. |
| Workflow configuration fails to synchronize from OPSWAT Central Management to MetaDefender Core after creating a new Workflow template | This issue affects MetaDefender Core versions 5.17.0 and 5.17.1. Workflow configuration from OPSWAT Central Management will fail to synchronize to MetaDefender Core (MD Core) once a new Workflow template is created. To restore normal synchronization, the newly created Workflow template must be deleted. As a workaround for creating new templates on these affected MD Core versions, the Clone Workflow Template feature can be used as an alternative. |
| Temporary files may persist if an OPSWAT AI Content Inspector scan is canceled | If a scan is canceled while the OPSWAT AI Content Inspector engine is actively processing, intermediate files may remain in the temporary directory. These files do not affect the current or any subsequent scan results. Resolution: This issue has been fixed in MD Core 5.20.0. Workaround (if you remain on MD Core 5.19.0): The temporary files are automatically removed when the OPSWAT AI Content Inspector engine restarts. |