OneSpan Cloud Authentication May Release – 26.R2

For calls to create and/or update users, a new validation will be introduced for the USERFLD_EMAIL and USERFLD_MOBILE fields. Currently, the Authentication component is returning status code 200 HTTP status OK (RET_SUCCESS/STAT_SUCCESS) when the user’s email address or phone number is invalid. Once the new validation, implemented in the Authentication component, is integrated in OneSpan Cloud Authentication, these user data will be strictly validated, and the following applies whenever you create or update user accounts:

If the format of the user’s email address and/or phone number is invalid, the Authentication component will be returning the 400 HTTP bad request (RET_FAILURE/STAT_INVDATA) error messages.

This affects the following endpoints:

• PUT /users/{userID@domain}

• PATCH /users/{userID@domain}

Existing user info fields are kept as is and are only revalidated when you attempt to update them.

Orchestration error handling with the POST /orchestration-commands endpoint is deprecated and will be removed in version 26.R3 in Q3 of 2026.

Description: In FIDO2-based authentication operations, OneSpan Cloud Authentication returned an incorrect error,  500 Internal Server Error: "Data cannot be retrieved from external service". This occurred when the tenant configuration was missing or had a relying party configured that did not exist.

Status: This issue has been fixed, OneSpan Cloud Authentication now correctly returns the 409 operation failed error.

Description: In version 25.R2, the internal timeout for the database was reduced to 5 seconds. This would occasionally result incorrectly in a 500 Internal error, sub service failure, server crash error response.

Status: In version 26.R1, a first set of endpoints have been updated. Now, another set has been updated. For the following endpoints, if the database runs into a timeout, Intelligent Adaptive Authentication now returns the 504 Gateway timeout HTTP status code.

• All endpoints of the Authenticators API

• All endpoints of the Users API

• Bulkfile Upload:

  • POST /bulkfiles

  • GET /bulkfiles/{uuid}

• Provisioning:

  • POST /registrations

  • POST /registrations/check-status

  • POST /registrations/{registrationID}/activate

  • POST /registrations/{registrationID}/add-device

  • POST /registrations/{registrationID}/generate-ephemeral-key

  • POST /registrations/{registrationID}/generate-activation-message

  • POST /users/register

  • POST /users/{userID@domain}/authenticators/{serialNumber}/update-pnid

• Transactions:

  • POST /users/{userID@domain}/transactions/validate

• Users:

  • POST /users/register

  • POST /users/{userID@domain}/generate-secure-challenge

  • POST /users/{userID@domain}/generate-signing-request

  • POST /users/{userID@domain}/transactions/validate

  • POST /users/{userID@domain}/sync-authenticator

  • POST /users/{userID@domain}/authenticators/{serialNumber}/update-pnid

  • POST /users/{userID@domain}/generate-virtual-signature

• Sessions:

  • GET /sessions/{requestID}

For a detailed list of fixed vulnerabilities, see the relevant Knowledge Base article(s) in our Customer Support Portal.

Description: The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided from the number data type, and if the transaction amount is large. In this case, the endpoint should return the error message Invalid value type, because the transaction amount field was provided as a number and not as a string. Instead, it returns the incorrect error message Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,.

Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a string. Ensure that the value in the JSON request body is wrapped in double quotes.