Fixed Issues in 2026
- Last Updated: May 21, 2026
- 1 minute read
- MOVEit Transfer
- Version 2026
- Documentation
This section outlines issues tracked and fixed by the MOVEit product team
for the 2026 release.
Note: See the What's New section for a broader summary of
features and improvements.
|
ID |
Category |
Fixed Issue |
|---|---|---|
| 30142 | AV/DLP | Added capability to disable AV for specific org |
| 5982 | WebUI | Fixed issue where invalid password change code error references old link. |
| 60325 | API | Fixed issue where long-running uploads in.NET API might fail due to unintended request timeout. |
| 71991 | Folders, WebUI | Fixed issue where folder name containing spaces is not displayed correctly in email notification when a folder is shared with a user. |
| 83005 | Upgrade, Certificate | Resolved issue where upgrade to 2024.0 or newer breakes CA Signing Cert creation or deletion added before 2020.1. |
| 87088 | Security, HTTP | Improved server security by adding missing security headers to address findings from a recent penetration test. |
| 87808 | Uploader, WebUI | Fixed issue where files uploaded by sysadmin were routed to wrong organization’s folder. |
| 89081 | User auth, LDAP | Resolved issue that could allow externally authenticated users to retain access after deactivation. |
| 89123 | Ad Hoc, Scheme | Resolved authorization control issue to improve overall system security. |
| 89253 | Audit Log | Fixed incorrect action reported after updating user details for accounts with empty email addresses and email‑based MFA. |
| 90775 | Encryption Key API | Fixed issue where switching from org admin to sysadmin required re-authentication before key rotation became accessible. |
| 91040 | WebUI | Fixed issue where filenames were not displayed in file‑not‑downloaded notification emails. |
| 92050 | Utilities | Fixed Sysadmin reset issue for case where the admin changed the MySQL MOVEit user password. |
| 94684 | AS2, Folders | Fixed issue that prevented admins from adding new AS2 subfolders. |
| 96820 | Certificate, Security | Improved certificate generation during installation to address security compliance. |
| 97398 | Lockouts, Security | Improved IP lockout handling to prevent unintended access issues for authorized users. |
| 97450 | SSO, SAML, WebUI | Fixed issue where the signon page failed to display a confirmation message after a full IdP logout. |
| 97524 | Settings (sysadmin) | Fixed issue where saving SMTP configuration unintentionally cleared the Email Parameter fields. |
| 98336 | SSH, Security | Resolved issue where SSH key attempts were logged even when SSH access was disabled. |
| 98527 | Settings, WebUI | Fixed issue where the WebUI allowed saving email settings without required email addresses. |
| 98528 | Settings (sysadmin) | Corrected the masking character used for the Client Secret field in both the web UI and Config Utility. |
| 98920 | Downloads, Live View | Fixed issue with Live View where downloads can seem stuck indefinitely and display as Stalled. |
| 99494 | Logging | Fixed issue where upload and download operations sporadically showed a missing or zero transfer rate in the logs. |
| 99897 | Ad Hoc, Security | Fixed issue where Subject and Sender Fields are Editable in File Request Response. |
| 100398 | SMTP, Utilities | Increased buffer size for encrypted password handling |
| 100909 | Utilities | Fixed issue where ConsistencyCheck crashes if a duplicate file ID is found in the file system. |
| 100990 | Security, HTTP | Updated Axios dependency to 1.15. |
| 100991 | Security | Updated qs dependency to 6.14.5. |
| 101048 | Uploader, Security | CVE-2026-8801: Fixed an issue that could allow file extension restrictions to be bypassed. |
| 101077 | User auth, REST | Improved return output for duplicate SSH key scenario. |
| 101107 | Utilities, DMZRestore | Added option to DMZBackup utility for large database backups. |
| 101204, 101205, 101206, 103033 | WebUI Security | Updated parser and text input dependencies. |
| 101299 | AV/DLP | Fixed issue where updating DLP or AV scanner settings (enable/disable, block/allow) does not affect users without logout or cache clear. |
| 102887 | User auth, REST, Security | Fixed potential inconsistancy for session tracking of an authenticated user. |
| 102999 | SSH, User auth, Security | Improved 2FA authentication handling for SFTP session. |
| 103059 | SFTP | Optimized SFTP service garbage collection for less perceived latency. |
| 103199 | Database, MySQL, Installer | Updated MySQL dependency to 9.7.0. |
| 103420 | Security, SMTP notifications | Updated MailKit dependency to 4.16.0. |
| 103477 | Reports, Security | CVE-2026-8649: Fixed issue with scoping of custom report results. |
| 103614 | SFTP, Security | Updated SFTP dependencies with better memory and connection management. |
| 103627 | Settings (org) Security | CVE-2026-8650: Fixed issue that could allow MOVEit admins to view system file contents. |
| 103628 | Users, Security | CVE-2026-8800: Fixed an issue that could allow an Audit User to view external token metadata in other orgs. |
| 103629 | WebUI, Security | CVE-2026-8651: Fixed issue with IP resolution when accessing the machine interface. |