Fides 2.89.0 release notes
- 2.89.0: July 7, 2026
The Enterprise tag indicates that features are only available for Enterprise customers. To review pricing and upgrade your plan, please visit our site (opens in a new tab) or contact us to learn more.
Helios
Detect and classify global data risks with comprehensive visualization for data mapping and reporting for modern Enterprise.
- Bulk-Categorize Discovered Fields: You can now apply Fideslang data categories to many discovered fields at once. The Schema Explorer gains a bulk Label action that assigns one or more categories to every selected field and marks them reviewed, and the discovery monitor's filtered field actions gain a bulk assign-categories action that categorizes all filtered fields in a single call (passing an empty list clears categories instead).
- Assign Data Stewards to Infrastructure-Discovered Applications: You can now assign data stewards to discovered applications from infrastructure monitors within the Action Center.
- Website Monitor Is Now a Core Feature: The website monitor is always on; its feature flag has been removed. Website connector test connections now use the monitor service's browser-based probe when configured, which eliminates false failures on WAF-protected sites and falls back to a direct request when no monitor is configured.
- Bug Fixes:
- Fields whose LLM classification errored are now marked as classification errors instead of being silently dropped and left stuck in the "classifying" state.
- IDP monitor classification no longer holds a database session across Compass and LLM calls, and it persists classification plus enrichment in a single atomic commit, so concurrent edits to staged resources are no longer overwritten.
Lethe
Enterprise grade privacy request management and processing with a single orchestration layer for DSRs across vendors and systems
- Edit DSR Policy Rules From the UI: You can now add and remove DSR policy rules and view and edit each rule's target data categories and masking strategy directly from the policy detail page, without editing configuration by hand.
- Manual-Only Request Types: Correction, restrict-processing, automated-decision, and complaint request types can now be fulfilled entirely through manual task integrations, bypassing the automated DAG for request types that are handled by people rather than connectors.
- Circuit Breaker for Async Polling Connectors: Async-polling DSR sub-requests now support a
max_consecutive_failurescircuit breaker, so a repeatedly failing polling connector trips out instead of retrying indefinitely. Includes a database migration. - Adobe Commerce Erasure: The Adobe Commerce (Magento) connector now supports erasure requests in addition to access.
- More Precise Access-Package Redaction: Nested fields in a DSR access package are now filtered by their own most-specific data category rather than inheriting only a parent's, so data-category-scoped policies redact nested data correctly.
- Durable DSR Encryption Keys: The DSR encryption key is now stored in Postgres instead of Redis for durability, with lazy backfill from Redis for pre-existing requests. Includes a database migration.
- Erasure Correctness and Reliability Fixes: A batch of fixes hardens erasure and DSR execution.
- Redshift, MySQL, MariaDB, and Google Cloud SQL for MySQL DSRs no longer fail when a table or field name uses a SQL reserved word.
- Unannotated fields are no longer silently skipped during non-null erasure; the data type is inferred from the field's actual value.
- A missing masking secret for the hash, HMAC, or AES strategies now raises a clear error instead of crashing mid-erasure.
- Concurrent task dispatch can no longer overwrite a failure cascade's error status or leave a descendant task in an inconsistent state, thanks to row locking on the cascade.
- Stripe
payment_method_detacherasure works again after restoring the read step that establishes a valid DSR graph edge.
- Performance: Redacting fields on large access packages is faster, oversized previews now fail cleanly instead of risking out-of-memory, and async-polling aggregation no longer double-fetches from S3 or doubles peak memory.
- Temporal DSR Engine (Preview): A new Temporal-based DSR execution engine ships behind the
use_temporal_workflow_engineflag (default off — the Celery path is unchanged), including a side-effect-free shadow mode for validating the engine against production traffic without writing real data. This release lays the database and shadow-table foundation; the engine is inert until enabled. Includes database migrations. - California Privacy DROP Connector (Foundation): This release lays the groundwork for the California Privacy DROP connector — core Fides hooks, connector schema, service layer, audit helpers, SQLAlchemy models (drop cycle, suppression ledger, audit log), and PBAC scopes. Includes database migrations.
- Bug Fixes:
- A privacy request's status is cleared from
requires_inputas soon as a manual task is completed; status derivation accounts for manual task state, runs synchronously under a row lock, and the interrupted-task watchdog now requeues completed manual tasks correctly. - The Request Manager no longer labels identities on authenticated privacy requests as "Unverified."
- Identity verification emails can no longer be silently disabled by messaging toggles, and receipt emails are blocked for unverified privacy requests.
- The Complete Task modal uses the configured field name as its label instead of a hardcoded "Subject data."
- Iterable access requests now use the GDPR-recommended endpoints, and the
user_eventsdataset was expanded to include all fields from the actual API response.
- A privacy request's status is cleared from
Janus
High performance consent recording and orchestration for data sharing, built for enterprise data engineering and AI pipelines.
- Custom Fields on the Consent Form: The fides.js Consent Form now supports custom field types. You can add custom fields to the Consent Form opt-out action in the Privacy Center form builder (limited to the field types the consent overlay can render), preview them in the experience editor, and they are embedded in the consent_form experience response and delivered to the SDK. A default Consent Form privacy experience is now seeded for California.
- Attach an External User ID From Your Mobile App: The Janus mobile SDK now exposes
setExternalId()on iOS, Android, and Flutter, letting apps attach an app-defined external identifier to consent and notices-served calls for DSR correlation and multi-device consent merging. - Faster, More Resilient v3 Consent Reads: The v3 privacy-preferences read endpoints gain an opt-in fail-fast request timeout and clean client-disconnect handling, so slow or abandoned consent-preference reads shed load instead of piling up on the server.
- Event-Loop Lag Monitoring: An opt-in monitor logs slow or stalled asyncio loops, making event-loop contention easy to spot under high-throughput consent traffic.
- Bug Fixes:
- The TCF version hash now re-establishes consent when new vendors and purposes are added.
- SDK-initiated consent saves now record the caller-supplied
request_origin(for exampleapi) instead of falling back to the experience component type; the value is no longer dropped by the preferences Celery task. - Consent form translation validation now matches the required fields shown in the UI.
- The icon field is optional for opt-out (Janus overlay) policy actions in the Privacy Center config, which never render an icon.
Astralis
Real-time data access, usage, and retention policy enforcement across your infrastructure. Astralis embeds governance directly into data pipelines and AI workflows, preventing misuse before it happens and generating an always-on audit trail for regulatory and AI governance.
- Privacy Assessment Lifecycle and Sign-Off: Privacy assessments now follow one canonical workflow state with an explicit approval gate — approved, conditionally approved, or rejected — plus editable reviewer notes and a step-based review flow. Gated by the
privacyAssessmentsfeature flag (off in production by default). Includes database migrations. - AI-Generated Risk and Mitigations: Assessments now generate risk and mitigation blocks in the background once an assessment is fully answered, refreshing them when answers change and surfacing them in the assessment detail view. Risk level is surfaced from a canonical column with a fallback to the AI-generated value. Gated by the
privacyAssessmentsfeature flag (off in production by default). Includes a database migration. - MCP Server With OAuth Login: Fides now ships an MCP (Model Context Protocol) server with browser-based OAuth 2.0 login, so AI clients can authenticate using Fides credentials through the standard OAuth flow.
- Astralis Works Out of the Box: A default fides chat provider is auto-provisioned on startup so Astralis assessment and questionnaire features work without manual configuration.
- Bug Fixes:
- Assessment review copy is now provider-aware, answer-source chips are viewer-aware, and a broken questionnaire link was removed.
Integrations
- Adobe Commerce Erasure: Erasure support added to the Adobe Commerce (Magento) connector.
- Iterable GDPR Endpoints: The Iterable integration now uses the GDPR-recommended endpoints for access requests.
- More Connectors in the Integrations Tab: MongoDB, MariaDB, Redshift, TimescaleDB, and several email connectors (Attentive, Generic Consent/Erasure, Dynamic Erasure, Sovrn) are now available from the integrations tab. A bidirectional consent tab, a test datasets page, and an upload button were also added to integrations.
Fides core
- Self-Service Email Verification for Admins: Admin users can now verify their own email. Unverified users see a top banner with a "verify your email" call to action and a matching action on their profile page beside the "Not verified" tag, so they can re-send the verification email without relying on the dismissible banner. The verification request endpoint is rate-limited per user to prevent spamming, and the banner no longer wrongly re-appears after a user verifies. Includes a database migration.
- Username and Password Login Configuration on the User Page: Username and password login configuration now appears on the user page.
- Clearer Database Health Reporting:
GET /health/databasenow returns 200 (not 503) when the database is reachable but its Alembic revision differs from the running build, and reports a database migrated by a newer build with a newcode behind databasestatus. A 503 is reserved for an unreachable database. - Advanced RBAC Drift Backfill: A startup backfill seeds any missing scopes, roles, and permissions, backfills legacy user role assignments, and adds drift tests that keep RBAC in sync with the scope registry. Includes a database migration.
- Bug Fixes:
- Form Builder field ordering is now persisted and respected when rendering forms in the Privacy Center and the fides.js consent form, and field types are synced across the backend, form builder, and Privacy Center. Inline validation and clearer error messages were added to the form builder.
- Switching systems via the Cmd+K switcher resets the configure form so it no longer retains the previous system's data, and a system group selected during initial creation is now persisted on the first save.
- Guarded modals no longer show a spurious unsaved-changes prompt when dismissed during their close animation, and the same false prompt no longer appears when saving a system and switching tabs quickly.
- The OAuth SaaS authorize flow no longer strands users on a raw API page — the no-referrer header that blanked the Referer across the session was removed.
- Consent requests no longer return a 500 when identity verification is disabled for consent but a request is submitted without an email.
- The delete chat provider modal now names the correct provider.
- The "Add system" modal submit button and the file-type validator in the Privacy Center (which compared MIME types to extensions) are fixed.
- Ant Design Migration: Continued migration of admin-ui forms and tables from Chakra UI and Formik to Ant Design (redaction patterns, SSO/OpenID, OAuth API client, bidirectional consent forms, the "Add multiple systems" table, and remaining monitor-configuration tables), and the now-unused
formikandyupdependencies were dropped.
Security
- Endpoint Authentication Enforcement: A new
@public_endpointdecorator and startup validation enforce that every API endpoint either requires authentication or is explicitly marked as intentionally public. - Dependency and Image Remediations: Bumped
paramikoto 5.0.0 (replacing the unmaintainedsshtunnelwithfabricfor SSH bastion tunneling, CVE-2026-44405),aiohttpto 3.14.1 (clearing 11 CVEs),starletteto 1.3.1 (CVE-2026-54283, CVE-2026-54282), and Tornado to 6.5.7, remediated the June 2026 OpenSSL advisory in the image and base image, and removed pymssql's statically bundled end-of-life OpenSSL 1.1.1k by source-building pymssql against system FreeTDS/OpenSSL 3.
Database schema & data changes
- This release includes multiple database migrations. Notable ones: the Temporal DSR engine foundation (shadow tables,
requesttask.attempt_token/next_poll_at,privacyrequest.is_shadow, cancelled execution-log status), Postgres-backed DSR encryption key storage, the async-polling circuit breaker, the privacy assessment lifecycle and AI risk blocks, the California Privacy DROP connector models, advanced-RBAC drift backfill, self-service email verification, and the DSR failure-cascade downgrade fix.
Notes
- The website monitor is now a core, always-on feature — the
webMonitorfeature flag has been removed. GET /health/databasebehavior changed: an Alembic revision mismatch on a reachable database now returns 200 (with a status indicating the drift direction) instead of 503; 503 now means the database is unreachable.