CFEngine 3.26 released - Admin

May 20, 2025

Today, we are pleased to announce the release of CFEngine 3.26.0! Being a non-LTS (not supported) release, this release allows users to test the new functionality we’ve been working on before it arrives in an LTS release later this year. The codename for this release is a bit different, as it is named after a new feature introduced, and what it eliminates - the admin user.

What’s new

In recent releases, we’ve made important security improvements like stricter password policies, 2FA support, audit logs, and more. We’re continuing down this track of improving the overall account and login security of CFEngine Enterprise by eliminating the default admin user and introducing a much more secure first time setup feature.

Mission Portal first time setup

When you set up a CFEngine hub for the first time, you’ll now see some new screens to securely set up the initial administrator user.

Screenshot of first time setup screen prompting the user to enter a setup code

You’ll need the setup code printed by the installer to set up for the first time. If you don’t see the output / code, or it expires, you can use the cf-hub program to generate a new one:

command
cf-hub --new-setup-code

After entering the correct setup code, you’ll create the first admin account:

Screenshot of the second screen prompting the user to enter a username, password, and email address for the admin account.

Both username and password of the administrative user can be customized and there will no longer be an initial admin user with a default password. This provides much better secure defaults and makes it significantly less likely that attackers can get control of admin accounts in certain scenarios:

  • They can no longer assume there is an account named admin.
  • There is no longer a (short) time window during setup where you can compromise a hub with default credentials if it’s exposed on the network.
  • It’s no longer possible to “forget” or otherwise leave Mission Portal in a bad and insecure state (misconfiguration).

In the future, we will expand on this, so upgrading users are also able to get rid of the default admin user.

New functions in policy language

We’re adding more utility functions to make policy language easier to use. Here are the 6 new ones added in 3.26.0:

Each of these was added based on feedback from users, to make the lives of policy writers better. If you have a suggestion for a new policy function, feel free to create an idea in GitHub Discussion, or a ticket in our bug tracker.

Analyze your current policy set and get help with upgrading

We’re making several improvements to our command line tools for installing CFEngine remotely (cf-remote) and managing CFEngine policy (cfbs). One big new feature is the ability to analyze your current policy set, using cfbs analyze:

command
cfbs analyze
output
Policy set path: .

Reference version: 3.21.5

Files missing from the version:
└── controls/cf_monitord.cf
Files from the version but with modifications:
└── promises.cf
No files are from a different version.
Files not from any version (with both custom content and path):
└── services/my_policy.cf

This command highlights which version you’re on, what custom edits you’ve made and whether there are some files (outliers) not matching your version, indicating mistakes in previous upgrades. With this information, it’s easier to upgrade to a new version of the masterfiles policy framework or migrate to a CFEngine Build project where masterfiles is a separate module from your custom policy. Next, we’re working on functionality to automatically achieve this, using the data provided by cfbs analyze.

Read more about the new command in this blog post:

https://cfengine.com/blog/2025/introducing-cfbs-analyze-command/
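
The report above can be turned into a pre-upgrade check that lists only the deviations nobody has signed off on. This is an added example, not part of cfbs or the original post: it parses the human-readable output exactly as shown above, assumes entries are flat tree lines, and the `known_custom` allowlist is a hypothetical convention.

```python
import re

# Constructed sample: the `cfbs analyze` output shown above, reproduced as text.
SAMPLE = """\
Policy set path: .

Reference version: 3.21.5

Files missing from the version:
└── controls/cf_monitord.cf
Files from the version but with modifications:
└── promises.cf
No files are from a different version.
Files not from any version (with both custom content and path):
└── services/my_policy.cf
"""

# Assumption: entries are flat tree lines starting with "└── " or "├── ".
ENTRY = re.compile(r"^[├└]── (.+)$")

def parse_analyze(text):
    """Split the report into the reference version and {heading: [paths]}."""
    version, sections, current = None, {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        entry = ENTRY.match(line)
        if line.startswith("Reference version:"):
            version = line.split(":", 1)[1].strip()
        elif line.endswith(":"):
            current = sections.setdefault(line[:-1], [])
        elif entry and current is not None:
            current.append(entry.group(1))
        elif line:
            current = None  # plain sentence ("No files are ...") closes a section
    return version, sections

def unexpected(sections, known_custom=()):
    """Return (heading, path) pairs not covered by the known_custom allowlist."""
    return [(heading, path)
            for heading, paths in sections.items()
            for path in paths
            if path not in known_custom]

if __name__ == "__main__":
    version, sections = parse_analyze(SAMPLE)
    print("reference version:", version)
    for heading, path in unexpected(sections, known_custom={"services/my_policy.cf"}):
        print(f"review: {path} ({heading})")
```

Since policy files run with high privileges on every managed host, any path this leaves in the list (a missing control file, an edited promises.cf) is worth reviewing before the upgrade proceeds.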

Quickly connect with SSH to hosts saved in cf-remote

If you have a host named hub in cf-remote (a group named hub with one host) you can now easily connect to it with SSH:

command
cf-remote connect -H hub
output
Opening a SSH command shell...
The authenticity of host '54.216.94.247 (54.216.94.247)' can't be established.
ED25519 key fingerprint is SHA256:xGx3IvoReyyIhz63OAHj3uhF/O+YVEaszgBpE2v4GOg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '54.216.94.247' (ED25519) to the list of known hosts.
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
[ec2-user@ip-172-31-44-225 ~]$

There’s no longer a need for copy-pasting usernames and IP addresses; cf-remote can keep track of this for you. (The host first needs to be spawned using cf-remote spawn or saved using cf-remote save.)

Frequent releases to command line tools

We release new versions of these convenience tools much more frequently than the CFEngine 6-month release cycle. You can stay up to date with these projects and new features in each version on GitHub:

https://github.com/cfengine/cfbs/releases

https://github.com/cfengine/cf-remote/releases

Features from 3.25.0

The upcoming 3.27.0 LTS release will include all features from 3.25.0 and 3.26.0. See the blog post below, if you haven’t already checked out audit logs and the other features in CFEngine 3.25.0:

https://cfengine.com/blog/2025/cfengine-3-25-released-auditability/

Changelogs

As always, you can see a full list of changes and improvements in our changelogs:

Please note that the Enterprise changelogs contain only changes specific to enterprise. To get a full overview of all changes in a version, read all 3 changelogs.

Dependency updates

Compared to 3.25.0, these dependencies have been updated:

CFEngine version    3.25.0    3.26.0
Apache              2.4.62    2.4.63
diffutils           3.10      3.12
Git                 2.47.1    2.49.0
libcurl             8.11.1    8.13.0
libcurl-hub         8.11.1    8.13.0
libexpat            2.6.3     2.7.1
libiconv            1.17      1.18
libxml2             2.13.5    2.14.3
OpenSSL             3.4.0     3.5.0
PCRE2               10.44     10.45
PHP                 8.3.15    8.4.7
PostgreSQL          17.2      17.5
rsync               3.3.0     3.4.1
leech               -         0.1.24
nghttp2             -         1.65.0

Thank you to all the developers and maintainers of Open Source Software which make CFEngine possible!

Downloads

CFEngine Enterprise is free for up to 25 hosts; new packages are available on the download pages. If you are using cf-remote, you can specify the version to install with the --version option:

command
cf-remote --version 3.26.0 install --hub hub --bootstrap hub

Security vulnerabilities, breaking changes, and known issues

We’d like to highlight a few useful resources to all our users.

When we discover and fix security issues in CFEngine, these are published as CVEs. Use the cve tag on our blog to stay up to date with these announcements:

https://cfengine.com/tags/cve/

Similarly, when we have to change the behavior of CFEngine and its policy language in ways that could be considered breaking, we publish a change-in-behavior blog post:

https://cfengine.com/tags/change-in-behavior/

(This is generally something we avoid, and so the examples of that are usually around unintended / accidental behavior, or making more explicit / strict safe defaults for things which could relate to security or safe / predictable behavior).

Lastly, our documentation has a known issues page:

https://docs.cfengine.com/docs/master/release-notes-known-issues.html

(Here is a permalink to the 3.25 version of that page).

At the time of writing, there is one known issue for 3.26.0, which prevents the hub package from installing successfully on Ubuntu hosts when using cf-remote.

We recommend that our users use these resources to stay up to date on notable changes and issues.

Contributions

We encourage all of our users to get involved in the community and contribute. Feel free to use one of the following avenues: