What's New With the SimpleRisk 20260519-001 Release

by Dorian Arthur (Director of Customer Success)


The SimpleRisk 20260519-001 release is a major update focused on three things customers asked for most: a cleaner navigation and reporting experience, an Assessments workflow that behaves predictably under real-world conditions, and a deep round of security hardening. It also formally deprecates the v1 API, simplifies the install-to-upgrade path, and brings Incident Management reporting into the same hub experience the rest of the product now uses.



Key Highlights

A Redesigned Reports and Settings Experience

The legacy 32-entry Reports sidebar dropdown has been replaced by a tile-catalog Reports Hub that organizes reports and dashboards by domain. A Cards/List toggle, default favorites, and a refreshed top-menu chrome round out the navigation update. Alongside it, a new Settings Hub gives administrators a state-aware Extras category showing at a glance which Extras are installed, enabled, or available — all without hunting through configuration screens. Incident Management's separate Reporting menu has been folded into the unified Reports and Dashboards Hub for consistency across the product.

Assessments You Can Rely On

Scheduled assessment behavior received a thorough overhaul. Resends no longer multiply by contact count, recurring "not completed" reminders now fire at the configured cadence instead of just once, scheduled jobs no longer permanently skip rows when a cron run is missed, and accidental same-day re-runs no longer trigger duplicate sends. The Assessments Extra also activates roughly fourteen times faster on new installs. Approval flows for in-progress assessments are working again, and API endpoints within the Assessments Extra are now gated with granular per-feature permissions instead of a broad admin gate.

A More Reliable Install and Upgrade Path

The installer now generates config.php from a template instead of requiring manual editing, removing one of the most common onboarding friction points. Several upgrade rough edges have been smoothed out, including a fatal error on large-database backups, missing flags on some environments, and a deprecation warning when upgrading from older versions without the user_mfa table. The Windows-specific installer path has been retired; the codebase now uses a single tar-based archive format on all supported platforms.

API v1 Deprecation

API v1 is now formally deprecated. It remains accessible behind an admin toggle; new installs default to v2-only. The v2 API now auto-generates a Postman collection from its OpenAPI annotations on every push to testing and master, keeping the published integration surface in lockstep with what ships. The questionnaire-create API also now returns the contact id and accepts a send_now flag to simplify programmatic onboarding flows.


Security & Authentication

This release resolves eight separately disclosed security findings spanning input validation, output encoding, authorization, and redirect handling:

  • Hardened input validation on dynamic risk report filtering
  • Hardened output encoding in the risk connectivity visualizer
  • Tightened permission enforcement on risk scoring updates
  • Corrected permission enforcement on the close-risk API
  • Corrected permission enforcement on project detail and edit APIs
  • Hardened redirect handling in the compliance download flow
  • Hardened authorization on validation-file downloads
  • Enforced report-level access checks on the Favorites API for add, delete, and list operations

The SAML authentication Extra also received an independent hardening pass covering secret-salt generation, certificate regeneration, metadata caching, and clean teardown on deactivation.


New Functionality

  • Added the Test Date column to the Compliance > Active Audits page
  • Added a user permission that is required to delete active audits
  • Added the ability to designate individuals who are always notified for any Action or Scheduled notification
  • Added more detailed reasons to authentication-failure log entries to help administrators diagnose login problems
  • Added a Cross-Domain subsection to Reporting permissions and audited existing permissions for completeness
  • Added the approval date to the Document Program table so users can see when documents were last approved without opening each entry
  • Refreshed the Upgrade Extra with several improvements to the in-product upgrade flow

Bug Fixes & Stability Improvements

  • Fixed an issue where an incident could be related to itself
  • Fixed datatable sorting on the Incidents > Response and Lessons Learned pages
  • Fixed an issue where adding a note to an open incident redirected to the Closed tab instead of remaining on the current page
  • Fixed the Cancel button not closing the edit view when editing a Review
  • Fixed the page not refreshing after saving updates to an incident's details
  • Fixed scheduled assessment resends permanently skipping rows when a cron run was missed
  • Fixed scheduled assessment resends multiplying sends by the number of configured contacts
  • Fixed assessment "not completed" reminders firing only once instead of on the configured cadence
  • Fixed scheduled assessments being resent multiple times in a single day when a cron job was retried
  • Fixed the Notification Extra not triggering on risk mitigation acceptance when "Notify on Mitigation Update" was enabled
  • Fixed the configured currency symbol not being respected in reports throughout SimpleRisk
  • Fixed the sidebar not updating immediately after activating or deactivating the Vulnerability Management Extra
  • Fixed orphaned permission-to-user rows being left behind when a permission is deleted
  • Fixed admin-user direct permissions being wiped when activating a paid Extra
  • Fixed the Reports Hub and Settings Hub failing to load when SimpleRisk is installed under a subpath
  • Fixed users being unable to approve assessments that are pending review or approval
  • Resolved PHP deprecation warnings on upgrades from older versions

Other Enhancements

  • The Cancel button in the Column Selections dialog no longer incorrectly selects all options
  • Hub tiles now show a pointer cursor on hover
  • Incident Management logs are now removed when the Incident Management Extra is deactivated
  • Session cleanup now reliably matches the correct user when a user is removed or suspended
  • SCF Extra: fixed deactivation crashes, column rename handling, catalog threshold logic, and the upgrade path for SCF 2026.1.x
  • The documents table was migrated from comma-separated varchar(500) columns to proper mapping tables for controls, frameworks, additional stakeholders, and teams

Installation & Upgrade Instructions

This release is delivered through the standard SimpleRisk upgrade flow. As always, we recommend backing up your database before applying any release in a production environment.

SAML users: Customers running the SAML authentication Extra in production should plan a smoke test after upgrading, given the hardening changes to that Extra.

API integrators: v1 remains available behind an admin setting. There is no forced cutover in this release — customers can migrate to v2 at their own pace.

If you run into any issues during the upgrade, please reach out to our Support team.
