The following issues were fixed in MOVEit Automation 2026.

ID

Category

Fixed Issue

9010

Hosts, Tasks

Tasks using MIT hosts with wildcard (**) now correctly recognize the Collect only new files option and prevent duplicate transfers.

76260

Failover

Java API task execution now correctly blocks task runs on secondary nodes in legacy failover environments.

82991

PGP

Startup performance has been improved by optimizing how PGP keyrings are loaded.

86814

Advanced Tasks

Advanced tasks using S3 sources now correctly apply rename actions in the Update Original step.

86815

Advanced Tasks

Advanced tasks using Azure Blob sources now correctly apply rename actions in the Update Original step.

96730

Certificates, Server

Importing invalid certificate files no longer causes the Automation service to terminate unexpectedly.

96908

Logs

Task logs are now finalized only after all log entries are written, ensuring complete log retrieval.

97358

Logs

Usernames longer than 31 characters are now fully preserved in task and system log messages.

97588

Web Admin

The deprecated 3DES encryption algorithm is no longer shown as FIPS compliant for ASx hosts.

98193

Server

Zip file expansion now correctly preserves filenames containing extended ASCII characters.

98351

POP3

POP3 attachment handling has been improved to correctly process multipart boundaries with additional attributes.

98847

SFTP

SFTP timestamp handling is now consistent across upgrades, preventing unintended file re-transfers that occurred in some cases when the Collect Only New option was enabled.

98931

Install

The installer now prompts with the configured custom Windows service account during upgrades instead of the default moveitsvc account.

99497

Reports

The File Activity report now handles larger numeric data in a more suitable way, preventing confusing numeric conversions.

100330

Server

File deletion now respects the Secure Delete configuration and does not perform secure deletes when the setting is disabled.

100386

SFTP

The SFTP host connection test now honors the configured compression settings.

100451

Install

The out-of-date installer documentation link for SQL Server TLS guidance has been removed.

100853

SharePoint

The SharePoint PUT script now uploads complete file contents for all supported file types.

100950

Server

Password encryption and decryption logic has been updated to increase buffer limitations, allowing larger passwords to be used.

101151

Security, Server

CVE-2026-8485: Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation.

101152

Security, Endpoints, Server

CVE-2026-8486: Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation.

101153

Security

CVE-2026-8487: Incorrect default permissions vulnerability in Progress Software MOVEit Automation.

101156

Security, Server

CVE-2026-8488: Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation.

101447

Web Admin

The Back to Task Runs label on the Task view now displays correctly after navigating from the Task Run report.

101550

Install, Security

Web Admin certificates are now generated using the host machine name instead of localhost.

101565

Security

Content-Disposition header handling has been hardened to prevent header injection.

103082

PGP

Exporting PGP keys now generates a corresponding audit log entry.

103818

HTTPS

Public key requests from the Server to Web Admin now correctly ignore environment‑level proxy settings, preventing connection issues.

99804, 101036, 101192, 101193, 101302, 101612, 102638, 103210, 103555

Security, Web Admin, Server, Database

Multiple third-party components used by MOVEit Automation have been updated to newer supported versions, including Spring Framework and Spring Security, Spring Boot, OpenSSL, Tomcat, OpenJDK, libcurl, MySQL, Bouncy Castle, and selected JavaScript libraries. These updates improve overall security and prevent potential vulnerabilities.