Release Notes
MetaDefender Managed File Transfer 3.11.3
Release Date: May 2026
MFT 3.11.3 delivers SAML 2.0 SSO support for enterprise identity providers, an HA cluster configuration desktop tool, interactive transfer map visualization, granular folder sharing roles, and over 60 bug fixes and reliability improvements.
New Features & Enhancements
Security
SAML 2.0 SSO Integration
Configure SSO with any SAML 2.0-compliant identity provider alongside existing OIDC, extending enterprise authentication compatibility to EntraID, Okta, and other SAML-based IdPs.
Email-Based OTP Authentication
Configure email-delivered one-time passwords as a secondary MFA factor, supporting users without SMS or authenticator apps.
- Up to 5 resend attempts per hour with 1-minute code expiration
- Works alongside existing TOTP and SMS MFA options
Cross-Tenant Entra ID User Mapping
Map users across different Entra ID tenants in MFT-to-MFT deployments, resolving cross-tenant identity mismatches for organizations with separate high-side and low-side directories.
3DES Cipher Removal from TLS
DES-CBC3-SHA (3DES) is removed from the default non-FIPS nginx configuration, eliminating the SWEET32 vulnerability (CVE-2016-2183) without requiring manual customer changes.
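The check below is an added example, not code from the product or its installer. It audits nginx `ssl_ciphers` directives, such as ones in customized or pre-upgrade configurations, for elements that still enable 3DES. The sample configurations are constructed. Group aliases it reports should be expanded with `openssl ciphers -v` on the host, because their contents depend on the OpenSSL build.

```python
import re

# An OpenSSL cipher-string element that selects Triple-DES, e.g.
# "DES-CBC3-SHA", "ECDHE-RSA-DES-CBC3-SHA", "3DES" or "kRSA+3DES".
TRIPLE_DES = re.compile(r"(?:^|[-+])(?:3DES|DES-CBC3)(?:[-+]|$)", re.I)
# Group aliases whose expansion can include 3DES, depending on the OpenSSL build.
ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM"}
# Uncommented ssl_ciphers directives only.
DIRECTIVE = re.compile(r"^[ \t]*ssl_ciphers\s+([^;]+);", re.M)


def audit_cipher_string(value):
    """Return (explicit_3des, aliases_to_expand) for one ssl_ciphers value."""
    explicit, aliases, killed, killed_all = [], [], set(), False
    for element in re.split(r"[:, ]+", value.strip().strip("'\"")):
        if not element:
            continue
        op = element[0] if element[0] in "!-+" else ""
        name = element[len(op):].upper()
        if TRIPLE_DES.search(name):
            if op == "!":    # "!" deletes permanently; later elements cannot re-add
                killed_all = killed_all or name == "3DES"
                killed.add(name)
            elif op == "-":  # "-" deletes, but a later element may re-add
                explicit = [] if name == "3DES" else [e for e in explicit if e != name]
            elif op == "":   # a plain element adds the suite(s)
                explicit.append(name)
            # "+" only reorders suites that are already in the list
        elif op == "" and name in ALIASES:
            aliases.append(name)
    if killed_all:
        return [], []
    return [e for e in explicit if e not in killed], aliases


def audit_nginx_conf(text):
    """Audit every uncommented ssl_ciphers directive in nginx config text."""
    return [audit_cipher_string(m.group(1)) for m in DIRECTIVE.finditer(text)]


# Constructed sample configurations, not taken from the product.
BEFORE = "server {\n  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA:DES-CBC3-SHA;\n}\n"
AFTER = "server {\n  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA:!3DES;\n}\n"
LEGACY = "server {\n  # ssl_ciphers DES-CBC3-SHA;\n  ssl_ciphers 'HIGH:!aNULL:!MD5';\n}\n"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER), ("legacy", LEGACY)):
        print(label, audit_nginx_conf(conf))
```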
User Management
Granular Folder Sharing Roles
Share folders with five distinct roles — Owner, Editor, Downloader, Uploader, and Viewer — for precise control over collaborator permissions beyond the previous binary share model.
Random Password Enforcement for External Users
Enforce automatically generated passwords for External User accounts, keeping passwords hidden from the creating user and delivering them via invite email.
Group Upload Identity Restriction
Configure a per-group toggle to control whether users can upload files as members of that group, removing restricted groups from the upload identity dropdown.
Automation
Q&A Conditional Question Branching in Secure Web Forms
Define conditional questions in upload questionnaires where the answer to one question determines which follow-up questions appear, enabling branching multi-step approval workflows.
Discovered MFT Nomination in Orchestration
Nominate a Discovered MFT as a Destination MFT directly from the Visual Orchestration node action menu, without navigating away from the automation view.
SPOP Jobs in Visual Orchestration
View and filter SPOP Automated Jobs in the Visual Orchestration page with integration details consistent with other job types.
MFT-to-MFT Manual Transfer Mode
Configure MFT-to-MFT connections to hold uploaded files until an administrator manually approves forwarding, enabling controlled transfers in data diode and air-gap environments.
MFT-to-MFT Hash Verification
Enable automatic hash verification on every MFT-to-MFT transfer to confirm data integrity, with mismatches flagged in the audit trail.
MFT-to-MFT Full Destination Sync
Configure MFT-to-MFT connections to sync all existing files to the destination regardless of upload time, giving administrators complete control over the destination content state.
Platform
HA Cluster Configuration Tool
Manage HA Controller cluster members, MFT node connections, and peer settings through a cross-platform desktop UI application, replacing manual JSON configuration editing.
- Connect and configure MFT nodes from a single interface
- Edit peer settings and cluster membership without touching configuration files
- Generate support packages directly from the application
HA Configurator Enhancements
Access the HA Configurator application from the HA Controller installer package, with several usability additions in this release.
- Bundled directly in the installer — no separate deployment step
- Version number displayed in the application footer
- Contextual hints for key configuration settings
- Minimize-to-taskbar support consistent with standard desktop behavior
HA Load Balancer Health Endpoint
Query the public /health/ready endpoint on each MFT node without authentication so load balancers can automatically detect and route to active nodes.
HA Reverse Proxy Port Toggle
Disable the HA Controller reverse proxy port in two-site deployments where the proxy is not needed, reducing the exposed attack surface.
HA Installer Configuration Migration
Migrate HA Controller configuration properties automatically during upgrade, adding required fields while preserving all existing settings.
Administration
Configurable Audit Export Timezone
Export audit logs in the server's configured timezone instead of UTC, aligning exported report timestamps with timestamps displayed in the MFT UI.
Geographic Location in Audit Trails
View City and Country columns in the system Audit Trail, resolved from client IP addresses, for faster event origin identification without manual IP lookups.
IP Location in File Activity Trails
View City and Country columns in the file-level Audit Trail with tooltip details on hover, exported automatically when generating audit reports.
City-Level IP Location Management
Define IP-to-location mappings at city and country granularity using CIDR ranges or IP ranges on the IP Location page, enabling precise geographic identification of file transfer origins.
Minor Enhancements
- Outbreak Prevention Rescan Period Picker — Configure the outbreak prevention rescan period in hours, days, or weeks using a time span picker, removing the need to calculate total minutes manually.
Monitoring
Transfer Map Visualization
Monitor file transfers across all transfer modes on an interactive real-time map, with security status, source/destination details, and directional flows per node pair.
- Real-time security status bar shows totals for clean, blocked, and vulnerable files
- Manual uploads and downloads from the web portal appear as directional flows
- Automation jobs (Push, Pull, MFT-to-MFT, SPOP) display with source, destination, and status
- Filter by security status or transfer direction using dropdown filters
Custom Dashboard Widget Layout
Rearrange, remove, and restore widgets on the System and File Security dashboards using drag-and-drop, with layout changes auto-saved per user and reset-to-default available.
Bug Fixes & Improvements
Security Fixes
Sensitive Credential Exposure
User session tokens and OAuth client secrets are stored and transmitted encrypted, resolving cleartext exposure in logs, the database, and API responses.
Disabled SSO User Login Audit
SSO login attempts by disabled third-party users are blocked and recorded as failed in the audit log.
SFTP Pull RBAC-Filtered Destination Accounts
SFTP Pull to Users jobs list only destination accounts that the configured API key has permission to transfer to.
MFT-to-MFT Group Transfer Permissions
MFT-to-MFT group transfers apply the correct per-file recipient permissions instead of flattening all files to a single permission set.
Restricted Admin Trusted Forwarder Access
Restricted administrators can create, edit, and delete Trusted Forwarder rules in the Security settings.
Restricted Admin Encryption Page Access
Restricted and read-only administrators can access the Encryption settings page.
File Security Report Role-Based Visibility
File Security Report Processing Summary and Security Summary display data correctly for users with the Auditor role.
Non-Admin SSO Configuration Page Access
Users with view-only SSO configuration access can navigate to the SSO settings page without triggering permission errors.
Stability Fixes
Large-Group Unsharing Stability
Unsharing files or folders shared with a large number of users completes without causing MFT service unresponsiveness.
Large File MFT-to-MFT Behind HA Controller
MFT-to-MFT transfers of large files (approximately 1 GiB and above) complete successfully when the destination is behind an HA Controller.
MFT Admin Tools After Upgrade
MFT administrative tools (ConfigureProxy, ChangeProtocol, and others) start and function correctly after upgrade.
MFT-to-MFT Unblock Duplicate Key Error
MFT-to-MFT transfers of admin-unblocked files no longer fail with a unique key constraint database error.
Reliability Improvements
Audit Trail
- HA Controller Audit Log IP Address — Audit log entries record the correct requesting machine IP address instead of 127.0.0.1 when actions are performed from the HA Controller host.
- Audit Log for Classification-Failed Uploads — Files that fail to upload because file classification is missing generate an audit log entry with the failure reason when Enforce File Classification is enabled.
Dashboard
- Dashboard Upload Count on Interrupted Transfer — The System Dashboard upload count correctly reflects completed uploads when transfers are aborted mid-stream.
- Dashboard Vulnerabilities Chart Data — The Dashboard Vulnerabilities chart displays data correctly when vulnerable files have been processed.
- File Security Widgets With Partially Offline Core — File Security Report Processing Summary and Security Summary display correct data when one of multiple configured Cores is offline.
SFTP Pull
- SFTP Pull Skips Inactive User Accounts — SFTP Pull to Users jobs skip inactive user accounts instead of attempting transfers that will fail.
- SFTP Pull to External and Guest Users — SFTP Pull to Users jobs complete correctly when the destination is an External or Guest user account.
- SFTP Pull Ambiguous User Error Message — SFTP Pull jobs display a clear, actionable error when the destination user cannot be uniquely identified.
MFT-to-MFT Integration
- Admin-Unblocked File MFT-to-MFT Transfer — Files manually unblocked by an administrator in an MFT-to-MFT setup with Transfer Allowed Files Only are forwarded to the destination MFT.
- File and Folder Sharing Email Delivery — File and folder sharing notification emails are delivered correctly across all supported upgrade paths.
Orphaned File Transfer Record Cleanup
Empty file transfer records and their associated recipient entries are cleaned up correctly during the file purge cycle.
DFS Share Job Resiliency on Partial Disconnect
DFS Share Mapping jobs continue pulling files from remaining healthy shares when an individual machine's share becomes unavailable mid-job.
Folder Sharing Email with Graph API
Folder sharing notification emails are sent correctly to Outlook recipients when Graph API is the configured notification server.
OCM Registration Uses Instance IP
MFT registers its instance IP address with OPSWAT Central Management instead of the loopback address 127.0.0.1.
Behavior Corrections
MFT-to-MFT
- MFT-to-MFT Config Visible After Upgrade — Bidirectional MFT-to-MFT configuration remains visible in the UI after upgrading from 3.10.2 to 3.11.1 or later.
- Visual Orchestration MFT-to-MFT Disabled State — Visual Orchestration displays a clear warning when the MFT-to-MFT function is disabled, preventing nodes from appearing online when the feature is off.
Authentication
- SSO Credential Error After Upgrade — SSO settings remain editable after upgrading from older MFT versions without triggering false invalid credentials errors.
- Trusted Network Preferred Sign-In Import — Importing MFT configuration correctly restores the preferred sign-in method for Trusted Network rules.
- OCM Default Group Policy on Re-Enrollment — Re-enrolling an MFT instance into the default OPSWAT Central Management group with Auto Sync enabled correctly applies the group's policy configuration.
File Management
- Permanently Deleted Files Reappearance — Files permanently deleted with a pending supervisor state remain deleted after supervisor auto-approval timespan is reconfigured.
- Download Missing After Encryption Key Change — Download options appear correctly for files uploaded after a new encryption key is generated.
- Shared With Me Duplicate File Entries — Files with multiple tags appear only once in the Shared With Me view regardless of the number of associated tags.
- Starred Files Visibility Toggle — Starred (favorited) files remain visible in My Files regardless of the file security information visibility setting.
Workflow
- Admin View of Subordinate Job History — Administrators can view execution history for all automation jobs from the Admin view, including jobs created by Automation Coordinators.
- MFT Pull of Skipped-Supervision Files — MFT Pull jobs successfully retrieve files with a Skipped Supervision status at the source MFT.
- Shared Space Access with Group Identity Off — Users retain access to their group's shared space even when the group upload identity setting is disabled.
Configuration
- Encryption Key Save Path Trimming — Trailing spaces in the encryption key rotation save path are trimmed before the path is used, preventing save failures.
- Encryption Key Rotation Email Template — The Automatic Encryption Key Rotation email template is configurable from the Notifications settings in the MFT UI.
Archive Scan Result Refresh Navigation
Refreshing on an archive scan result returns to the root file list level without restoring a previous nested state.
Manual Destination MFT Detached Node
Manually added destination MFTs connect correctly within the Visual Orchestration graph instead of appearing as detached nodes.
UI & Usability Fixes
- File Classification Whitespace Validation — File classification values consisting only of whitespace are rejected at input with a validation error.
- Customization Page Overlay on Show More — The UI overlay correctly disables the entire page when a Show More action is loading.
- Email Notification Placeholder Format — Email notification settings display the correct placeholder format for Client ID and Client Secret fields.
- File Settings Download Options Alignment — The Download Options section on the File Settings General tab aligns correctly at full HD resolution.
- Automation Tour User Sync Wording — Automation Tour steps correctly describe user synchronization behavior to the destination MFT.
- Visual Orchestration Created-By Search Field — The Visual Orchestration Created By filter includes a search field for filtering by username.
- Visual Orchestration Created-By Filter Label — The Visual Orchestration Created By filter displays "Everyone" as the default option.
- File Security Report Filter Menu Overlap — The File Security Report filter menu opens without being obscured by the in-progress upload notification.
- AD Server Address Whitespace Validation — Authentication Sources shows a validation error when the Active Directory server address field contains only whitespace.
- Radius Save Button State with Invalid Fields — The Radius Update button is disabled when the integration is turned off while required fields contain invalid values.
- Service Offline UI Error Message — A user-friendly maintenance message replaces the raw error key when the MFT REST service is offline.
- Duplicate Toast Notifications on Save — Save actions generate a single confirmation toast instead of multiple duplicate notifications.
- Clear Sorting Button Styling — The Clear Sorting button in File Security Report uses consistent visual styling aligned with neighboring filter elements.
- Dashboard Widget Text at 1280px — Dashboard widget text scales correctly at 1280×900 resolution without content overflowing its container.
- Clear Sorting Visibility With No Files — The Clear Sorting button in File Security Report is hidden when no files are present.
- File Security Report Chart Hover Key — Hovering over the File Security Report chart does not expose raw translation key strings.
- File Security Report Processing Status Sort — The Processing Status sort modal in File Security Report displays the correct sort options instead of an empty list.
- Multi-Column Sort Limit Notification — A notification appears when a user applies sorting on a third column, enforcing the two-column sort maximum.
- Table View Settings Toast on First Sort — The table view settings confirmation toast displays on the first column sort action rather than requiring a second click.
- Cancelled Sandbox Scan Result Label — Cancelled scan results display a localized label instead of a raw translation key string.
- Automation Tour Video Download — Clicking the download option on the Automation Tour video triggers a video file download instead of a JSON file.
- Encryption Page False Unsaved Changes Warning — The Encryption settings page does not display an unsaved changes warning when no edits have been made.
- SSO Credential Show/Hide Toggle — The SSO Client Secret field includes a toggle to show or hide its value.
- Groups Page Column Order Persistence — Column order changes on the Groups page are saved and persist across sessions.
- SSO User Role Assignment Display — SSO user display names appear correctly without stray empty parentheses when assigning Admin or Automation Coordinator roles.