Anypoint Flex Gateway Release Notes

1.11.0

October 13, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.11.0.

What’s New

Envoy is now updated to version 1.35.3.
TLS 1.1 support is removed for enhanced security compliance.
Flex Gateway now provides the outbound AWS Signature policy to inject client credentials into upstream requests.

See Credential Injection API Key Policy.
Flex Gateway now provides the outbound Message Logging policy to configure message logging specifc to to upstream servers.

See Credential Injection API Key Policy.
Flex Gateway Envoy Spawn Upstream Span tracing mode is now turned on for improved observability.

See SpawnUpstreamSpan.
The Credential Injection OAuth 2.0 policy now provides additional configuration options to support a wider range of OAuth 2.0 providers.

See Credential Injection OAuth 2.0 Policy.
You can now preserve external request headers by setting the FLEX_PRESERVE_EXTERNAL_REQUEST_HEADERS environment variable to true.
An API context now includes the SLA tier Name.

See Reviewing SLA Tiers Concepts.
Flex Gateway now supports regex negative lookahead using the (?!) syntax.
Flex Gateway now restarts policies if the policy causes a panic.
The SLA ID and SLA name are now included in the Authentication context for better SLA tracking.
The Basic Authentication: LDAP Policy now provides the authorizationExpression DataWeave parameter to extract a custom authorization token.
Flex Gateway now provides the flexctl registration delete command to delete the Flex Gateway registration from Anypoint Platform to free resources. The delete command doesn’t delete the registration.yaml file.
You can now add authentication certificates to a Flex Gateway tracing configuration
RTF metering data is now exported for better resource monitoring.
Flex Gateway running in Connected Mode now supports storing contracts in shared storage for improved contract management.

Fixed Issues

Issue Resolution	ID
Vulnerabilities detected by scanners are now fixed.	W-19787132
The OpenID Connect OAuth 2.0 Token Enforcement policy configured with Microsoft Entra ID no longer causes rate-limiting errors.	W-19560760
The Schema Validation policy no longer causes errors when the OAS specification contains nullable fields.	W-19556646
The Connected Mode deployment process is now improved.	W-19861373

Issue Resolution

Vulnerabilities detected by scanners are now fixed.

W-19787132

The OpenID Connect OAuth 2.0 Token Enforcement policy configured with Microsoft Entra ID no longer causes rate-limiting errors.

W-19560760

The Schema Validation policy no longer causes errors when the OAS specification contains nullable fields.

W-19556646

The Connected Mode deployment process is now improved.

W-19861373

1.10.2

September 29, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.10.2.

What’s New

Flex Gateway now provides the Credential Injection API Key outbound policy to inject client credentials into upstream requests.

See Credential Injection API Key Policy.
For the Rate Limiting and SLA-Based Rate Limiting policies, if distributed rate limiting is enabled, the policy resizes time windows under 10 seconds linearly. For example, if you configure a max of 10 requests per 5 seconds, the policy resizes that window to a max of 20 requests per 10 seconds.

See Rate Limiting: SLA-Based Policy and Rate Limiting Policy.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
The OpenID Connect OAuth 2.0 Token Enforcement policy no longer fails the readiness check when `skip_client_id_validation` is true.	W-19304854
Flex Gateway registration calls from Docker no longer fail for Hyperforce deployments.	W-19444135
Socket files are now properly removed from the `tmp` directory for Flex Gateway Docker deployments.	W-19641321
Log lines are now split if the log message exceeds 8kb.	W-19449463
Maximum downstream connections are now limited to 40% of the `noFile` limit during startup if the limit is less than Flex Gateway’s default maximum downstream connections of 1000000.	W-19586809
The Rate Limiting and SLA-Based Rate Limiting policies no longer fail if `blockOnUnknownQuota` is `false` and the quota can’t be retrieved from shared storage.	W-19448769

The OpenID Connect OAuth 2.0 Token Enforcement policy no longer fails the readiness check when skip_client_id_validation is true.

W-19304854

Flex Gateway registration calls from Docker no longer fail for Hyperforce deployments.

W-19444135

Socket files are now properly removed from the tmp directory for Flex Gateway Docker deployments.

W-19641321

Log lines are now split if the log message exceeds 8kb.

W-19449463

Maximum downstream connections are now limited to 40% of the noFile limit during startup if the limit is less than Flex Gateway’s default maximum downstream connections of 1000000.

W-19586809

The Rate Limiting and SLA-Based Rate Limiting policies no longer fail if blockOnUnknownQuota is false and the quota can’t be retrieved from shared storage.

W-19448769

1.10.1

August 27, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.10.1.

What’s New

For all versions (1.9.0 and later), Managed Flex Gateway now supports Access Management audit logs. To identify Managed Flex Gateway log entries, the Product log property is Managed Gateway.

To learn more about audit logs, see View Managed Flex Gateway Audit Logs.
When renewing the registration of a Self-Managed Flex Gateway, the renew command now provides the -update-urls flag to update the registration URLs.

See Renew Self-Managed Flex Gateway Registration.
The Tracing policy now provides the spanName parameter to define the name of a span.

See Tracing Policy.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
The Header Injection policy now properly handles the `dw::core::Binaries::fromBase64` DataWeave expression.	W-19075478
The Message Logging policy now properly handles the `payload ++ 'value'` DataWeave expression for non plain text payloads.	W-19374796
Policies created with PDK no longer leak memory when the `HeadersHandler::headers()` method is invoked.	W-19160255

The Header Injection policy now properly handles the dw::core::Binaries::fromBase64 DataWeave expression.

W-19075478

The Message Logging policy now properly handles the payload ++ 'value' DataWeave expression for non plain text payloads.

W-19374796

Policies created with PDK no longer leak memory when the HeadersHandler::headers() method is invoked.

W-19160255

1.10.0

June 27, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.10.0.

What’s New

Flex Gateway now supports the SOAP API protocol.

See Adding a Flex Gateway API Instance.
Flex Gateway now includes SOAP specific policies:
- XML Threat Protection Policy: Protects against malicious XML in API requests.
- SOAP Schema Validation Policy: Validates incoming traffic against a specified WSDL schema.
Flex Gateway now supports distributed tracing with OpenTelemetry.

To learn more, see:
- Configuring Distributed Tracing for Managed Flex Gateway
- Configuring Flex Gateway Distributed Tracing in Local Mode
- Configuring Flex Gateway Distributed Tracing in Connected Mode
- Tracing Policy
  
  Note: To use distributed tracing after upgrading a self-managed gateway from an earlier version, you must reregister your gateway. See Renew Self-Managed Flex Gateway Registration.
The Rate Limiting: SLA-Based Policy and Rate Limiting Policy now have the Block on unknown quota parameter to block requests if the policy can’t retrieve the distributed quota from shared storage.
Flex Gateway now supports these new DataWeave functions:
- toBase64(content: Binary): String
- fromBase64(base64String: String): Binary
- toBinary(str: String, encoding: String): Binary
- toString(binary: Binary, encoding: String): String
  
  See DataWeave Support in Flex Gateway Policies.
You can now configure host header rewrite with the FLEX_REWRITE_HOST_HEADER environment variable. By default, FLEX_REWRITE_HOST_HEADER is true.
Flex Gateway no longer supports Ubuntu Focal, Debian Bullseye, and SUSE 15.
Fluent Bit is now updated to version 3.2.10.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Flex gateway log lines are no longer truncated at 8KB in Docker.	W-17297954
The OAuth 2.0 Token Introspection and OpenID Connect OAuth 2.0 Access Token Enforcement policies now parse the `Authorization` header in a case insensitive way.	W-18118890
The Schema Validation policy now correctly handles specifications with remote references with selectors.	W-18120938
Flex Gateway no longer ignores the `json_date_format` Fluent-Bit option.	W-18465012

Flex gateway log lines are no longer truncated at 8KB in Docker.

W-17297954

The OAuth 2.0 Token Introspection and OpenID Connect OAuth 2.0 Access Token Enforcement policies now parse the Authorization header in a case insensitive way.

W-18118890

The Schema Validation policy now correctly handles specifications with remote references with selectors.

W-18120938

Flex Gateway no longer ignores the json_date_format Fluent-Bit option.

W-18465012

Known Issues

Known Issue Workaround ID

Known Issue	Workaround	ID
Adding a SOAP API instance to a Flex Gateway using the external link option fails.	Download a WSDL spec for the SOAP endpoint, and then use the option to upload a WSDL file instead.	W-18900361
Security scanners may flag `CVE-2023-45853` as a critical vulnerability in the `zlib1g` library (version `1:1.2.13.dfsg-1`) when scanning Flex Gateway 1.10.0 container images.	No action is required. This is a false positive. Your Flex Gateway deployment remains secure. `CVE-2023-45853` affects the minizip component of upstream zlib, specifically the `zipOpenNewFileInZip4_64` function. However, this vulnerability does not apply to Debian-based distributions, which is what Flex Gateway uses.	None

Adding a SOAP API instance to a Flex Gateway using the external link option fails.

Download a WSDL spec for the SOAP endpoint, and then use the option to upload a WSDL file instead.

W-18900361

Security scanners may flag CVE-2023-45853 as a critical vulnerability in the zlib1g library (version 1:1.2.13.dfsg-1) when scanning Flex Gateway 1.10.0 container images.

No action is required. This is a false positive. Your Flex Gateway deployment remains secure. CVE-2023-45853 affects the minizip component of upstream zlib, specifically the zipOpenNewFileInZip4_64 function. However, this vulnerability does not apply to Debian-based distributions, which is what Flex Gateway uses.

None

1.9.6

August 26, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.6.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
OAS Schemas are now correctly present in the local configuration cache.	W-18833198
The Envoy agent now properly restarts child processes that end with a core dump or kill signal.	W-19327530
The readiness probe no longer fails when the OAuth Token Introspection policy has `skip_client_id_validation` enabled.	W-19118057
The readiness probe no longer fails when the OpenID Connect OAuth 2.0 Token Enforcement policy has `skip_client_id_validation` enabled.	W-19304854
Vulnerabilities detected by scanners are now fixed.	W-19095531, W-19308177
Flex Gateway now validates that there are no collisions when an API base path uses regex expressions.	W-19149269

OAS Schemas are now correctly present in the local configuration cache.

W-18833198

The Envoy agent now properly restarts child processes that end with a core dump or kill signal.

W-19327530

The readiness probe no longer fails when the OAuth Token Introspection policy has skip_client_id_validation enabled.

W-19118057

The readiness probe no longer fails when the OpenID Connect OAuth 2.0 Token Enforcement policy has skip_client_id_validation enabled.

W-19304854

Vulnerabilities detected by scanners are now fixed.

W-19095531, W-19308177

Flex Gateway now validates that there are no collisions when an API base path uses regex expressions.

W-19149269

1.9.5

July 2, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.5.

What’s New

Fluent Bit is now updated to version 3.2.10.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Flex Gateway no longer ignores the `json_date_format` Fluent-Bit option.	W-18465012
Vulnerabilities detected by scanners are now fixed.	W-18820570
The Credential Injection OAuth 2.0 policy no longer fails if the `expires_in` attribute is a string.	W-18779819
The Schema Validation policy now recognizes encoded query params correctly.	W-18883397

Flex Gateway no longer ignores the json_date_format Fluent-Bit option.

W-18465012

Vulnerabilities detected by scanners are now fixed.

W-18820570

The Credential Injection OAuth 2.0 policy no longer fails if the expires_in attribute is a string.

W-18779819

The Schema Validation policy now recognizes encoded query params correctly.

W-18883397

1.9.4

June 4, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.4.

Fixed Issues

Issue Resolution	ID
Deploying Flex Gateway with IPv6 disabled no longer causes an error.	W-18671361

Issue Resolution

Deploying Flex Gateway with IPv6 disabled no longer causes an error.

W-18671361

1.9.3

May 28, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.3.

What’s New

Flex Gateway now supports the Model Context Protocol (MCP) and the Agent2Agent (A2A) Protocol, enabling you to secure, manage, and govern agent interactions:

You can Publish Flex Gateway MCP and A2A Server instances.

See Publishing Flex Gateway Agent and Tool instances.
Flex Gateway now includes MCP and A2A policies. Using these new policies, you can:
- Protect agent interactions: Require that agents are invoked with appropriate authentication and authorization.
- Enhance agent requests: Modify incoming prompts with additional context to improve server agent execution.
- Provide centralized oversight: Enable frictionless agent visibility, logging, and insights for debugging and optimization.
- Secure connections: Restrict MCP endpoint access to authorized agents only.
- Simplify governance: Provide centralized visibility and control over all interactions.
Flex Gateway now includes these policies:

A2A Policies:
- A2A Schema Validation: Verify requests conform to the A2A schema.
  See A2A Schema Validation Policy.
- A2A Agent Card: Proxy the agent through Flex Gateway by rewriting the agent card.
  See A2A Agent Card Policy
- A2A PII Detector: Detect sensitive information in messages sent to and from agents.
  See A2A Personally Identifiable Information (PII) Detector Policy.
- A2A Prompt Decorator: Modify prompt behavior by injecting custom prompts into requests.
  See A2A Prompt Decorator Policy.
- Server-Sent Events (SSE) Content Logging: Log content sent by agents for audit and compliance needs.
  See SSE Logging Policy.
MCP Policies:
- MCP Schema Validation: Verify requests conform to the MCP schema.
  See MCP Schema Validation Policy.
- MCP Support: Enable MCP support and enable Server-Sent Events (SSE).
  See MCP Support Policy.
- Attribute-Based Access Control: Allows you to control access to tools, resources, and prompts, based on Cedar expressions.
  See MCP Attribute-Based Access Control Policy.

To learn more, see:

1.9.2

May 12, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.2.

Fixed Issues

Issue Resolution	ID
The Flex Gateway 1.9.1 TLS context configuration deployment regression is now fixed.	W-18483362

Issue Resolution

The Flex Gateway 1.9.1 TLS context configuration deployment regression is now fixed.

W-18483362

1.9.1

May 8, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.1.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
The `onDelete` event no longer causes a panic.	W-18368903
The Flex Gateway 1.9.0 ForwardProxy regression is now fixed.	W-18202000
The `expires_in` attribute in the OAuth credential injection policy is now correctly spelled.	W-18201673
Redis keys no longer collide if multiple Flex Gateways use the same Redis server.	W-18004157
Redeploying one API instance after updating a TLS Context now updates the context for APIs that share the TLS context.	W-17737710

The onDelete event no longer causes a panic.

W-18368903

The Flex Gateway 1.9.0 ForwardProxy regression is now fixed.

W-18202000

The expires_in attribute in the OAuth credential injection policy is now correctly spelled.

W-18201673

Redis keys no longer collide if multiple Flex Gateways use the same Redis server.

W-18004157

Redeploying one API instance after updating a TLS Context now updates the context for APIs that share the TLS context.

W-17737710

1.9.0

March 18, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.0.

What’s New

Managed Flex Gateway on CloudHub 2.0

Flex Gateway now includes Managed Flex Gateway, a fully hosted version of Flex Gateway on CloudHub 2.0. Managed Flex Gateway provides high availability, autoscaling, less operational overhead, and regular automatic patches and upgrades.

Note: To use Managed Flex Gateway, ensure the business group you want to deploy your gateway to has Managed Flex Gateway Resources.

See Deploy a Managed Flex Gateway.
Flex Gateway Version Lifecycle

MuleSoft introduces two new release channels, Edge and Long-term Support (LTS). Both release channels are available in all deployment models: Managed Flex Gateway, Self-Managed Flex Gateway Connected Mode, and Self-Managed Flex Gateway Local Mode. Edge releases will be available three times per year, and LTS releases will be available once a year.

See Flex Gateway Version Lifecycle.
Outbound Policy Support

Outbound policies are policies applied to specific upstreams. To find the new outbound policies, see Outbound Policies Directory.

To apply outbound policies with UI, see Applying Policies for Managed Flex Gateways and Connected Mode. To apply a policy to a service in Local Mode, see Secure an API with an Automated Resource-Level Policy.
Flex Local Configuration Cache

Flex Gateway running in Connected mode can now cache its gateway configuration in shared storage for faster replica initiation, reduced startup times, and accelerated autoscaling.

See Configuring Flex Gateway Configuration Caching in Connected Mode.
Flex Scalability

Flex Gateway now supports up to 1,000 APIs per gateway.
API Timeouts

Flex Gateway now provides the Stream Idle timeout, Response timeout, and Upstream Idle timeout. You can apply the timeouts to the gateway or individual APIs and upstreams as policies. To learn more, see:

Fixed Issues

Issue Resolution	ID
When deployed to a Virtual Machine (VM), a Self-Managed Flex Gateway no longer fails to restart after an abrupt stop of the VM.	W-17640917

Issue Resolution

When deployed to a Virtual Machine (VM), a Self-Managed Flex Gateway no longer fails to restart after an abrupt stop of the VM.

W-17640917

Known Issues

The Flex Gateway is unable to send logs when a forward proxy is enabled known issue was introduced in Flex Gateway 1.9.0.

For more information, see Salesforce Known Issues and set the category to Mulesoft Flex Gateway.

1.8.3

January 29, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.8.3.

What’s New

Flex Gateway now provides the FLEX_DOWNSTREAM_CONNECTION_BUFFER_LIMIT_BYTES environment variable to limit new connections read and write buffers. By default, the buffer limit is 1MB.
Flex Gateway now provides the FLEX_ENVOY_HEADERS_ENABLED environment variable to remove Envoy headers from requests. By default, the variable is set to false.
Integrated Runtime Logs in Runtime Manager

You can now access and manage Flex Gateway runtime logs directly within Runtime Manager, which streamlines diagnostics and improves operational efficiency.
Flex Gateway Security Best Practices

Flex Gateway documentation now has information about securing Flex clusters, including recommended practices for certificate management and storage.

Fixed Issues

Issue Resolution	ID
Vulnerabilities detected by scanners are now fixed.	W-17430713
The XSS vulnerability in the Schema Validation policy is now fixed.	W-17450881
Flex Gateway no longer requests client certificates when inbound mTLS isn’t enabled.	W-17424531

Issue Resolution

Vulnerabilities detected by scanners are now fixed.

W-17430713

The XSS vulnerability in the Schema Validation policy is now fixed.

W-17450881

Flex Gateway no longer requests client certificates when inbound mTLS isn’t enabled.

W-17424531

1.8.2

December 13, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.8.2.

What’s New

Envoy is now updated to version 1.29.9.
The External Authorization Policy now provides the Path prefix parameter to set a prefix to the value of the Path authorization request header.

See External Processing Policy.

Fixed Issues

Issue Resolution	ID
Vulnerabilities detected by scanners are now fixed.	W-16844648
The Message Logging policy now properly escapes double quotes.	W-16981526
Forward proxy credential configuration with special characters no longer fails.	W-17329371

Issue Resolution

Vulnerabilities detected by scanners are now fixed.

W-16844648

The Message Logging policy now properly escapes double quotes.

W-16981526

Forward proxy credential configuration with special characters no longer fails.

W-17329371

1.8.1

September 27, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.8.1.

What’s New

The External Processing policy now provides the Failure mode allow, Max message timeout, and Allow mode override parameters to further configure Flex Gateway’s communication with the external processing service.

See External Processing Policy.
The Flex Gateway documentation now provides Flex Gateway limits outlining Flex Gateway specifications for information such as max APIs per gateway, contracts per API, and request header payload size.

See Limits.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
The severity level of the `Details are not recognized as violation` message is decreased from `WARN` to `DEBUG`.	W-15844673
Vulnerabilities detected by scanners are now fixed.	W-16844648

The severity level of the Details are not recognized as violation message is decreased from WARN to DEBUG.

W-15844673

Vulnerabilities detected by scanners are now fixed.

W-16844648

1.8.0

August 14, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.8.0.

What’s New

Flex Gateway now provides a readiness probe to ensure that a Flex Replica is configured correctly and ready for incoming traffic. Use the readiness probe to enable external entities, such as load balancers, to perform gateway health checks to ensure traffic only reaches healthy gateways.

See Configuring a Readiness or Liveness Probe.
The Flex Gateway documentation now provides architecture diagrams detailing best practices for multiple-region, high availability, and disaster recovery deployments.

See Flex Gateway Multiple Region Deployments.
Flex Gateway deployments deployed in Docker containers are now distroless images. Distroless images improve security by only containing the essential runtime components to reduce potential attack surface.
The JWT Validation Policy now supports multiple JWKS servers.

See JWT Validation Policy.
The Mastering API Integration: Salesforce, Heroku, and MuleSoft Anypoint Flex Gateway blog provides details for running Flex Gateway on the Heroku platform.
Fluent Bit is now updated to version 3.0.6.
Flex Gateway no longer supports Ubuntu Bionic, Debian Buster, and RHEL 8.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Flex Gateway now enables you to remove the `Server` header via the `FLEX_REMOVE_SERVER_HEADER` environment variable.	W-13961645
Flex Gateway no longer fails to download assets from Anypoint Platform after an upgrade or downgrade.	W-15665983
Flex Gateway no longer fails to start after an upgrade on RPM-based systems.	W-16285842
The JSON Threat Protection policy no longer fails on Windows systems when the payload contains escape characters.	W-16124513

Flex Gateway now enables you to remove the Server header via the FLEX_REMOVE_SERVER_HEADER environment variable.

W-13961645

Flex Gateway no longer fails to download assets from Anypoint Platform after an upgrade or downgrade.

W-15665983

Flex Gateway no longer fails to start after an upgrade on RPM-based systems.

W-16285842

The JSON Threat Protection policy no longer fails on Windows systems when the payload contains escape characters.

W-16124513