Back ||
v2026.4.0

April 29th 2026

Release Notes - v2026.4.0

Collection-level Scripts, SMTP OAuth2, Security Patches and more! 🚀

New Features
Improvements

Highlights

  • Collection-level Pre-request and Test Scripts: Attach pre-request and test scripts directly to collections — scripts run automatically for every request in the collection, so you no longer need to duplicate auth setup or assertion logic across individual requests.



  • API Documentation UX Improvements: The API documentation experience has been refined with a cleaner layout and improved interaction patterns, making it easier to publish and navigate your docs.



  • SMTP OAuth2 Authentication (Self-Hosted): Self-hosted instances can now authenticate with SMTP servers using OAuth2, enabling modern mail providers like Gmail and Microsoft 365 to work out of the box.



  • Desktop Settings: The desktop app now has a dedicated settings foundation with manual update checks and the option to disable automatic update checks at startup, giving you more control over when updates are applied.



  • Security Patches: This release includes a threat model and policy update alongside a patch for CVE-2026-31812 (quinn-proto bump to 0.11.14) and follow-up hardening across the platform.



This update includes new features and important security fixes. Your data will be backed up automatically. If needed, see Downgrading and Restoring Backups.


👉 Read the full release blog


Added
  • Collection-level pre-request and test scripts
  • Set domain URL as mock server environment variable
  • Option to customize web server timeouts
  • SMTP OAuth2 authentication support for self-hosted instances
  • Redis storage backend for rate limiting (self-hosted)
  • Stateless OAuth2 state store with stateless OAuth for SAML and OIDC (self-hosted)
  • Desktop Settings infrastructure with manual update check
  • Option to disable automatic update check at startup (desktop)
Fixed
  • Improved API documentation UX
  • Platform default proxy URL is now applied on load and reset (self-hosted)
  • OTEL field update is skipped when observability is disabled (self-hosted)
  • Login divider is now hidden conditionally (self-hosted)
  • Fixed authorization code flow failing with Google OAuth
  • Fixed environment tooltip overflow on hover
  • Fixed environment validation when publishing API docs
  • Fixed org auth timeout and state leak on desktop
  • Updated security threat model and policy
  • Patched CVE-2026-31812 by bumping quinn-proto to 0.11.14
  • Applied security patch follow-up hardening