25.3.6

What's Changed

** Please take note that we utilize the new ascender-operator for this install, please ensure you update the installer to the latest git pull **

Notable Items

• Fix missing exception catch in create_partition by @Klaas- in #291
• Swap to using Inter fonts in #295
• Resolve highlighted Job Output being lost when scrolling in #296
• Resolve issue where highlighting Job Output text can cause the event popup in #298
• Resolve issue where Elapsed Timer doesn't start on Launch in #299
• Migrate from axios to native Fetch in #287
• Clean up some tests, resolve some deprecation warnings in #290

Upstream Patches

• Upstream 16366 - avoid delete in loop in inventory import in #281
• Upstream 16340 - NameError in wsrelay when JSON decode fails with DEB… in #282
• Upstream 16344 - Do not ignore errors on activity stream connection in #283
• Upstream 16346 - Delete unused contains method in #284
• Upstream 16013 - Remove deprecated custom virtual environment feature in #256

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Upgrade aiohttp to resolve CVE-2026-22815 CVE-2026-34513 CVE-2026-34514 CVE-2026-34515 CVE-2026-34516 CVE-2026-34517 CVE-2026-34518 CVE-2026-34519 CVE-2026-34520 CVE-2026-34525 in #288
• Upgrade brace-expansion to resolve CVE-2026-33750 in #277
• Upgrade cryptography to resolve CVE-2026-34073 in #278
• Upgrade cryptography to resolve CVE-2026-39892 in #294
• Upgrade docs site requirements to resolve CVE-2026-25645 in #276
• Upgrade Django to resolve CVE-2026-3902 CVE-2026-33034 CVE-2026-33033 CVE-2026-4292 CVE-2026-4277 in #293
• Upgrade dynaconf to resolve CVE-2026-33154 in #270
• Upgrade flatted to resolve CVE-2026-32141 in #268
• Upgrade flatted to resolve CVE-2026-33228 in #272
• Upgrade lodash / lodash-es to resolve CVE-2026-4800 CVE-2026-2950 in #289
• Upgrade picomatch to resolve CVE-2026-33671 CVE-2026-33672 in #274
• Upgrade pyasn1 to resolve CVE-2026-30922 in #269
• Upgrade pygments to resolve CVE-2026-4539 in #280
• Upgrade PyJWT to resolve CVE-2026-32597 in #266
• Upgrade pyOpenSSL to resolve CVE-2026-27448 in #267
• Upgrade requests to resolve CVE-2026-25645 in #273
• Upgrade yaml to resolve CVE-2026-33532 in #275

Full Changelog: 25.3.5...25.3.6

25.3.5

What's Changed

** Please take note that we utilize the new ascender-operator for this install, please ensure you update the installer to the latest git pull **

Notable Items

• Add python social Azure Tenant based auth by @Klaas- in #238
• Add github_app credential adapted from awx-plugins by @Klaas- in #239
• Make githubapp private key storable in other credential sources by @Klaas- in #240
• Fix datetime error when downloading the Instance Bundle by @mcowser in #264

Upstream Patches

• Upstream 15338 - Remove archaic monkey patches in #246
• Upstream 15964 - Fix duplicate metrics in AWX subsystem_metrics in #252
• Upstream 16074 - Validate max_length for scm_branch in #243
• Upstream 16104 - Fix Grafana notification bug in #254
• Upstream 16119 - Make project and private data directories in #251
• Upstream 16120 - Gracefully handle hostname change in metrics code in #250
• Upstream 16173 - add force flag to refspec in #249
• Upstream 16179 - Sanitize SSH key whitespace to prevent validation errors in #245
• Upstream 16230 - remove artifacts from list endpoint in #248
• Upstream 16257 - Harden log message output containing user input in #244
• Upstream 16261 - improve Reliability Rating in #247
• Upstream 16289 - Do not add optional survey fields with empty strings in #242

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Upgrade bfj (to remove jsonpath) to resolve CVE-2026-1615 in #237
• Upgrade django to resolve CVE-2026-25673 & CVE-2026-25674 in #257
• Upgrade dompurify to resolve CVE-2025-15599 in #258
• Upgrade dompurify to resolve CVE-2026-0540 in #261
• Upgrade jest to remove @tootallnate/once to resolve CVE-2026-3449 in #260
• Upgrade Markdown to resolve CVE-2025-69534 in #262
• Upgrade minimatch to resolve CVE-2026-26996 in #236
• Upgrade minimatch to resolve CVE-2026-26996, CVE-2026-27903, CVE-2026-27904 in #241
• Upgrade qs to resolve CVE-2026-2391 in #235
• Upgrade Rollup to resolve CVE-2026-27606 in #241
• Upgrade svgo to resolve CVE-2026-29074 in #259

New Contributors

• @Klaas- made their first contribution in #238
• @mcowser made their first contribution in #264

Full Changelog: 25.3.4...25.3.5

25.3.4

What's Changed

** Please take note that we utilize a new operator for this install, please ensure you update the installer to the latest git pull **

• Fix decrecation warning in project syncs in #230

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Upgrade axios to resolve CVE-2026-25639 in #232
• Upgrade brace-expansion to resolve GHSA-7h2j-956f-4vf2 in #228
• Upgrade cryptography to resolve CVE-2026-26007 in #234
• Upgrade django to resolve multiple CVEs CVE-2025-13473 CVE-2025-14550 CVE-2026-1285 CVE-2026-1207 CVE-2026-1287 CVE-2026-1312 in #229
• Upgrade jsonpath to resolve CVE-2025-61140 in #231
• Upgrade pip to resolve CVE-2026-1703 in #233

Full Changelog: 25.3.3...25.3.4

25.3.3

What's Changed

** Please take note that we utilize a new operator for this install, please ensure you update the installer to the latest git pull **

• Add contributor docs for docker in #210
• Resolve issue with intermittent access to Patternfly assets in #211
• Fix translation of Launch Title in #213 #214
• Add the pull policy to the Execution Environment Display in #220
• Migrate from coreapi to drf_spectacular in #226
• Migrate to Python 3.12 in #225 derived from Upstream #16208 #16215
• Remove requirement for Galaxy Credentials to belong to an Org in #224 derived from Upstream #16075 #16077

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Upgrade aiohttp to resolve lots of CVEs CVE-2025-69223 CVE-2025-69224 CVE-2025-69225 CVE-2025-69226 CVE-2025-69227 CVE-2025-69228 CVE-2025-69229 CVE-2025-69230 in #212
• Upgrade azure-core to resolve CVE-2026-21226 in #218
• Update filelock to resolve CVE-2026-22701 in #217
• Update lodash to resolve CVE-2025-13465 in #222
• Upgrade pyasn1 to resolve CVE-2026-23490 in #219
• Upgrade qs to resolve CVE-2025-15284 in #209
• Upgrade urllib3 to resolve CVE-2026-21441 in #215
• Upgrade urllib3 to resolve CVE-2026-21441 in #216
• Upgrade wheel to resolve CVE-2026-24049 in #223

Full Changelog: 25.3.2...25.3.3

25.3.2

What's Changed

** Please take note that we utilize a new operator for this install, please ensure you update the installer to the latest git pull **

• Migrate from Redis 7 to Valkey 9 in #200
• Migrate back to rockylinux:9-minimal now that it is being updated regularly in #199
• Resolve issue with mass deleting templates and workflows in #202
• Fix dummy data generator in #201
• Hide the SSH Password text that is displayed on every playbook run in #203
• Move prompt steps inline to resolve issues with lingui marco in #204
• Fix __pycache__ directory removal in clean target - Upstream ansible/awx#16196 in #197
• Cache dashboard query - Upstream ansible/awx#16165 in #198

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Redis 7 container's base os wasn't being updated upstream and had 4 Critical and multiple other Vulnerabilities, so we migrated to Valkey
• Upgrade sqlparse to 0.5.4 in #196
• Update filelock to resolve CVE-2025-68146 in #205

Full Changelog: 25.3.1...25.3.2

25.3.1

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Upgrade Django to 5.2.9 to resolve CVE-2025-13372 CVE-2025-64460 in #194
• Upgrade urllib3 to 2.6.0 to resolve CVE-2025-66471 CVE-2025-66418 in #195

Full Changelog: 25.3.0...25.3.1

25.3.0

What's Changed

• Upgrade to Django v5 in #187
• Fix logic in isAuthenticated in #180
• Fix f-string in log that is broken (Upstream 16132) in #179
• Remove unused additional containers (splunk, grafana, etc...) in #184
• Remove dependency on django-crum, move to native threading. in #186
• Fix using the Ascender controller as an Inventory Source in #192
• Fix some translation issues causing text not to display in #193
• Removed options to disable gradient and custom header logo in #193
• Add better Source Var defaults for some Inventory Sources in #193
• Fix a UI caching issue when selecting Role permissions in #193
• Re-added Satellite credential in #191

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Update django to resolve CVE-2025-59681 in #175
• Update django to resolve CVE-2025-64459 CVE-2025-64458 in #182
• Upgrade to pip 25.3 to resolve CVE-2025-8869 in #183
• Update glob / js-yaml to resolve CVE-2025-64756 & CVE-2025-64718 in #185
• Update node-forge to resolve CVE-2025-12816, CVE-2025-66031, CVE-2025-66030 in #190
• Update social-auth-app-django to resolve CVE-2025-61783 in #187

Full Changelog: 25.2.0...25.3.0

25.2.0

What's Changed

• Add option for enabling Ansible 2.9 Collections variable
• Fix all links to external documentation
• Fix API JavaScript expansion icon. size() is long deprecated and removed
• Fix some web-socket issues and memory leaks in asyncs
• Migrate off react-script
• Notebook 7 breaks currently implementation of Jupyter, so downgrade it
• Pin django-ansible-base as last commit breaks migrations
• Re-import docs from Upstream 24.6.1 repo
• Remove alert modal if custom login settings can't be fetched
• Swap to alpine node image for UI
• Upgrade receptor to latest version
• Upgrade to latest Node 20 LTS
• (Upstream) Fix maintain order of insertions into m2m relationship tables
• (Upstream) Setting with ANSIBLE_BASE_ prefix does not need to be added to ENV var for job execution

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Upgrade aiohttp to resolve CVE-2025-53643
• Upgrade axios to resolve CVE-2025-58754
• Upgrade django, more work was done on CVE-2025-48432
• Upgrade django again to resolve CVE-2025-57833
• Upgrade esbuild to resolve GHSA-67mh-4wv8-2f99
• Upgrade form-data to resolve CVE-2025-7783
• Upgrade on-headers to resolve CVE-2025-7339
• Upgrade kibana, etc... images to latest
• Upgrade tmp to resolve CVE-2025-54798
• Remove @cypress/instrument-cra to resolve CVE-2017-16137
• Migrate to Lingui v5 to resolve multiple CVEs
• Migrate to webpack-dev-server v5 to resolve CVE-2025-30360 CVE-2025-30359 (DEV BUILD ONLY)
• Misc Npm updates (dependencies of dependencies) to resolve multiple CVEs

Full Changelog: 25.1.0...25.2.0

25.1.0

What's Changed

• Adding toast handler to fix errors when using list approve or deny buttons
• Address first_found skip bug in Ansible 2.16
• Add Labels listing to start using Labels as pseudo-folders for Templates
• Allow Menu Header logo to be customized
• Allow Menu gradient to be disabled
• Database deadlock by awx_callback_receiver_worker and awx_dispatcher_worker
• Facts are unintentionally deleted when the inventory is modified during a job execution
• Fix issue with saving System Settings when using local overrides
• Fix 404 error when logging in
• Fix issue on notifications when viewing a notification for a webhook
• Fix notification name search
• Fix instance peering pagination
• Resolve multiple warnings during build process
• Send job_lifecycle logs to external loggers
• Update to Python 3.11

Security Fixes

• Updated python / npm dependencies to resolve multiple CVEs.

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Migrate to Lingui v4 to resolve CVE-2024-21528
• Upgrade aiohttp to resolve CVE-2024-52304
• Upgrade azure-identity to resolve CVE-2024-35255
• Upgrade brace-expansion to resolve CVE-2025-5889
• Upgrade django to resolve CVE-2025-48432, CVE-2025-32873, CVE-2024-53908
• Upgrade http-proxy-middleware to resolve CVE-2025-32996, CVE-2025-32997, CVE-2024-21536
• Upgrade jinja2 to resolve CVE-2024-56326, CVE-2024-56201
• Upgrade pip to resolve CVE-2023-5752
• Upgrade requests to resolve CVE-2024-47081
• Upgrade setuptools to resolve CVE-2025-47273, CVE-2024-6345
• Upgrade path-to-regexp to resolve CVE-2024-52798
• Upgrade nanoid to resolve CVE-2024-55565,
• Upgrade cross-spawn to resolve CVE-2024-21538,
• Upgrade express to resolve CVE-2024-47764

Full Changelog: 25.0.0...25.1.0

25.0.0

What's Changed

Notable Items

• Official support for Ascender Ledger Pro 1.0. This release is certified to work with the upcoming Ascender Ledger Pro 1.0 release.
• Fix long standing bug where systems with more than 1500 packages would fail to upload data to Ledger due to rsyslog protocol limitations.
• Support for Same Site Cookies to support secure connectivity.
• Fix multiple framework CVE's and deprecation's as documented below.
• Adding the Install UUID to all External Logging to uniquely identify Ascender servers inside of an Ascender Ledger Pro install.
• Forwarding of bearer token Authorization headers when Externally logging to Ascender Ledger Pro.

Upstream Patches

• Commits pulled from upstream minus a few minor changes as we are on an older version of python (utilize
  importlib_metadata instead of importlib.metadata)
  Upstream
  ansible/awx@e68370f
  ansible/awx@3edaaeb
• Add option for SAMESITE:
  Resolves #48
  Patch from Upstream -> ansible/awx#15100

Other

• Migrate away from pkg_resources as it's deprecated -> This resolves the pkg_resources deprecation warnings.
• Move to using an image mirror
• Replace the deprecated usage of "docker-compose" with "docker compose"
• Updates rsyslog to use the imptcp input module over the legacy socket input module. It does this to avoid Messages with too long errors (Errno 90) that occur with large packet sizes. Fixes [https://github.com//issues/51]
• Add Install UUID and URL to log data

Security Fixes

• CVE-2024-11831
• CVE-2025-26699
• CVE-2025-27516
• CVE-2025-27789
• CVE-2025-26699
• CVE-2025-27516
• CVE-2025-27152
• CVE-2024-12797
• CVE-2025-26791

Full Changelog: 24.0.4...25.0.0