Release Notes

Version5.13.0
Release date11 March 2026
ScopeFocused on new functionalities, enhancements and bug fixes

Before upgrading MetaDefender ICAP Server to v5.10.0 or newer from v5.6.0 or earlier, make sure you review the Release Notes and the following Documentation:

  1. PostgreSQL Database Deployment Options
  2. Installation Methods
  3. Upgrade to MetaDefender ICAP Server v5.7.0 or newer

New Features, Improvements and Enhancements

Details
Improve capability in handling ICAP messages
  • Enhanced ICAP message handling: Achieved significant performance improvements by doubling the number of ICAP messages processed concurrently, without requiring any changes to existing hardware profiles.
  • Optimized user interface responsiveness: Ensured seamless UI access and interaction even under high load conditions.
  • Reduce the loading of PostgreSQL database by reduce the IO access
Support Advanced Log Configurations on Web Console

Starting with MetaDefender ICAP version 5.13.0, the following advanced log configurations including local time zone, Common Event Format, product logs and syslog settings are supported

This UI configuration is also support for CM10 integration

Enhanced authentication experience

Implemented Single Logout (SLO) support within Single Sign-On (SAML), allowing users to securely end all active sessions across connected applications with a single action, improving both security and convenience

refer to Enable Single Logout

Security Enhancements

Upgraded third-party libraries for improved security:

  • PostgreSQL v16.13
  • OpenSSL v3.4.4
  • Angular v19.2.19
  • gRPC v1.71.1
  • Curl v8.18.0

Applied additional security hardening measures across the product to prevent vulnerabilities and strengthen overall protection.

Usability Improvements

New Configuration Option:

  • CA path support (Linux): Added option global/curlopt_capth to set CA path on Linux, this will enable Docker images running as non-root to instal and use self-sign certitifaces

  • Skip First Start Page: Introduced flag internal/skip_first_start_page to bypass the initial start page, this prevent unnecessary interruptions when Kubernetes PODs are recycled

  • Handle Non-Standard Content-Encoding: Added flag global/skip_non_standard_encoding_preprocess to manage non-standard content-encoding values

    • If a content-encoding type is listed in this flag, the MD ICAP Server will not decode the HTTP body before sending it to MD Core for scanning
    • Example: below ensures that when content-encoding: none is used, the body is passed through without preprocessing
    • global/skip_non_standard_encoding_preprocess = none

  • Limit URL Storage Length: Introduced flag global/store_first_n_characters_url to restrict the number of URL characters stored in the database

    • This will help ensure that sensitive data passed through the URL is not stored in the database

  • Share SSO Configuration [Linux]: Add option internal/sso_cross_instance_enabled to apply a single SSO configuration across all MD ICAP Server instances that use the same Shared Database Mode. This ensures consistency when multiple MD ICAP Server instances are deployed behind a load balancer and accessed via the same URL

More detail, refer to Configuration file

Bug Fixes

Details
Fixed timeout when exporting processing historyResolved a timeout error that occurred during export of large processing histories
Fixed crash when deleting a support package via the UIFixed an edge case where deleting a support package via the UI could cause the service to crash
Minor FixesResolved various UI cosmetic issues and minor fixes

Known Limitations

Details
Proxy ConfigurationCurrently, HTTPS proxy configuration is not supported.
SAML Directory (SSO Integration) Limitations

In v5.5.0, users cannot create a new SAML directory via the web UI.

  • Workaround: Use REST API to create the SAML directory
  • Impact: Existing SAML directories remain unaffected after upgrading to v5.5.0
  • Resolution: Fixed in v5.5.1 and newer
Stability Issues on Red Hat/CentOS (Kernel Version 372)

MetaDefender ICAP Server v5.1.0 or newer may encounter stability issues on Red Hat/CentOS systems running kernel version 372.

Solution: Upgrade to kernel version 425, where Red Hat has resolved this issue.

MetaDefender ICAP Server's NGINX Web Server Fails to Start with Weak Cipher Suites for HTTPS

From v5.1.0, OpenSSL 1.x has been replaced with OpenSSL 3.x — across the product and its dependencies — to enhance security and address vulnerabilities.

As part of this upgrade, NGINX's OpenSSL 3.x in MetaDefender ICAP Server now enforces stricter cipher policies and rejects all weak cipher suites. The web server now only accepts "HIGH" encryption cipher suites https://www.openssl.org/docs/man1.1.1/man1/ciphers.html (MD5 and SHA1 hashing based are also not accepted).

As a result, if you have already configured MetaDefender ICAP Server for HTTPS using a weak SSL cipher with your certificate, the server will not start due to the enforced security policies in NGINX's OpenSSL 3.x.

no_proxy ConfigurationStarting with MetaDefender ICAP Server v5.1.0, the no_proxy setting must support CIDR for IP addresses. For more details, see No Proxy configuration.
TLS Connectivity to MetaDefender Core on Debian

On Debian OS, MetaDefender ICAP Server v5.1.0 requires the two following commands to enable TLS communication with MetaDefender Core:

sudo mkdir -p /etc/pki/tls/certs/

sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

Resolution: Upgrade to MetaDefender ICAP Server v5.1.1, where the issue is resolved.

TLS 1.3 Not Supported on Windows Server 2012TLS 1.3 is not supported on Windows Server 2012 due to limitations with Schannel SSP. Reference
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Archived Release Notes
On This Page
Release NotesNew Features, Improvements and EnhancementsBug FixesKnown Limitations