AWS parallelcluster high security documentation change
Summary
Added release notes for PCUI 2026.04.0 including security fixes
Security assessment
Explicitly documents fixes for security vulnerabilities: path traversal attacks, OS command injection in SSM, access token leaks in logs. Also includes dependency upgrades addressing potential security issues.
Diff
diff --git a/parallelcluster/latest/ug/document_history.md b/parallelcluster/latest/ug/document_history.md index f9ccbe39c..acc22efa9 100644 --- a//parallelcluster/latest/ug/document_history.md +++ b//parallelcluster/latest/ug/document_history.md @@ -1049,0 +1050,34 @@ PCUI Change | Description | Date +PCUI version 2026.04.0 released | PCUI version 2026.04.0 released Breaking changes: + + * Remove support for AWS ParallelCluster versions <= 3.5.0. + +Features: + + * Add support for managing multiple AWS ParallelCluster versions from a single PCUI deployment. + * Add support for PCUI in `us-gov-east-1` region. + +Bug fixes: + + * Fix an issue to ensure the OS options in the cluster creation wizard reflect the OSes supported by the selected AWS ParallelCluster version. + * Fix an issue to allow the PCUI to offer the full range of selectable instance types in the wizard. + * Improve the CloudFormation error message when the `Version` parameter is not specified. + +Security: + + * Mitigate the risk of path traversal attacks in the PCUI Lambda. + * Fix an OS command injection vulnerability in SSM SendCommand calls on cluster HeadNode. + * Fix a bug causing access tokens to leak into CloudWatch logs. + * Upgrade requests to version 2.33.1 (from 2.32.0). + * Upgrade cryptography to version 46.0.7 (from 44.0.1). + * Upgrade boto3 to version 1.42.91 (from 1.24.30). + * Upgrade urllib3 to version 2.6.3 (from 1.26.20). + * Upgrade ecdsa to version 0.19.2 (from 0.18.0). + * Upgrade certifi to version 2026.2.25 (from 2024.7.4). + * Upgrade flask-cors to version 6.0.2 (from 4.0.2). + * Upgrade python-jose to version 3.5.0 (from 3.4.0). + * Upgrade next to version 15.5.10 (from 14.2.26). + * Upgrade eslint-config-next to version 15.5.10 (from 14.0.4). + * Upgrade @babel/runtime to version 7.27.0 (from 7.23.5). + * Upgrade brace-expansion to version 1.1.12 (from 1.1.11). + +| April 30, 2026