-
Notifications
You must be signed in to change notification settings - Fork 10
BP-2693: Release notes (2026-06-16) #312
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
32 commits
Select commit
Hold shift + click to select a range
4cc92ed
wip: initial draft of v9.3.0 release notes
jeff-matthews 98a571c
wip: removed old, mis-tagged issue for PZM
jeff-matthews 82a4b2f
wip: removed old AzureHound fixed issue
jeff-matthews e15ecdd
wip: add no-op stub for AzureHound
jeff-matthews 15f0f77
wip: copyedit jamf api client feature
jeff-matthews 66fc196
chore: moved AzureHound fixed issue to latest release
jeff-matthews d81bcfa
wip: copyedit fixed issue descriptions
jeff-matthews 148d912
wip: copyedit administration enhancements
jeff-matthews bd0200b
wip: add TODOs for enhancements that require supporting doc updates
jeff-matthews 358a025
chore: removed mis-tagged issues
jeff-matthews e7dceca
wip: copyedit full-path highlighting
jeff-matthews f338866
wip: copyedit layout defaults
jeff-matthews 046235c
wip: copyedit layout defaults
jeff-matthews ae7d6cb
wip: minor copyediting
jeff-matthews 1c5cc88
wip: copyedit attack path type names
jeff-matthews 86d62f4
chore: removed previously shipped cypher result layouts enhancement
jeff-matthews 58165c3
wip: copyedit certification statuses
jeff-matthews 728519f
wip: copyedited built-in extensions
jeff-matthews 7b8bac9
wip: added post-processing performance enhancements
jeff-matthews 87eb0af
wip: initial draft of v9.3.0 summary
jeff-matthews 6bd20d4
chore: align summary and v9.3.0 release notes
jeff-matthews 5d58881
fix: broken links
jeff-matthews 53a839b
Merge branch 'release/v9.3.0' into BP-2693-release-notes
jeff-matthews 7216f8c
Merge branch 'release/v9.3.0' into BP-2693-release-notes
jeff-matthews 21502e2
Merge branch 'release/v9.3.0' into BP-2693-release-notes
jeff-matthews e822eac
chore: normalized pre-installed extension terminology
jeff-matthews 4c9729c
style: use title case
jeff-matthews 6ac53ec
Merge branch 'release/v9.3.0' into BP-2693-release-notes
jeff-matthews e312ab4
chore: bump openhound version
jeff-matthews 3bc0266
style: refine headings
jeff-matthews 4684a47
docs: clarify editionavailability for supported extensions
jeff-matthews 1bd3ab4
chore: change enterprise designation
jeff-matthews File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,176 @@ | ||
| --- | ||
| title: 2026-06-16 Release Notes | ||
| description: Learn about new features, enhancements, and fixed issues in BloodHound. | ||
| sidebarTitle: "2026-06-16" | ||
| --- | ||
|
|
||
| | | | | | | | ||
| | --- | --- | --- | --- | --- | | ||
| | **Release** | **BloodHound** | **OpenHound** | **SharpHound** | **AzureHound** | | ||
| | 2026-06-16 | v9.3.0 | v0.2.0 | No release | v2.12.2 | | ||
|
|
||
| <Tip> | ||
| Use the filters on the right side of this page to narrow down the updates by component. You can select multiple filters at the same time to refine your results. | ||
| </Tip> | ||
|
|
||
| <Update label="OpenHound" description="New Feature" tags={["Data Collection"]}> | ||
| {/*BED-8516*/} | ||
| ## Jamf API Client Authentication | ||
|
|
||
| Authenticate the OpenHound Jamf collector with a Jamf Pro API client instead of relying on a Jamf user account and password. | ||
|
|
||
| This update adds support for Jamf [API clients](/openhound/collectors/jamf/collect-data) as the recommended authentication method. API clients are not tied to a user account, can be scoped to a dedicated API role, and can be rotated or revoked independently, making them a better fit for production environments and least-privilege access. | ||
| </Update> | ||
|
|
||
| <Update label="OpenHound" description="New Feature" tags={["Data Collection"]}> | ||
| {/*BED-8357*/} | ||
| ## GitHub Enterprise SSO Support | ||
|
|
||
| Connect OpenHound to GitHub Enterprise environments that enforce single sign-on at the enterprise level. | ||
|
|
||
| This update addresses authentication failures in GitHub Enterprise environments where SSO blocked OpenHound from accessing repositories through the configured GitHub App. | ||
| </Update> | ||
|
|
||
| <Update label="BloodHound" description="Enhancement" tags={["Administration"]}> | ||
| {/*BED-8336*/} | ||
| ## Role-Based Access Hardening | ||
|
|
||
| Read access for the **User**, **Power User**, and **Read-only** roles has been reduced to limit exposure to sensitive user data and administrative API endpoints. | ||
|
|
||
| This update refines the permission model for administration-related APIs so these roles retain access only to the endpoints and data required for their supported workflows. | ||
|
|
||
| For example, these roles can use the [List Users Minimal](/reference/bloodhound-users/list-users-minimal) endpoint to read user data, but cannot access sensitive information through the broader [List Users](/reference/bloodhound-users/list-users) endpoint. | ||
| </Update> | ||
|
|
||
| <Update label="BloodHound" description="Enhancement" tags={["Administration"]}> | ||
| {/*BED-7765*/} | ||
| ## Auditor Access Improvements | ||
|
|
||
| Users with the **Auditor** role can now view the **Manage Users** and **Manage Clients** tables without requiring the permissions needed to create or modify those resources. | ||
|
|
||
| This update adds read-only access to those management views while keeping administrative actions such as **Create User**, **Create Client**, and other modification workflows restricted to the **Admin** role. | ||
| </Update> | ||
|
|
||
| <Update label="BloodHound" description="Enhancement" tags={["Administration"]}> | ||
| {/*BED-7263*/} | ||
| ## Expanded Audit Logging | ||
|
|
||
| [Audit logs](/reference/audit/list-audit-logs) now capture additional high-risk user actions, including running Cypher queries, editing collector clients or schedules, and running on-demand collections. | ||
|
|
||
| This change improves visibility into sensitive operator actions for security reviews and compliance workflows. | ||
| </Update> | ||
|
|
||
| <Update label="BloodHound" description="Enhancement" tags={["Accessibility"]}> | ||
| {/*BED-7226*/} | ||
| ## Accessibility Improvements | ||
|
|
||
| Data tables now provide more accessible headers, sorting behavior, keyboard navigation, and screen reader announcements. | ||
|
|
||
| This update improves table usability across supported browsers and helps align the experience with WCAG 2.1 accessibility requirements. | ||
| </Update> | ||
|
|
||
| <Update label="BloodHound" description="Enhancement" tags={["API"]}> | ||
| {/*BED-8233, BED-8234*/} | ||
| ## OpenGraph Extension Namespace Visibility | ||
|
|
||
| The [List OpenGraph Extensions Information](/reference/opengraph-experimental/list-opengraph-extensions-information) endpoint now includes each extension's [`namespace`](/opengraph/developer/graph-definition#param-namespace) key in its response body. | ||
|
|
||
| This change gives the API and the [OpenGraph Management](/opengraph/extensions/manage) page the information needed to expose the namespace prefix used for extension-defined node types. | ||
| </Update> | ||
|
|
||
| <Update label="BloodHound" description="Enhancement" tags={["Explore"]}> | ||
| {/*BED-8246*/} | ||
|
|
||
| ## Full-Path Highlighting | ||
|
|
||
| When you select a node in the graph, BloodHound now dims paths that do not traverse the selected node. This includes inbound and outbound object control, making it easier to isolate how a node participates in longer Attack Paths. | ||
|
|
||
| Full-path highlighting is enabled by default. See [Object interaction](/analyze-data/explore/search#object-interaction) for more information. | ||
| </Update> | ||
|
|
||
| <Update label="BloodHound" description="Enhancement" tags={["Post-Processing"]}> | ||
| ## Analysis Performance Improvements | ||
| {/*BED-8361, BED-8362, BED-8363, BED-8364, BED-8365*/} | ||
| Optimized processing logic for the following edge types, significantly reducing time in analysis: | ||
|
|
||
| - [Owns](/resources/edges/owns) | ||
| - [WriteOwner](/resources/edges/write-owner) | ||
| - [EnrollOnBehalfOf](/resources/edges/enroll-on-behalf-of) | ||
| - [ADCSESC1](/resources/edges/adcs-esc1) | ||
| - [ADCSESC3](/resources/edges/adcs-esc3) | ||
| - [ADCSESC4](/resources/edges/adcs-esc4) | ||
| - [ADCSESC6a](/resources/edges/adcs-esc6a) | ||
| - [ADCSESC6b](/resources/edges/adcs-esc6b) | ||
| - [ADCSESC13](/resources/edges/adcs-esc13) | ||
| - [SyncLAPSPassword](/resources/edges/sync-laps-password) | ||
| - [ReadLAPSPassword](/resources/edges/read-laps-password) | ||
| - [DCSync](/resources/edges/dc-sync) | ||
| - [CanRDP](/resources/edges/can-rdp) | ||
| - [AdminTo](/resources/edges/admin-to) | ||
| - [ExecuteDcom](/resources/edges/execute-dcom) | ||
| - [CanPSRemote](/resources/edges/can-ps-remote) | ||
| </Update> | ||
|
|
||
| <Update label="BloodHound" description="Enhancement" tags={["OpenGraph"]}> | ||
| {/*BED-8277*/} | ||
| ## Pre-Installed SpecterOps Extensions | ||
|
|
||
| <img src="/assets/enterprise-edition-pill-tag.svg" alt="BloodHound Enterprise logo" style={{ width: "25%" }}/> | ||
|
|
||
| BloodHound Enterprise now includes pre-installed OpenGraph extensions for GitHub, Jamf, and Okta. This streamlines extension management by making these supported extensions available without a separate installation step. | ||
|
|
||
| See [OpenGraph Extensions](/opengraph/extensions/manage) to learn more. | ||
| </Update> | ||
|
|
||
| <Update label="BloodHound" description="Enhancement" tags={["Posture"]}> | ||
| {/*BED-8207*/} | ||
| ## Updated Attack Path Type Names | ||
|
|
||
| <img src="/assets/enterprise-edition-pill-tag.svg" alt="BloodHound Enterprise logo" style={{ width: "25%" }}/> | ||
|
|
||
| The **Attack Paths** table on the **Posture** page now uses Privilege Zones terminology (where appropriate) instead of older **Tier Zero** naming. | ||
|
|
||
| This update keeps Attack Path type names aligned with the latest findings documentation in BloodHound Enterprise. | ||
| </Update> | ||
|
|
||
| <Update label="BloodHound" description="Enhancement" tags={["Zone Builder"]}> | ||
| {/*BED-8186*/} | ||
| ## Search Across Certification Statuses | ||
|
|
||
| <img src="/assets/enterprise-edition-pill-tag.svg" alt="BloodHound Enterprise logo" style={{ width: "25%" }}/> | ||
|
|
||
| Search for objects across all [certification statuses](/analyze-data/privilege-zones/certification#by-status) in Zone Builder. | ||
|
|
||
| This improvement helps you confirm whether a specific object is already present in a zone without selecting each certification status separately and running multiple searches. | ||
| </Update> | ||
|
|
||
| <Update label="BloodHound" tags={["Fixed Issues"]}> | ||
| ## API | ||
|
|
||
| {/*BED-6775*/} Resolved an issue where the **Composition** and **Relay Target** accordions in the Entity panel did not populate in the following ADCS edges, causing the related node and edge data to appear empty: | ||
| - [CoerceAndRelayNTLMToADCS](/resources/edges/coerce-and-relay-ntlm-to-adcs) | ||
| - [CoerceAndRelayNTLMToSMB](/resources/edges/coerce-and-relay-ntlm-to-smb) | ||
| - [ADCSESC1](/resources/edges/adcs-esc1) | ||
| - [ADCSESC3](/resources/edges/adcs-esc3) | ||
|
|
||
| ## Cypher | ||
|
|
||
| - {/*BED-7759*/} Fixed an issue where editing a saved query while another query was selected displayed the wrong query in the edit box, potentially causing you to overwrite the wrong saved query. | ||
| - {/*BED-8360*/} Fixed a performance issue where reusing Cypher query variables caused queries to run significantly slower instead of making them more restrictive as intended. | ||
|
|
||
| ## Posture | ||
|
|
||
| <img src="/assets/enterprise-edition-pill-tag.svg" alt="BloodHound Enterprise logo" style={{ width: "25%" }}/> | ||
|
|
||
| {/*BED-8392*/} Resolved an issue where enabling **Logarithmic Chart Scale** caused the **Historical Findings** and **Total Attack Paths** charts to go blank. | ||
| </Update> | ||
|
|
||
| <Update label="OpenHound" tags={["Fixed Issues"]}> | ||
| {/*BED-8389*/} Resolved an issue where the the OpenHound Okta collector appeared to connect successfully but returned incomplete data, with relevant Okta-based saved queries returning no results. | ||
| </Update> | ||
|
|
||
| <Update label="AzureHound" tags={["Fixed Issues"]}> | ||
| <img src="/assets/enterprise-edition-pill-tag.svg" alt="BloodHound Enterprise logo" style={{ width: "25%" }}/> | ||
|
|
||
| {/*BED-8176*/} Resolved an issue for hosted `edge-*` AzureHound container images where an invalid collector version string caused BloodHound to reject uploads from the collector as unsupported. | ||
| </Update> | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@zaton-netizen
Based on my reading of BED-8357, this adds new autogenerated reference docs for GitHub nodes and edges. I haven't run through that process before, but would be happy to do so if someone can show me.
What's less clear is whether this impacts any of the manually maintained configuration docs. Can you please confirm?