Carpathian Platform Update: 2026.4.0.1 (patches & bug fixes).
Security Requirements
Sensitive actions across the dashboard now require Two-Factor Authentication to be enabled on your account. If you attempt to rotate, revoke, or delete an API key, manage networking rules, or toggle SSH gateway access without 2FA enabled, a prompt will appear directing you to your security settings.
API key management actions (rotate, revoke, unlock, delete) are now restricted to users with the api_keys:manage permission. Users without this permission will no longer see these buttons.
SSH Access
When the gateway detects suspicious activity, the offending API key is now correctly disabled immediately.
When an API key is locked due to suspicious activity, the Networking routing page now displays the affected SSH rule as blocked with a "Key Locked" warning and a link to the key's detail page.
The API key detail page (Security tab) now shows a summary of denied requests in the last 24 hours, including the type of request, source IP, and timestamp.
Deployments
Deployments triggered from GitHub Actions that are blocked by your organization's firewall now appear as failed entries in your deployment history instead of silently returning a 403. Each blocked deployment includes the reason it was rejected and the source IP address, so you can see exactly what happened.
A new "Blocked Connections" section is now visible on the server Deployments tab whenever an IP has been rejected. Each blocked IP includes a one-click "Allow IP" button that adds a firewall rule for that address, making it easy to allowlist CI/CD runner IPs without leaving the page.
The firewall page now labels the API scope as "Deployments & API" to make it clear that deployment triggers from GitHub Actions are subject to the same firewall rules as other API calls.
Login & 2FA Auth
Fixed an issue where Two-Factor Authentication codes were failing with "expired" errors during login, even when entered within the valid time window. This affected all users with 2FA enabled across both authenticator app and email methods.
Disabling all 2FA methods no longer leaves a stale recovery code behind. Recovery codes are now properly invalidated when 2FA is fully turned off and regenerated when 2FA is enabled.
Added rate limiting to five 2FA endpoints that were previously unprotected, reducing exposure to brute-force attempts on setup, reset, and disable flows.
