BeyondInsight and Password Safe 25.1.1.389 (On-Premises only)
5 days ago
Important informationThis update is for On-Premises customers only. Fixes have been automatically applied to all 25.1 Password Safe Cloud deployments.
February 19, 2026
For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported Platforms.
🆕 New features
This is a maintenance release. There are no new features.
✨ Enhancements
This is a maintenance release. There are no new enhancements.
🛠️ Issues resolved
| Product Area | Description | Resolution |
|---|---|---|
| Endpoint Privilege Management | When an EPM agent checks-in, the IP Address for the corresponding Managed System may get reset to 127.0.0.1 | If the EPM agent provides a loopback/127.0.0.1 IP Address, it is ignored by Password Safe. |
| Workforce Passwords Browser Extension | Updating a credential via the browser extension reports successful, however the credential is not updated. | Updates to credentials made from the browser extension are saved properly. |
| Workforce Passwords Browser Extension | Users with MFA configured cannot sign in to the Workforce Passwords Browser Extension. | The Workforce Passwords Browser extension now properly handles logins from users with MFA configured. |
| Public API | Attempting to retrieve a large number of secrets via the GET Secrets-Safe/Secrets API can fail with a timeout. | Increased the default client timeout. |
| Public API | When creating a new Active Directory user via the POST Users AP, the Disable forms login for new directory accounts configuration setting is ignored. | When creating new Active Directory users, the Disable forms login setting is properly applied. |
| API | When you use the Invoke-Restmethod Windows PowerShell cmdlet to modify the permissions on a safe, performing a GET after a PUT results in a protocol violation error. | Corrected API response to align with proper RESTful conventions, which eliminates the protocol violation error in looped GET operations. |
| API | The GET Secrets endpoint defaulted the decrypt parameter to true, when it should default to false, and setting it to false would return a null owner email. | The GET Secrets endpoint now correctly defaults the decrypt parameter to false and returns the owner email in all cases when it’s available. |
| API | When you add an Active Directory user via the API and the Disable forms login where the new directory accounts checkbox is selected, the user setting is not disabled. | The Disable forms login for new directory accounts checkbox works as expected for new Active Directory users created from the API. |
| API | Field length validation discrepancy between POST and PUT public APIs for Text secrets, the PUT endpoint enforced a lower character limit than the POST. | The PUT endpoint has been updated to allow a Text secret with a value of up to 4096 characters, to align with the limit on the POST endpoint. |
| SCIM API | Users created with SCIM API do not adhere to local account TOTP setting defaults. | Updated the SCIM API to adhere to local account TOTP setting defaults. |
| SCIM API | When making a call to retrieve PrivilegedData from the SCIM API, the returned values have the properties defined as Name, Description, and Type. As per the schema, these properties should be all lower case. | The JSON properties are now all in lower case. |
| SCIM API | SCIM PrivilegedData endpoint returned values have capitalized properties instead of lowercase. | Corrected the SCIM API so that calls to the PrivilegedData endpoint returns the properties in all lower case. |
| SAML | SAML login ignores the Enable Group Resync configuration option when user mapping is set to Local and always resyncs the local groups. | Groups are no longer resynced if the Enable Group Resync option is disabled. |
| SAML | When using a SAML configuration that uses Active Directory as the mapping type, if an Active Directory user gets created during a SAML login, that user is missing several user attributes. This includes the domain, email and first/last name, and can cause issues with mapping or attempting to remove the user. | All attribute data is now populated during SAML login. |
| SAML | User permissions may not be properly validated in some Microsoft Entra ID (Azure AD) SAML authentication scenarios. | Improved SAML session handling for Microsoft Entra ID (Azure AD) integrations to ensure user permissions are correctly enforced. |
| Smart Rules | AWS Connector Instance type retrieval and caching is exhibiting problems paging results, resulting in an infinite loop and, eventually, memory exhaustion, and, attempting to save a Smart Rule when the instance types < 1000 results in an error and the Smart Rule does not save. | The AWS Connector Instance type retrieval has been corrected to ensure appropriate execution and use of memory, and when there are more than 1000 instance types, Smart Rule now saves without an error. |
| Smart Rules | Google Cloud Platform (GCP) onboarding Smart Rule has a limit of 100 users. | Added support for onboarding more than 100 users using a Managed Account Smart Rule with a Google Cloud Identity Query filter. |
| Smart Rules | In some cases, high system usage is observed during processing of an asset onboarding Smart Rule. | Improved the underlying query performance that contributes to the processing of an asset onboarding Smart Rule. |
| Smart Groups | Using the Workgroup filter and creating a new Quick Rule may not include all items expected. | Corrected the selection process to ensure that all expected items are included. |
| Reporting | In some environments, the Inactive Managed Accounts report times out. | Excluded irrelevant records from the result set, resulting in much faster query execution time and improved report performance. |
| Reporting | The Active Users report only returns records with users that have been active within the last few months. The value in the parameter Used In X Days is not respected. | The Used In X Days report parameter is properly applied. |
| Reporting | When the Password Safe Password And Session Activity report is exported as a CSV, some cells may incorrectly contain line breaks, which causes a row to be split into two incomplete rows. | Line breaks from the Reason field are automatically removed. |
| Event Forwarding | When using a connector that uses the syslog format, the event severity in the priority field is the inverse of what’s expected for syslog events. | Syslog events are now sent with the correct severity. |
| Event Forwarding | Syslog event forwarder no longer sending application audit events. | Corrected the underlying event selection logic to ensure that all application events continue to be forwarded. |
| Mobile App | Secrets are not being properly returned to the mobile app from Secrets Safe personal folders when the user is a member of the Administrators group. | Users who are members of the Administrators group can now access secrets found in their personal folders. |
| Mobile App | An authentication error occurs when attempting to login via the Mobile App using an Active Directory or LDAP user account. | Active Directory and LDAP users can now successfully login via the Mobile App. |
| Sessions | RDP sessions using multiple monitors may encounter an error during session initialization. | RDP sessions with multiple monitors now function as expected. |
| Sessions | Poor performance with large scale datasets in the Completed Sessions Grid. | Made meaningful improvements in the data retrieval to improve performance and reduce grid loading time. |
| Directory Credentials | When using a directory credential with a username formatted as a UPN, directory queries using this credential do not work as expected. | Directory credentials with UPN usernames are now properly handled. |
| Propagation Actions | When trying to run a script propagation action on a managed system that uses a custom port, the propagation action fails. | The port setting on the managed system is now properly handled during propagation actions. |
| Functional Accounts | Local functional accounts on managed systems that have a DNS Name containing a period (.) are not properly tested via the Password Test Agent. | Local functional accounts are now tested properly. |
| Upgrade | In some scenarios, the upgrade to 25.1.0 could fail during the database upgrade if an asset is associated with invalid IP Address data. | The invalid IP Address data is adjusted to the latest data or reset if none exists. |
| Upgrade | Certain data points in existing environments (duplicate entries in Event Table Monitor, smart rules or smart rule criteria or actions with Xen or Risk in the names) could potentially cause a problem with the database upgrade process. | Made the database upgrade process more robust by adding additional safeguards around steps that remove or deactivate deprecated functionality. |
| SSH | SSH connection fails when using a DSS key for the login account | SSH connections now succeed when using a DSS key for the login account. |
| Activation Keys | In some rare cases, the Activation Keys page fails to load. | Improved the hostname resolution reliability to prevent this failure scenario from occurring. |
| BeyondInsight Configuration Utility | Several services were not started on the appliance after clicking Apply or after clicking Start Services in the BeyondInsight Configuration Utility. | The utility was updated to include those service starts in the Apply and Start Services actions. |
| Omni Worker | A large backlog in the Event Forwarding queue can cause the service to stall. | The event forwarding logic has been updated to avoid the stall condition even when the backlog is very large. |
📝 Requirements
- Direct upgrades to 25.1.1 are supported from BeyondInsight versions 23.1 or later releases.
- BeyondInsight 25.1.1 supports SQL Server 2016 SP2 or higher.
🗒️ Notes
- This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
- The MD5 signature is: 311d75ac58a9c8d2c75f9197c5000d48
- The SHA-1 signature is: 89dc7fa93be56719a6ad547d6bd51e55ba5eac59
- The SHA-256 signature is: 0f66439537ab9b3a4355e85c32426a24a2e7bcfcb88d8c66a8e71158b5fae45d
