Release date 2026/07/07
Bugfix
-
Fixed an issue where the ACL plugin returned a 403 error for authenticated credentials with no consumer and no groups (e.g. ACE / Dev Portal application credentials) when configured with a deny list. A group-less identity cannot match a deny list and should be allowed through.
-
Fixed an issue where the ACL plugin ignored a consumer’s ACL groups when
include_consumer_groupswas enabled and the consumer belonged to an enterprise consumer group, causing incorrect 403 denials (withallow) or incorrect access (withdeny) for authenticated and anonymous consumers. The plugin now falls back to the consumer’s ACL groups when no third-party authenticated groups are present.