In this article
About this release
On May 13, 2026, we released version 4.2.5 of Segura® Platform. The release includes 18 changes across 6 modules.
- Release date: 2026-05-13
- Patch: segura | v4.2.5-1
For information on how to update Segura® Platform, see Update Segura®.
Release highlights
Simultaneous JIT Access
Version 4.2.5 introduces support for simultaneous Just-in-Time (JIT) access executions.
Previously, only one active JIT session per credential was allowed at a time, creating operational limitations in environments requiring concurrent privileged access.
What's new
- Multiple users can now request JIT access simultaneously using the same base credential.
- Independent ephemeral account creation per request.
- Configurable limit for concurrent sessions.
- Dedicated audit reporting for each JIT grant.
How it works

To provide flexibility for different operational scenarios, a configurable system parameter now controls the maximum number of simultaneous JIT sessions per credential.
How session limits work
- The platform administrator can define the maximum number of concurrent JIT sessions allowed for a credential.
- The limit applies only to credentials configured in Creation/deletion mode.
- Each active grant counts as an independent concurrent session.
Creation/deletion mode
- Each requester receives a unique ephemeral account.
- Sessions operate independently.
- Each access maintains:
- Individual expiration.
- Approval flow.
- Audit trail.
Customer impact
This enhancement eliminates the need to duplicate credentials for parallel operations and significantly improves operational scalability.
Organizations can now support scenarios such as:
- Incident response.
- Parallel support operations.
- Critical maintenance windows.
- Simultaneous administrative activities.
While maintaining full auditability and access isolation.
DB Proxy Expansion: SSL/TLS Support for Cloud PostgreSQL
Version 4.2.5 expands PostgreSQL DB Proxy capabilities, adding support for per-device SSL/TLS certificate configuration in Cloud database environments.
This enhancement enables compatibility with managed PostgreSQL environments hosted by providers such as:
- AWS.
- Microsoft Azure.
- Oracle Cloud Infrastructure (OCI).
What's new
- New Certificate section in device connectivity settings.
- Upload of certificate and private key per device.
- Secure and encrypted storage for certificates and private keys.
Customer impact
This enhancement expands DB Proxy compatibility with Cloud-managed PostgreSQL services, allowing organizations to adopt modern architectures without sacrificing centralized privileged access control.
Benefits include
- Support for SSL/TLS requirements enforced by Cloud providers.
- Greater compatibility with managed PostgreSQL environments.
- Better alignment with hybrid and multi-cloud architectures.
Changelog
API
Fixed
| Item | Description |
|---|---|
| SSGR-8466 | Fixed an issue in A2A that prevented the correct display of the credential ID in the application authorization view. |
| SSGR-10389 | Fixed an issue where the /api/pam/credential endpoint did not return personal credentials in search results, even when the query was performed by the same API user that created them. |
DevOps Secret Manager
Fixed
| Item | Description |
|---|---|
| SSGR-5843 | Fixed an issue where the API failed to return the environment parameter when it contained special characters. |
| SSGR-10323 | Fixed an issue where the error 500 was displayed when accessing the Secrets Management dashboard. |
Executions
Fixed
| Item | Description |
|---|---|
| SSGR-10242 | Fixed an intermittent issue in PostgreSQL credential password changes that caused random failures during the initial connection to the database. The password rotation process now completes correctly even in scenarios involving transient connection failures. |
| SSGR-10573 | Fixed an issue where a cURL template used to rotate passwords across two Segura® Platform clusters was not executed correctly, preventing both cluster passwords from being rotated. |
Framework
Changed
| Item | Description |
|---|---|
| SSGR-8502 | Improved the flexibility in controlling MFA policies, so that administrators can manage the Authenticator Apps (TOTP) method as a configurable provider on the Settings > MFA > Providers screen. Administrators can now enable or disable the method to centralize policy enforcement, with protection mechanisms that prevent system lockup. See the documentation: - How to manage a multi-factor authentication (MFA) provider. - How to register authenticator applications for multi-factor authentication. - MFA providers. |
Fixed
| Item | Description |
|---|---|
| SSGR-9911 | Fixed an issue in the web interface authentication flow where configuring an invalid value in the minutes to expire session field under Settings > Security policies and network > Authentication security > User accounts maintenance caused login failures with an HTTP 500 response. |
| SSGR-10563 | Fixed an issue where the Segura® Platform task executor would stop processing asynchronous tasks, leaving them pending and requiring manual restart of the service to resume the operation. |
PAM Core
Added
| Item | Description |
|---|---|
| SSGR-9857 | Added a new Certificate section under the Connectivities tab on the Add/Edit Device screen, allowing administrators to upload a certificate and private key to enable TLS/SSL authentication for DB Proxy connections to PostgreSQL databases. |
Changed
| Item | Description |
|---|---|
| SSGR-9891 | Added support for simultaneous JIT access for the same credential in the Credential creation and deletion mode. With this enhancement, multiple users can use the same base credential in parallel, each receiving their own independent ephemeral account, with session isolation, individual auditing, and a separate expiration time per user. See the documentation: How to provision JIT local Windows accounts with Kerberos via Ansible. |
Fixed
| Item | Description |
|---|---|
| SSGR-10049 | Fixed an issue in the PAM Core > Dashboards > Threat radar screen where clicking on an open session would not correctly display the livestream, showing squares in the upper-left corner. |
| SSGR-10211 | Fixed an issue where access policies reprocessing was not executed correctly after the first run. |
| SSGR-10276 | Fixed an issue in VNC sessions that affected rendering and interaction with the remote device. |
| SSGR-10562 | Fixed an issue where, for invalid credentials, rotation requests generated two executions with the same ID (one marked as successful and the other as an error), resulting in a false positive success in logs. |
| SSGR-8260 | Corrected the translation for the import log message on the PAM Core > Devices > Batch import > Batch import details screen when importing a spreadsheet with an empty field. Now, the message is displayed according to the language selected by the user. |
Proxy
Fixed
| Item | Description |
|---|---|
| SSGR-10382 | Fixed a compatibility issue in the Proxy on SaaS Multitenant environments that prevented SSH connections to devices requiring legacy key exchange algorithms, ensuring that connections are established correctly through Web Proxy and Terminal Proxy. |
| SSGR-10430 | Fixed an issue where sessions could take longer than expected to start. |