Release LoadGen Api, Appliance and MCP Server: 1.0.0.11919
LoadGen General
- Qualys May-2026 security remediation. This release clears five Qualys findings and one HIGH GHSA advisory across the appliance image, the Appliance Agent, and the API/MCP Server containers. The fixes ship through the appliance image so freshly-built appliances inherit them on first boot, and through an Appliance Agent migration that retro-fits already-deployed appliances on the next agent restart. A reboot is never forced by the agent — it raises a `reboot-required` flag the operator can act on at a quiet moment so in-flight monitoring runs and uptime check loops aren't killed mid-cycle. Findings cleared: three kernel-module CVEs (Dirty Frag / Fragnesia), one kernel ptrace dumpability CVE, the .NET 8.0.26 → 8.0.27 patch level, and the Scriban template-engine DoS (GHSA-24c8-4792-22hx, CVSS 8.7) used by API Testing — covered in the per-section bullets below.
LoadGen Api
- [#8786] Fixed the Operation dropdown on the Flow Editor coming up empty for sources imported from OpenAPI 3.1 specs that the parser couldn't safely round-trip (the mailcow case was the headline reproducer). The picker now serves the operation list directly from a cached index populated at import time, and pre-existing legacy versions self-heal on the first picker open. When the spec can't be re-fetched or has changed at the source since import, the wizard now shows an actionable toast (re-import this source) instead of silently showing zero suggestions.
- [#8776] Added the API side of the WebHeader uptime check wizard's Retrieve Headers affordance: the wizard can now run the same authenticated HTTP probe a scheduled WebHeader check would run and show the live response headers inline before the check is saved. Auth (Basic / Bearer / ApiKey / CustomHeaders) is honoured exactly as a live check would honour it, and transport failures (DNS, connection refused, TLS handshake, timeout) come back as a readable error message the wizard shows inline.
- [#8708] Fixed Send Test Email failing with SMTP `5.7.1 ... Client host rejected: Access denied` when re-testing a saved Mail Account in Configuration → Notification Accounts → Mail Accounts without re-typing the password. The test-connection and send-test-email endpoints now accept an optional account id and, when no fresh password is supplied inline, substitute the stored credential server-side. Fresh keystrokes still take precedence, so the create-flow probe (with no saved account yet) works exactly as before.
- [#8790] A fresh appliance now provisions a default API Testing datasource (`LoadGen-ApiTesting-Json`) as part of the "Create default datasources" step alongside the existing InfluxDB defaults (Testing, Monitoring, Insight, UptimeMonitoring, SessionSight). The API Testing module is functional out-of-the-box without manual datasource setup — matching the zero-touch behavior of every other module. The provisioning step is idempotent and won't touch an operator-renamed entry with the same name.
- API Testing observability — structured debug and failure logging across the API Testing surface. When debug logging is enabled on an appliance, operators can now follow an API Testing flow run end-to-end — from the incoming run request, through execution of each node, to the storage decision and the live UI update — and any failure mid-path emits a Warning or Error at the point of decision with the IDs needed to correlate (flow / run / node / source / version / environment, plus URL / status / duration). At the default `Information` level there are no new log lines, so steady-state cost is zero. Failures that were previously silent — corrupt files in the storage backend, source-poll skips, exceptions that were swallowed or collapsed into a single generic failure, and error responses returned without a log — are now visible and grouped by exception type and failure kind, which makes them filterable in Loki / Elasticsearch without parsing free text.
- [#8780] API Flow wizard's Add Source now accepts OpenAPI 3.1 specs in both JSON and YAML, and a new file-upload affordance lets operators ingest specs from platforms that don't publish them on a polling-friendly URL (Authentik, Mailcow, Immich). The OpenAPI parser is upgraded to support 3.1 documents natively (the old library couldn't), and sources can now be marked as manual-upload only so the background poller skips them. Uploaded spec files (10 MB cap) flow through the same parse and versioning pipeline as URL-fetched specs, so both paths behave identically. The customer-facing `/swagger/index.html` documentation surface continues to render under the same UI.
- [#8782] Fixed the API Flow wizard's Detect button returning "Could not find an OpenAPI spec at the given URL or its common sub-paths" against valid OpenAPI JSON endpoints (Authentik and Immich were the reproducers). Detect previously read the result before the background spec fetch had run — so every first-time detect failed with a generic message, regardless of whether the spec was valid. Detect now validates the source in a single synchronous round trip and reports the real result (success with operation count, or the actual fetch / parse error inline). The Sources page Refresh now button keeps its existing background-refresh behavior.
- [#8719] Added an Edit action for appliance users so granting or revoking sudo no longer requires SSH-ing in to run `usermod -aG sudo` by hand. The edit covers sudo membership today (with room for shell / expiry / groups later) and reports the post-change state back so the row refreshes without a second round trip. The operation is idempotent — re-issuing the same state is a no-op and doesn't pollute the audit log.
- [#8730] Two API extensions on the Alert Profiles surface so the operator can see at a glance which Uptime checks are linked to a given profile and bulk-assign a profile to many checks at once. The Uptime checks summary now carries the linked alert-profile ids per check so the Profiles page can render the "N checks linked" chip from a single round trip. The new bulk-assign takes a list of check ids and links them to the profile with additive merge semantics (a buggy client can't strip pre-existing linkages), is idempotent, and reports per-check successes / already-linked / failures so a single bad id doesn't sink the batch.
- [#8731] Fixed the Alert Profile picker on Step 6 of the Uptime Check wizard not persisting — picking a profile, saving, and reopening the check showed "Select an alert profile..." again, and the Step 10 Summary always showed defaults regardless of which profile was picked. The Uptime check definition now persists the selected alert profiles (multi-select, mirroring the Monitoring side), and the alert evaluator applies a two-tier rule: when one or more profiles are linked it intersects them with the enabled set; when the list is empty it falls back to "all enabled Uptime-scope profiles" so legacy checks keep firing exactly as before.
- [#8758] Fixed the DnsAuthority uptime check wizard showing a false-positive amber banner on Step 10 reading "These fields will be ignored at execution time" whenever the operator filled in the Specific authoritative server field — the wizard's Save then appeared to hang. The check-type capability metadata now correctly declares the field as applicable for DnsAuthority (the executor actually requires it), so the wizard's pre-save check stops flagging it.
- [#8774] Fixed PowerShell uptime check Test Request failing instantly with `Script ... is in the cache index but its content is not available` on the very first Test click of a freshly-authored script. The API now sends the script body inline alongside the test request so the worker doesn't have to wait for its cache to warm — production scheduled checks continue to flow through the cache exactly as before, so the change is scoped to the wizard test path.
- [#8736] DnsResolve uptime checks can now be pinned at a specific resolver (e.g. an internal AdGuard at `192.168.1.150`) via optional Custom DNS server and Port parameters in the wizard's Check options, rather than always using the appliance's OS resolver. Blank / missing values fall through to the existing behavior byte-identical to today. v1 is A-record only; the existing expected-IP assertion logic is unchanged.
- [#8773] Added a way to manually close an Uptime incident: a new `POST /uptime/incidents/{id}/resolve` endpoint marks an incident as resolved with `resolution=Manual`. The endpoint refuses to overwrite a previously resolved incident (whether closed automatically or manually), and a manual close survives subsequent successful probes (the auto-recovery path doesn't reopen and re-close it). The Incidents page refreshes in place exactly as it does when an incident recovers automatically. The Swagger documentation on the resolution enum is tightened so `Auto` and `Manual` now accurately describe who sets them.
- [#8724] Fixed the Change Password action on the admin avatar's My Profile menu failing with "The requested resource was not found." The API never shipped the self-service change-password operation the Frontend was wired against — it exists now. The new flow re-verifies the caller's current password first (a wrong password is rejected without revealing whether the user exists), validates the new password against the same ≥ 8-character rule used elsewhere, and writes the change while preserving the user's roles. The admin-style password reset path is unchanged.
- [#8760] Fixed the FTP uptime check rejecting endpoint inputs without an explicit port (`ftp.example.com` instead of `ftp.example.com:21`) with a hard "TCP endpoint must be 'host:port'" error, despite the wizard saying "Defaults to port 21 if you omit it." The FTP executor now applies the same colon-less default the SSH (22) and SMTP (25) executors already used. Closes duplicate [#8761].
- [#8674] Added a "pending Resolved-ticket" notification so the header bell can prompt customers to verify and close tickets that LoadGen Support has flipped to Resolved. The notification can be dismissed per ticket or in bulk; dismissals are scoped to the user and persisted, so subsequent logins don't re-pop the same notification. Only tickets the calling user originally submitted are surfaced.
- [#8715] Ticket search in the Support Tickets view now accepts the work-item number you'd reference in daily conversation (`8454` or `#8454`) in addition to the full GUID and the ticket title. The optional leading `#` is stripped before matching.
- Qualys — Scriban template engine. Upgraded the Scriban template engine used by API Testing's expression engine from 7.0.6 to 7.2.0, clearing GHSA-24c8-4792-22hx (HIGH severity, CVSS 8.7 — a denial-of-service via unbounded resource allocation). The Scriban API surface used by LoadGen is identical between the two versions, so the upgrade is a transparent dependency bump with no behaviour change.
- Qualys — .NET 8.0.27. The API container image picks up .NET 8 runtime 8.0.27 (QID 92390) on the next image rebuild.
LoadGen Appliance
- [#8719] The Appliance Agent ships the user-edit handler behind the central API's new Edit action, so sudo membership can be flipped on existing users without an SSH session. The handler is idempotent (re-issuing the same state runs no shell command and pollutes no audit log) and reports the post-change membership back so the Frontend can refresh inline. Uses `gpasswd -d ... sudo` for the revoke path (portable across Ubuntu / Debian).
- [#8764] Fixed the ICMP Ping uptime check failing on Step 5 (Validation) and Step 10 (Test Check) with "Ping failed: The system's ping utility could not be found." The appliance image was missing the `iputils-ping` package — .NET's ping APIs on Linux shell out to `/usr/bin/ping`, and the binary wasn't installed. Freshly-built appliances now ship with it baked in, and an Appliance Agent migration installs it on already-deployed appliances on the next agent restart. The migration is non-fatal — apt failures log a warning but don't block agent startup.
- [#8705] Fixed Remove on the Infrastructure → Appliance → CA Trust → Installed CA Bundles row producing "Delete failed: Agent returned 400 (Bad Request)" and the bundle staying in the list. A packaging defect kept the delete request from ever reaching the appliance agent, so the agent answered with a generic 400; removing an installed CA bundle now works.
- [#8718] Fixed appliance Create User rejecting usernames containing a dot even though Ubuntu / Debian `useradd` happily accepts them. The validation now allows dots in addition to dashes and underscores; leading-letter and lowercase-only rules are preserved, and leading-dot usernames are still rejected. The same validation applies to the change-password / lock / unlock / delete paths, so those accept the same usernames.
- [#8710] Fixed the Sign in with button on the login page returning a 404. The appliance's reverse proxy was missing the routing rule for the SSO endpoints, so the sign-in request never reached the API and 404'd. Freshly-built appliances now ship the reverse-proxy rule, and an Appliance Agent migration back-fills the same rule on already-deployed appliances on the next agent restart. The rule covers all four SSO routes (initiate, callback, providers, exchange).
- [#8660] Fixed Grafana and InfluxDB reverting to self-signed certificates after applying a custom certificate via the HTTPS Setup Wizard, and the applied certificate not surviving a reboot. The roll-out previously treated stale self-signed files as already in place; it now checks each target against the applied certificate and overwrites any that don't match — idempotent, no needless writes, and no reverse-proxy reload thrash. Affected appliances self-heal on the next agent restart.
- [#8706] Fixed the Backups page taking ~10 seconds to load when several large archives were present. The listing previously re-computed each archive's SHA-256 hash from the full archive file on every request. New archives now write a small `.sha256` sidecar at create time, and the listing path reads that sidecar instead of re-hashing. Archives created before this release self-heal on the first listing after upgrade (paying the old cost once, then sub-second from then on). The sidecar files are invisible to the existing list / restore / delete paths.
- [#8665] Fixed "Failed to change credentials: User 'admin' not found in InfluxDB." on the Services tab Change-Password form. The Appliance Agent's InfluxDB lookups could come back empty on affected appliances because an internally-minted access token was too narrowly scoped; the flow now mints the token with the correct scope and self-heals affected appliances by re-minting the cached token once if the first lookup comes up empty. No `docker exec`, `influxd recovery`, or container restart needed. Closes duplicate [#8664].
- Qualys May-2026 kernel and .NET remediation. The appliance image bakes in the fix for five Qualys findings: three Dirty Frag / Fragnesia kernel-module CVEs (mitigated by blacklisting `rxrpc`, `esp4`, `esp6`, `ipcomp`, `ipcomp6` — none used by the appliance), one kernel ptrace dumpability CVE (mitigated by upgrading the kernel and enabling `unattended-upgrades` so future kernel CVEs land automatically), and the .NET 8.0.26 → 8.0.27 patch level. The Appliance Agent retro-fits already-deployed appliances on the next agent restart via an idempotent migration that writes the module blacklist, refreshes the initramfs, and triggers a one-time apt upgrade. A reboot is required to fully activate the new kernel and blacklist, but is never forced — the agent raises `/var/run/loadgen/reboot-required` so the infrastructure page can prompt operators to schedule it at a quiet moment. The Ubuntu-side `unattended-upgrades` wiring means future kernel CVEs land automatically as Ubuntu ships USNs.
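A check an operator could run after the agent migration to confirm the module blacklist and reboot state from the last bullet above. This is an added example, not LoadGen code: only the five module names and the flag path come from these notes, while the `/etc/modprobe.d` location and the `blacklist` / `install` line forms are assumptions about how the blacklist is written.

```shell
#!/bin/sh
# Added example, not LoadGen code: audits the module blacklist described above.
# Assumed locations (override via environment); only the module names and the
# reboot flag path come from the release notes.
CONF_DIR="${CONF_DIR:-/etc/modprobe.d}"
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
REBOOT_FLAG="${REBOOT_FLAG:-/var/run/loadgen/reboot-required}"
MODULES="rxrpc esp4 esp6 ipcomp ipcomp6"

# config_state MODULE -> prints install-blocked, blacklisted or missing.
# "blacklist X" only stops alias-based autoloading; an "install X /bin/false"
# (or /bin/true) line also stops an explicit modprobe of X.
config_state() {
    sp='[[:space:]]'
    if cat "$CONF_DIR"/*.conf 2>/dev/null |
        grep -Eq "^$sp*install$sp+$1$sp+/(usr/)?bin/(false|true)"; then
        echo install-blocked
    elif cat "$CONF_DIR"/*.conf 2>/dev/null |
        grep -Eq "^$sp*blacklist$sp+$1($sp|\$)"; then
        echo blacklisted
    else
        echo missing
    fi
}

# is_loaded MODULE -> exit 0 if the module is resident in the running kernel.
is_loaded() {
    grep -Eq "^$1[[:space:]]" "$PROC_MODULES" 2>/dev/null
}

# audit -> one line per module plus the reboot flag; returns 1 if any module
# is unconfigured or still loaded (the mitigation is not yet fully active).
audit() {
    rc=0
    for mod in $MODULES; do
        state=$(config_state "$mod")
        if is_loaded "$mod"; then live=loaded; else live=absent; fi
        echo "$mod config=$state kernel=$live"
        if [ "$state" = missing ] || [ "$live" = loaded ]; then rc=1; fi
    done
    if [ -e "$REBOOT_FLAG" ]; then echo "reboot=pending"; else echo "reboot=not-flagged"; fi
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it with `--run`; a module reported as `kernel=loaded` alongside `reboot=pending` was resident before the blacklist was written and stays so until the scheduled reboot.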
LoadGen MCP Server
- Qualys — .NET 8.0.27. The MCP Server container image picks up .NET 8 runtime 8.0.27 (QID 92390) on the next image rebuild.