These release notes reflect enhancements, changes, and bug fixes for Anypoint Flex Gateway.
In addition to these release notes, see:
April 22, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.12.3.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-22028896 |
| The DataWeave | W-21643871 |
| The OpenID Policy now correctly sends identity provider credentials in the header instead of the body. | W-22061343 |
| Rate Limiting policies now correctly distribute the quota between replicas when distributed rate-limiting is enabled. | W-22108203 |
March 31, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.12.2.
The OAuth 2.0 Token Introspection Policy and OpenID Connect OAuth 2.0 Token Enforcement Policy now support the OAuth 2.0 discovery flow and parameters required for MCP clients.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-21668427 |
| When making outbound requests from policies, the port is no longer included in the request authority unless the port is explicitly specified in the target URL. | W-21471214 |
March 2, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.12.1.
| Issue Resolution | ID |
|---|---|
| Managed Flex Gateway deployed on CloudHub 2.0 no longer produces UDP log errors. | W-21361063 |
February 25, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.12.0.
Managed Flex Gateway now supports Runtime Fabric deployments.
Extra Large Managed Flex Gateway is now available for production use, supporting higher throughput and more processing-intensive policies.
To learn more about the performance metrics for Extra Large Managed Flex Gateway, see Managed Flex Gateway Limits and Performance Metrics.
Flex Gateway now supports creating an MCP Bridge to expose API instances as an MCP server.
These DataWeave policies are added to modify and filter requests:
- DataWeave Body Transformation Policy: Transforms request or response body content with a DataWeave script.
- DataWeave Headers Transformation Policy: Transforms request or response headers with a DataWeave script.
- DataWeave Request Filter Policy: Filters requests by using a DataWeave script.
A Credential Injection JWT Generation policy is added to generate and inject JWT tokens into outgoing requests.
An Injection Protection policy is added to scan incoming request headers, path, query string, and body for SQL injection, XSS (Cross-Site Scripting), and custom injection attacks.
Functionality is added to configure TLS for outgoing HTTP requests from Self-Managed Flex Gateway policies.
Managed Flex Gateway and Self-Managed Flex Gateway running in Connected Mode now provide the Runtime Configuration tab in Runtime Manager to configure and edit logging, tracing, timeouts, circuit breakers, probes, and other runtime properties.
SOAP APIs now support payloads over 1MB.
Managed Flex Gateway replicas now communicate directly with each other for real-time sharing of HTTP caching and rate limiting data instead of using Object Storage V2.
Flex Gateway now supports dw::Core::-- DataWeave functions.
See -- Functions.
| Issue Resolution | ID |
|---|---|
| The SOAP Schema Validation Policy no longer intermittently bypasses validation. | W-20173820 |
| Flex Gateway no longer has a usage mismatch when using an HTTP probe. | W-20278837 |
| Flex Gateway now retries to download contracts from Anypoint Platform after failure. | W-20435629 |
| Flex Gateway no longer has temporary request failures during API specification (OAS) updates. | W-20646216 |
| JSON Threat Protection Policy no longer rejects numeric exponential notation. | W-21186984 |
| Vulnerabilities detected by scanners are now fixed. | W-21188054 |
| Flex Gateway no longer loses metric data when A2A and MCP policies are applied. | W-21016899 |
This version of the product has entered Extended Support.
April 24, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.11.7.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-22028896 |
This version of the product has entered Extended Support.
March 31, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.11.6.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-21668427 |
This version of the product has entered Extended Support.
March 5, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.11.5.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-21259850 |
| Trace configuration now supports a trusted CA. | W-21018187 |
| The JSON Threat Protection policy no longer rejects numeric exponential notation. | W-21186984 |
| Flex Gateway no longer has temporary request failures during API specification (OAS) updates. | W-20646216 |
| Flex Gateway no longer loses metric data when A2A and MCP policies are applied. | W-21016899 |
This version of the product has entered Extended Support.
January 15, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.11.4.
Envoy is now updated to version 1.35.3.
| Issue Resolution | ID |
|---|---|
| The Schema Validation policy now validates the raw URL-encoded value instead of the URL-decoded value. | W-20531156 |
| Vulnerabilities detected by scanners are now fixed. | W-20911125 |
This version of the product has entered Extended Support.
January 7, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.11.3.
The Credential Injection OAuth 2.0 policy now provides the Credential location parameter to specify where the OAuth 2.0 credentials are located in the request.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-20365927 |
| If an error occurs when the JWT Validation policy calls the JWKS server, the time between retry requests now doubles with each request. | W-19647107 |
| Flex Gateway Open Telemetry INFO level logging is now less verbose. | W-20209998 |
| Flex Gateway now correctly sends logging information to Anypoint Platform. | W-20365743 |
| When caching a Flex Gateway configuration, the deployment deletion command now functions properly. | W-20510685 |
| Flex Gateway now properly handles log lines longer than 64kb. | W-20510872 |
This version of the product has entered Extended Support.
November 13, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.11.2.
| Issue Resolution | ID |
|---|---|
| Flex Gateway running in Connected Mode now retries when requests to Anypoint Platform fail. | W-20037629 |
| Vulnerabilities detected by scanners are now fixed. | W-20125828 |
| The OpenID Connect OAuth 2.0 Token Enforcement policy no longer fails when Microsoft Entra ID is the identity provider. | W-20129783 |
This version of the product has entered Extended Support.
October 22, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.11.1.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-19971092 |
| Envoy was downgraded to 1.34.0 to fix a segmentation fault error. | W-19979621 |
This version of the product has entered Extended Support.
October 13, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.11.0.
Envoy is now updated to version 1.35.3.
TLS 1.1 support is removed for enhanced security compliance.
Flex Gateway now provides the outbound AWS Signature policy to inject client credentials into upstream requests.
Flex Gateway now provides the outbound Message Logging policy to configure message logging specific to upstream servers.
Flex Gateway Envoy Spawn Upstream Span tracing mode is now turned on for improved observability.
See SpawnUpstreamSpan.
The Credential Injection OAuth 2.0 policy now provides additional configuration options to support a wider range of OAuth 2.0 providers.
You can now preserve the X-Request-ID header by setting the FLEX_PRESERVE_EXTERNAL_REQUEST_ID environment variable to true.
An API context now includes the SLA tier name.
See Reviewing SLA Tier Concepts.
Flex Gateway now supports regex negative lookahead using the (?!) syntax.
Flex Gateway now restarts policies if the policy causes a panic.
The SLA ID and SLA name are now included in the Authentication context for better SLA tracking.
The Basic Authentication: LDAP Policy now provides the authorizationExpression DataWeave parameter to extract a custom authorization token.
Flex Gateway now provides the flexctl registration delete command to delete the Flex Gateway registration from Anypoint Platform to free resources. The delete command doesn’t delete the registration.yaml file.
You can now add authentication certificates to a Flex Gateway tracing configuration.
RTF metering data is now exported for better resource monitoring.
Flex Gateway running in Connected Mode now supports storing contracts in shared storage for improved contract management.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-19787132 |
| The OpenID Connect OAuth 2.0 Token Enforcement policy configured with Microsoft Entra ID no longer causes rate-limiting errors. | W-19560760 |
| The Schema Validation policy no longer causes errors when the OAS specification contains nullable fields. | W-19556646 |
| The Connected Mode deployment process is now improved. | W-19861373 |
April 24, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.9.12.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-22028896 |
March 31, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.9.11.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-21668427 |
March 5, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.9.10.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-21259850 |
| Trace configuration now supports setting up a trusted CA. | W-21018187 |
| The JSON Threat Protection policy no longer rejects numeric exponential notation. | W-21186984 |
| The Schema Validation policy now validates the raw URL-encoded value instead of the URL-decoded value. | W-20531156 |
| Flex Gateway no longer loses metric data when A2A and MCP policies are applied. | W-21016899 |
January 7, 2026
MuleSoft announces the release of Anypoint Flex Gateway 1.9.9.
| Issue Resolution | ID |
|---|---|
| Vulnerabilities detected by scanners are now fixed. | W-20365927 |
| If an error occurs when the JWT Validation policy calls the JWKS server, the time between retry requests now doubles with each request. | W-19647107 |
| Flex Gateway now correctly sends logging information to Anypoint Platform. | W-20365743 |
November 13, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.9.8.
| Issue Resolution | ID |
|---|---|
| Flex Gateway running in Connected Mode now retries when requests to Anypoint Platform fail. | W-20037629 |
| Vulnerabilities detected by scanners are now fixed. | W-20125828 |
October 17, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.9.7.
For the Rate Limiting and SLA-Based Rate Limiting policies, if distributed rate limiting is enabled, the policy resizes time windows under 10 seconds linearly. For example, if you configure a max of 10 requests per 5 seconds, the policy resizes that window to a max of 20 requests per 10 seconds.
| Issue Resolution | ID |
|---|---|
| Flex Gateway registration calls from Docker no longer fail for Hyperforce deployments. | W-19444135 |
| Vulnerabilities detected by scanners are now fixed. | W-19787132, W-19971092 |
| The Connected Mode deployment process is now improved. | W-19861373 |
August 26, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.9.6.
| Issue Resolution | ID |
|---|---|
| OAS Schemas are now correctly present in the local configuration cache. | W-18833198 |
| The Envoy agent now properly restarts child processes that end with a core dump or kill signal. | W-19327530 |
| The readiness probe no longer fails when the OAuth Token Introspection policy has | W-19118057 |
| The readiness probe no longer fails when the OpenID Connect OAuth 2.0 Token Enforcement policy has | W-19304854 |
| Vulnerabilities detected by scanners are now fixed. | W-19095531, W-19308177 |
| Flex Gateway now validates that there are no collisions when an API base path uses regex expressions. | W-19149269 |
July 2, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.9.5.
Fluent Bit is now updated to version 3.2.10.
| Issue Resolution | ID |
|---|---|
| Flex Gateway no longer ignores the | W-18465012 |
| Vulnerabilities detected by scanners are now fixed. | W-18820570 |
| The Credential Injection OAuth 2.0 policy no longer fails if the | W-18779819 |
| The Schema Validation policy now recognizes encoded query params correctly. | W-18883397 |
June 4, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.9.4.
| Issue Resolution | ID |
|---|---|
| Deploying Flex Gateway with IPv6 disabled no longer causes an error. | W-18671361 |
May 28, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.9.3.
Flex Gateway now supports the Model Context Protocol (MCP) and the Agent2Agent (A2A) Protocol, enabling you to secure, manage, and govern agent interactions:
- You can publish Flex Gateway MCP and A2A Server instances.
- Flex Gateway now includes MCP and A2A policies. Using these new policies, you can:
  - Protect agent interactions: Require that agents are invoked with appropriate authentication and authorization.
  - Enhance agent requests: Modify incoming prompts with additional context to improve server agent execution.
  - Provide centralized oversight: Enable frictionless agent visibility, logging, and insights for debugging and optimization.
  - Secure connections: Restrict MCP endpoint access to authorized agents only.
  - Simplify governance: Provide centralized visibility and control over all interactions.

Flex Gateway now includes these policies:
- A2A Policies:
  - A2A Schema Validation: Verify requests conform to the A2A schema. See A2A Schema Validation Policy.
  - A2A Agent Card: Proxy the agent through Flex Gateway by rewriting the agent card. See A2A Agent Card Policy.
  - A2A PII Detector: Detect sensitive information in messages sent to and from agents. See A2A Personally Identifiable Information (PII) Detector Policy.
  - A2A Prompt Decorator: Modify prompt behavior by injecting custom prompts into requests. See A2A Prompt Decorator Policy.
  - Server-Sent Events (SSE) Content Logging: Log content sent by agents for audit and compliance needs. See SSE Logging Policy.
- MCP Policies:
  - MCP Schema Validation: Verify requests conform to the MCP schema. See MCP Schema Validation Policy.
  - MCP Support: Enable MCP support and enable Server-Sent Events (SSE). See MCP Support Policy.
  - Attribute-Based Access Control: Allows you to control access to tools, resources, and prompts, based on Cedar expressions. See MCP Attribute-Based Access Control Policy.
To learn more, see:
May 12, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.9.2.
| Issue Resolution | ID |
|---|---|
| The Flex Gateway 1.9.1 TLS context configuration deployment regression is now fixed. | W-18483362 |
May 8, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.9.1.
| Issue Resolution | ID |
|---|---|
| The | W-18368903 |
| The Flex Gateway 1.9.0 ForwardProxy regression is now fixed. | W-18202000 |
| The | W-18201673 |
| Redis keys no longer collide if multiple Flex Gateways use the same Redis server. | W-18004157 |
| Redeploying one API instance after updating a TLS Context now updates the context for APIs that share the TLS context. | W-17737710 |
March 18, 2025
MuleSoft announces the release of Anypoint Flex Gateway 1.9.0.
Managed Flex Gateway on CloudHub 2.0
Flex Gateway now includes Managed Flex Gateway, a fully hosted version of Flex Gateway on CloudHub 2.0. Managed Flex Gateway provides high availability, autoscaling, less operational overhead, and regular automatic patches and upgrades.
Note: To use Managed Flex Gateway, ensure the business group you want to deploy your gateway to has Managed Flex Gateway Resources.
Flex Gateway Version Lifecycle
MuleSoft introduces two new release channels, Edge and Long-term Support (LTS). Both release channels are available in all deployment models: Managed Flex Gateway, Self-Managed Flex Gateway Connected Mode, and Self-Managed Flex Gateway Local Mode. Edge releases will be available three times per year, and LTS releases will be available once a year.
Outbound Policy Support
Outbound policies are policies applied to specific upstreams. To find the new outbound policies, see Outbound Policies Directory.
To apply outbound policies with the UI, see Applying Policies for Managed Flex Gateways and Connected Mode. To apply a policy to a service in Local Mode, see Secure an API with an Automated Resource-Level Policy.
Flex Local Configuration Cache
Flex Gateway running in Connected mode can now cache its gateway configuration in shared storage for faster replica initiation, reduced startup times, and accelerated autoscaling.
Flex Scalability
Flex Gateway now supports up to 1,000 APIs per gateway.
API Timeouts
Flex Gateway now provides the Stream Idle timeout, Response timeout, and Upstream Idle timeout. You can apply the timeouts to the gateway or individual APIs and upstreams as policies. To learn more, see:
| Issue Resolution | ID |
|---|---|
| When deployed to a Virtual Machine (VM), a Self-Managed Flex Gateway no longer fails to restart after an abrupt stop of the VM. | W-17640917 |
The known issue "Flex Gateway is unable to send logs when a forward proxy is enabled" was introduced in Flex Gateway 1.9.0.
For more information, see Salesforce Known Issues and set the category to Mulesoft Flex Gateway.