Upcoming Releases

IMPORTANT INFORMATION ABOUT THESE PRE-RELEASE NOTES

• These are pre-release notes and are subject to change

• Release notes are not considered final until the close of business on the date of release

• This article will be updated with features, functionality, and bug fixes as our development continues

• If you have any questions about these features or want to request a more in-depth discussion about the best way to leverage them, then reach out to us at productmanagement@axiad.com

May 2026

The availability date for the Browser Extension depends on the browser vendor review process, once the browser extension is available it will be moved to the release section. The release date for other components will be posted as soon as it is defined.

Conductor HI

UCMS 4.31.2, UP 2.26.1

This release introduces globally unique smart-card identification for IDEMIA OCSv8 cards, expands Derived PIV Credential (DPC) issuance with sponsor-device certificate attributes, and lowers the minimum Virtual Smart Card (VSC) PIN length to 6 characters. It also adds an administrator-selectable master key for VSC offline PUK generation, extends AWS CloudHSM v5 support with configurable connection modes, and ships several third-party dependency updates that resolve security findings, alongside targeted bug fixes for Mobile PKI, FIDO, audit logging, DPC workflows, and EJBCA configuration.

Features

PM-18314 – Globally Unique Card Identification (CUUID) for IDEMIA OCSv8

IDEMIA OCSv8 cards can now be identified using CUUID (a globally unique identifier per physical card) instead of the legacy CUID derived from CPLC. Because CUID is not guaranteed to be unique across cards, customers issuing IDEMIA OCSv8 at scale could occasionally encounter collisions during enrollment; CUUID eliminates this class of issue.

A new Legacy Unique Identifier (CUID) checkbox has been added to the OCSv8 Credential Profile configuration:

• For existing Credential Profiles, the checkbox is checked by default — legacy CUID behavior is preserved with no change in behavior.

• For new OCSv8 Credential Profiles, the checkbox is unchecked by default — new enrollments use CUUID.

• The toggle is one-way: once a Credential Profile is saved in CUUID mode, it cannot be reverted to legacy CUID mode.

When CUUID mode is enabled, card-present interactions perform CUUID-first resolution with CUID fallback to preserve compatibility with existing inventory.

PM-17838 – Sponsor Device Certificate Attributes as Mobile PKI Inputs

Administrators can now reference sponsor device certificate attributes in certificate templates used for Mobile PKI Derived PIV Credential (DPC) issuance. Workflow and certificate-template fields (SAN and Subject DN/RDN) accept a new sponsor.<element>.<sub-element>[.<qualifier>][index] syntax that resolves at issuance time from the sponsor device’s certificate.

This unblocks Derived PIV Credential use cases that require the derived PIV Authentication SAN to include the uniformResourceIdentifier UUID encoded as a URN per RFC 4122, and reduces configuration errors across DPC workflows. Saving a workflow that contains a sponsor.* variable but has no sponsor configured is blocked with a clear validation error.

PM-16556 – Virtual Smart Card 6-Character Minimum PIN

The Virtual Smart Card (VSC) Credential Profile now supports a minimum PIN length of 6 characters (previously restricted to 8), aligning VSC PIN policy with other device types and supporting Windows compatibility scenarios.

Prerequisites: Conductor OS Bridge v1.9.0 or later and Conductor Browser Extension v1.9.0 or later. Both components must be upgraded for 6-digit PIN issuance to work end-to-end. Existing Credential Profiles configured with PIN length 8 or above are unaffected. These components will be available by the time of the release.

Enhancements

PM-17945 – Always Redirect to IdP on Expired SSO Session

When a user’s SSO session expires inside the Unified Portal, UP now consistently redirects them to the configured Identity Provider for re-authentication and returns them to the screen they were on. This applies to GET, POST, PATCH, and GraphQL calls (including credential search), removing prior cases where an expired session surfaced as an error or stale state instead of a clean re-auth.

PM-19136 – Configurable master key for Virtual Smart Card offline PUK generation NEW IN UCMS 4.31.2

The Virtual Smart Card (VSC) Credential Profile now exposes a new Offline unlock key option that controls which master customer-admin key is used to generate the PUK for the offline unlock challenge/response flow. Previously, when both a TDES master key label and an AES master key label were configured on the Credential Profile, the offline unlock always defaulted to AES, which did not match every customer's key-management policy.

The new option is only presented and applied when both a TDES master customer-admin key and an AES master customer-admin key are configured on the Credential Profile. It accepts two values:

• AES (default) — preserves the existing offline-unlock behavior.

• TDES — uses the TDES-derived customer-admin key to generate the PUK.

Credential Profiles configured with only one master key are unaffected, and existing Credential Profiles continue to behave as before until the new option is set.

PM-19162 – AWS CloudHSM v5 client supports explicit or implicit connection modes NEW IN UCMS 4.31.2

UCMS configuration for AWS CloudHSM (client v5) now supports both explicit and implicit connection modes, selectable through configuration. Axiad will adjust this setting to run in the most optimized way for each customer.

Bug Fixes

PM-17937 – Resolved an issue where Mobile PKI certificates revoked manually in the Unified Portal were not being written to the published Certificate Revocation List (CRL). Revocations triggered by device updates were correctly captured; manual revocations are now also included.

PM-17849 – Restored audit logging for Mobile PKI certificate update operations. Update actions now produce audit entries containing user ID, device information, timestamp, and operation outcome.

PM-18043 – Restored audit logging for MDM enforcement actions (Enable, Disable, and Secret Rotation), which were previously not captured in the audit trail.

PM-17674 – Resolved an issue where FIDO2 credential issuance failed with the error “The Identity Provider was unable to process the request,” preventing the credential from appearing under the user’s identities even when the underlying registration in Entra ID had completed.

PM-17594 – When a Derived PIV Credential (DPC) issuance failed at WidePoint due to workflow configuration, the failure now surfaces a clear error message in the Unified Portal and Axiad ID instead of completing silently with only a backend stack trace.

PM-17851 – Added a clear UI error message when an operator attempts to issue a Derived Credential using the same PIV card (or a new card) for a user whose mobile already has an assigned credential.

PM-19029 – NEW IN 4.31.2 Resolved an issue where UPN and other otherName SAN attributes read from a sponsor device's PIV certificate could not be used for evaluation or matching in a Derived PIV Credential workflow. Workflow expressions of the form sponsor.auth.san.(<OID>) now resolve correctly during issuance.

PM-19109 – NEW IN 4.31.2 Resolved an issue where the Authority ID value was not preserved when editing an EJBCA Credential Server configuration, and could appear pre-populated when creating a new EJBCA Credential Server. The Authority ID now persists exactly as entered and is empty by default for new configurations.

PM-19017 – NEW IN UP 2.26.1 Restored the Get prepared screen prompt during Derived PIV Credential enrollment and update, which now correctly indicates that a PIV card must be inserted and available before the user can continue. This addresses a regression introduced in UCMS 4.31.

Security Fixes

PM-18471 – Addressed vulnerabilities: CVE-2026-29145, CVE-2026-34500, CVE-2026-29129, CVE-2026-24880.

PM-18084 / PM-18085 – Addressed vulnerability: CVE-2026-22733.

PM-18825 – Addressed vulnerabilities: CVE-2026-34478, CVE-2026-40973, CVE-2026-34480.

PM-18478 – Addressed vulnerabilities: CVE-2026-40477, CVE-2026-2332.

PM-18269 – Addressed vulnerability: CVE-2026-4800.

PM-18206 – Addressed vulnerability: CVE-2025-8671.

PM-18145 – Addressed vulnerability: CVE-2026-22732.

PM-18826 – Addressed vulnerability: CVE-2026-34477.

PM-19159 – NEW IN UCMS 4.31.2 / UP 2.26.1 Addressed vulnerability: CVE-2026-41284.

PM-18951, PM-18205, PM-18268 – Upgraded additional UCMS and Unified Portal dependencies to address issues identified through routine security scanning for which CVE identifiers had not yet been assigned at the time of release.

Known Limitations

PM-18472 – Credential issuance using YubiKey 4 with IdenTrust CA fails during the certificate import phase. The CSR is generated and submitted successfully, but the process fails with an error indicating the CSR/PKCS#10 is invalid and the certificate cannot be imported. YubiKey 5 and YubiKey 5.7.1 devices are not affected. (Carried over from UCMS 4.30.4.)

PM-18948 – When MDM eligibility validation blocks a Derived Credential issuance (for example, due to an invalid or missing shared secret), the backend correctly stops the issuance, but no email notification is sent and the mobile app shows only a generic error.

PM-18923 – When a user already has an active Mobile PKI / DPC device and an issuance is attempted again, the resulting error message is inconsistent between the Help Desk view and the end-user My Identities view.

PM-18645 – In some flows, the Mobile PKI issuance UI may display a success state before the QR code has actually been scanned by the device.

PM-18291 – Adding or removing a Credential Profile may return a 403 error and leave the page in a stuck “Processing” state. Refreshing the portal recovers the session.

PM-18032 – The Grace Period field in the MDM Enforcement section of the Credential Profile correctly enforces the 0–720 hour range but does not yet display a tooltip indicating the accepted minimum and maximum values.

PM-17351 – Certificates listed under a DPC device (PIV or Mobile PKI) are not sorted by default; active and revoked certificates may appear interleaved.

OS Bridge 1.9.0 for Windows

Prerequisites

• Axiad Conductor UCMS 4.31 or later (for Virtual Smart Card minimum PIN length below 8 characters)

• The Microsoft Visual C++ Redistributable is no longer a prerequisite — it is now bundled with the OS Bridge installer (see Enhancements)

Enhancements

PM-17518 – Microsoft Visual C++ Redistributable now bundled with the OS Bridge installer. The Axiad Virtual Smart Card service depends on the Microsoft Visual C++ runtime libraries. These libraries are now installed automatically alongside the OS Bridge service, so customers no longer need to install the Visual C++ Redistributable separately on the endpoint. The installer runs cleanly on a Windows machine that does not have the runtime pre-installed.

PM-16556 / PM-16557 – Support for Virtual Smart Card minimum PIN lengths of 6 or 7 characters. OS Bridge for Windows now supports the issuance of Virtual Smart Cards with a minimum PIN length below the previous 8-character floor, enabling administrators to align Virtual Smart Card PIN policy with other token types. The minimum PIN length is configured in the Credential Profile in Conductor (UCMS 4.32 or later); existing profiles and already-issued credentials retain their current PIN policy.

Bug Fixes

None reported in this release.

OS Bridge 1.9.0 for macOS

Prerequisites

• Axiad Conductor UCMS 4.31 or later (for Virtual Smart Card minimum PIN length below 8 characters)

Enhancements

PM-16556 / PM-16557 – Support for Virtual Smart Card minimum PIN lengths of 6 or 7 characters. Aligned with the Windows OS Bridge, the macOS OS Bridge now supports Virtual Smart Card profiles configured for PINs as short as 6 characters in Conductor (UCMS 4.31 or later).

Bug Fixes

None reported in this release.

Conductor Browser Extension 1.9.0

Prerequisites

• Axiad Conductor UCMS 4.31 or later (for Virtual Smart Card minimum PIN length below 8 characters)

• Axiad Conductor OS Bridge 1.9.0 or later (for Virtual Smart Card minimum PIN length below 8 characters)

Enhancements

PM-16556 / PM-16557 – Support for Virtual Smart Card minimum PIN lengths of 6 or 7 characters. Aligned with the Windows OS Bridge, the macOS OS Bridge now supports Virtual Smart Card profiles configured for PINs as short as 6 characters in Conductor (UCMS 4.31 or later).