Upcoming Releases
- Updated on 04 May 2026
IMPORTANT INFORMATION ABOUT THESE PRE-RELEASE NOTES
These are pre-release notes and are subject to change
Release notes are not considered final until the close of business on the date of release
This article will be updated with features, functionality, and bug fixes as our development continues
If you have any questions about these features or want to request a more in-depth discussion about the best way to leverage them, then reach out to us at productmanagement@axiad.com
May 11, 2026
Conductor HI
UCMS 4.31.0, UP 2.26.0
This release introduces globally unique smart-card identification for IDEMIA OCSv8 cards, expands Derived PIV Credential (DPC) issuance with sponsor-device certificate attributes, and lowers the minimum Virtual Smart Card (VSC) PIN length to 6 characters. It also includes several third-party dependency updates that resolve security findings, and targeted bug fixes for Mobile PKI, FIDO, and audit logging.
Features
PM-18314 – Globally Unique Card Identification (CUUID) for IDEMIA OCSv8
IDEMIA OCSv8 cards can now be identified using CUUID (a globally unique identifier per physical card) instead of the legacy CUID derived from CPLC. Because CUID is not guaranteed to be unique across cards, customers issuing IDEMIA OCSv8 at scale could occasionally encounter collisions during enrollment; CUUID eliminates this class of issue.
A new Legacy Unique Identifier (CUID) checkbox has been added to the OCSv8 Credential Profile configuration:
- For existing Credential Profiles, the checkbox is checked by default, so legacy CUID behavior is preserved.
- For new OCSv8 Credential Profiles, the checkbox is unchecked by default, so new enrollments use CUUID.
- The toggle is one-way: once a Credential Profile is saved in CUUID mode, it cannot be reverted to legacy CUID mode.
When CUUID mode is enabled, card-present interactions perform CUUID-first resolution with CUID fallback to preserve compatibility with existing inventory.
PM-17838 – Sponsor Device Certificate Attributes as Mobile PKI Inputs
Administrators can now reference sponsor device certificate attributes in certificate templates used for Mobile PKI Derived PIV Credential (DPC) issuance. Workflow and certificate-template fields (SAN and Subject DN/RDN) accept a new sponsor.<element>.<sub-element>[.<qualifier>][index] syntax that resolves at issuance time from the sponsor device’s certificate.
This unblocks Derived PIV Credential use cases that require the derived PIV Authentication SAN to include the uniformResourceIdentifier UUID encoded as a URN per RFC 4122, and reduces configuration errors across DPC workflows. Saving a workflow that contains a sponsor.* variable but has no sponsor configured is blocked with a clear validation error.
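One way to lint template fields before saving a workflow, as an added example that is not Axiad's code: it parses the sponsor.* grammar quoted above, applies the no-sponsor rule, and checks that a resolved URI value is a urn:uuid: URN per RFC 4122. The element names (san, uri, subject, cn) and the bracketed-integer form of the index are assumptions, not values from the product.

```python
import re
import uuid

# Grammar from the release note: sponsor.<element>.<sub-element>[.<qualifier>][index]
# Assumption: the index is written as a bracketed integer, e.g. [0].
TOKEN = re.compile(r"\bsponsor\.[\w.\[\]]*")
REF = re.compile(
    r"sponsor\.(?P<element>[A-Za-z]\w*)\.(?P<sub>[A-Za-z]\w*)"
    r"(?:\.(?P<qualifier>[A-Za-z]\w*))?(?:\[(?P<index>\d+)\])?"
)
URN_UUID = re.compile(
    r"urn:uuid:([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)


def lint_workflow(fields, sponsor_configured):
    """Return validation errors for the sponsor.* variables in template fields."""
    errors = []
    for name, template in fields.items():
        for token in TOKEN.findall(template):
            if REF.fullmatch(token) is None:
                errors.append(f"{name}: malformed reference {token!r}")
            elif not sponsor_configured:
                errors.append(f"{name}: {token!r} used but no sponsor is configured")
    return errors


def is_rfc4122_urn(value):
    """True if value is urn:uuid:<canonical UUID> with the RFC 4122 variant bits."""
    m = URN_UUID.fullmatch(value)
    return bool(m) and uuid.UUID(m.group(1)).variant == uuid.RFC_4122


# Constructed sample; the element names "san", "uri", "subject", "cn" are hypothetical.
SAMPLE_FIELDS = {
    "san_uri": "sponsor.san.uri[0]",
    "subject_cn": "CN=sponsor.subject.cn",
    "broken": "sponsor.san",  # missing the required <sub-element>
}

if __name__ == "__main__":
    for err in lint_workflow(SAMPLE_FIELDS, sponsor_configured=False):
        print(err)
    # Example UUID from RFC 4122 itself.
    print(is_rfc4122_urn("urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"))
```
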
PM-16556 – Virtual Smart Card 6-Character Minimum PIN
The Virtual Smart Card (VSC) Credential Profile now supports a minimum PIN length of 6 characters (previously restricted to 8), aligning VSC PIN policy with other device types and supporting Windows compatibility scenarios.
Prerequisites: Conductor OS Bridge v1.9.0 or later and Conductor Browser Extension v1.9.0 or later. Both components must be upgraded for 6-digit PIN issuance to work end-to-end. Existing Credential Profiles configured with PIN length 8 or above are unaffected. These components will be available by the time of the release.
Enhancements
PM-17945 – Always Redirect to IdP on Expired SSO Session
When a user’s SSO session expires inside the Unified Portal, UP now consistently redirects them to the configured Identity Provider for re-authentication and returns them to the screen they were on. This applies to GET, POST, PATCH, and GraphQL calls (including credential search), removing prior cases where an expired session surfaced as an error or stale state instead of a clean re-auth.
Bug Fixes
PM-17937 – Resolved an issue where Mobile PKI certificates revoked manually in the Unified Portal were not being written to the published Certificate Revocation List (CRL). Revocations triggered by device updates were correctly captured; manual revocations are now also included.
PM-17849 – Restored audit logging for Mobile PKI certificate update operations. Update actions now produce audit entries containing user ID, device information, timestamp, and operation outcome.
PM-18043 – Restored audit logging for MDM enforcement actions (Enable, Disable, and Secret Rotation), which were previously not captured in the audit trail.
PM-17674 – Resolved an issue where FIDO2 credential issuance failed with the error “The Identity Provider was unable to process the request,” preventing the credential from appearing under the user’s identities even when the underlying registration in Entra ID had completed.
PM-17594 – When a Derived PIV Credential (DPC) issuance fails at WidePoint due to workflow configuration, the failure now surfaces a clear error message in the Unified Portal and Axiad ID instead of completing silently with only a backend stack trace.
PM-17851 – Added a clear UI error message when an operator attempts to issue a Derived Credential using the same PIV card (or a new card) for a user whose mobile already has an assigned credential.
Security Fixes
PM-18471 – Addressed vulnerabilities: CVE-2026-29145, CVE-2026-34500, CVE-2026-29129, CVE-2026-24880.
PM-18084 / PM-18085 – Addressed vulnerability: CVE-2026-22733.
PM-18825 – Addressed vulnerabilities: CVE-2026-34478, CVE-2026-40973, CVE-2026-34480.
PM-18478 – Addressed vulnerabilities: CVE-2026-40477, CVE-2026-2332.
PM-18269 – Addressed vulnerability: CVE-2026-4800.
PM-18206 – Addressed vulnerability: CVE-2025-8671.
PM-18145 – Addressed vulnerability: CVE-2026-22732.
PM-18951, PM-18205, PM-18268, PM-18826 – Upgraded additional UCMS and Unified Portal dependencies to address issues identified through routine security scanning for which CVE identifiers had not yet been assigned at the time of release.
Known Limitations
PM-18472 – Credential issuance using YubiKey 4 with IdenTrust CA fails during the certificate import phase. The CSR is generated and submitted successfully, but the process fails with an error indicating the CSR/PKCS#10 is invalid and the certificate cannot be imported. YubiKey 5 and YubiKey 5.7.1 devices are not affected. (Carried over from UCMS 4.30.4.)
PM-18948 – When MDM eligibility validation blocks a Derived Credential issuance (for example, due to an invalid or missing shared secret), the backend correctly stops the issuance, but no email notification is sent and the mobile app shows only a generic error.
PM-18923 – When a user already has an active Mobile PKI / DPC device and an issuance is attempted again, the resulting error message is inconsistent between the Help Desk view and the end-user My Identities view.
PM-18645 – In some flows, the Mobile PKI issuance UI may display a success state before the QR code has actually been scanned by the device.
PM-18291 – Adding or removing a Credential Profile may return a 403 error and leave the page in a stuck “Processing” state. Refreshing the portal recovers the session.
PM-18032 – The Grace Period field in the MDM Enforcement section of the Credential Profile correctly enforces the 0–720 hour range but does not yet display a tooltip indicating the accepted minimum and maximum values.
PM-17351 – Certificates listed under a DPC device (PIV or Mobile PKI) are not sorted by default; active and revoked certificates may appear interleaved.