What's new in HiveMQ Edge 2026.3

Our third release of the year brings significant improvements for enterprise security support in HiveMQ Edge. Role-based access is now natively available for the API and Console. We also extended our LDAP support to include the base-dn option when configuring authentication.

Role-Based Access

Role-Based Access is now available in HiveMQ Edge for accessing the Console and API endpoint.

What It Is

HiveMQ Edge now ships with three built-in roles that control what authenticated users can do in the UI and via the REST API:

• user: Read-only access to data and configuration
• super: Everything above, plus start/stop/restart of protocol adapters and bridges
• admin: Full access, create, update, and delete configuration

Regardless of role, all users can access the home page, authentication endpoints, and liveness and health checks.

How It Works

Roles are assigned dynamically based on LDAP group membership. Administrators configure a set of role/query pairs () in the LDAP authentication section of config.xml. When a user logs in, HiveMQ Edge evaluates LDAP search filters to determine which groups the user belongs to and assigns the corresponding role.

This makes it straightforward to map your existing directory structure — such as an Active Directory — directly to Edge permissions, without managing a separate user database.

Role enforcement can be toggled with the enforce-api-auth configuration flag (default: true). Set it to false to disable role checks while keeping authentication active.

Improved LDAP Directory Configuration with base-dn

What It Is

A new optional element has been added to the config.xml LDAP configuration. Previously, users, groups, and service accounts all had to share a common node in the LDAP directory tree, which created friction for organisations with more complex directory layouts.

With base-dn, the search root and the service account used for queries are both resolved relative to the base distinguished name, allowing them to reside in completely different branches of the directory tree.

How It Works

The field is fully optional. If omitted, behaviour is identical to previous versions, ensuring an uninterrupted upgrade experience for existing deployments.

Example Configuration

The following config.xml snippet shows LDAP authentication with base-dn and role mapping configured together:

    <admin-api>
  <enabled>true</enabled>
  <listeners>
      <http-listener>
          <port>8080</port>
          <bind-address>0.0.0.0</bind-address>
      </http-listener>
  </listeners>
  <ldap>
      <servers>
          <ldap-server>
              <host>ldap.example.com</host>
              <port>636</port>
          </ldap-server>
      </servers>
      <tls-mode>LDAPS</tls-mode>
      <simple-bind>
          <rdns>cn=admin,ou=people</rdns>
          <userPassword>secret</userPassword>
      </simple-bind>
      <uid-attribute>uid</uid-attribute>
      <rdns>ou=people</rdns>
      <base-dn>dc=example,dc=org</base-dn>
      <user-roles>
          <user-role>
              <role>admin</role>
              <query>(&amp;(entryDN={userDn})(memberOf=CN=EdgeAdmins,ou=groups,dc=example,dc=org))</query>
          </user-role>
          <user-role>
              <role>user</role>
              <query>(&amp;(entryDN={userDn})(memberOf=CN=EdgeUsers,ou=groups,dc=example,dc=org))</query>
          </user-role>
      </user-roles>
  </ldap>
</admin-api>
  

Data Hub 3.1.0

HiveMQ Edge 2026.3 ships with Data Hub 3.1.0 — a major upgrade to the data transformation engine at the heart of Edge's payload processing pipeline.

The embedded JavaScript runtime has been rebuilt on top of the SWC compiler toolchain, a production-grade Rust-based ECMAScript parser that catches malformed scripts before they ever reach the V8 engine. Combined with the upgrade to Javet 5, transform execution is faster, memory-bounded, and resilient to runaway scripts.

Policies that only perform schema validation — no JavaScript — no longer allocate a V8 engine at all, eliminating unnecessary resource contention and delivering higher throughput for pure validation workloads.

Additional Improvements

Bug Fixes

• Fixed a race condition in the MQTT bridge client where overlapping start/stop transitions could corrupt internal state or leave callers waiting indefinitely

Improvements

• Changed the HiveMQ Docker base image to Ubuntu Noble, for increased frequency of CVE maintenance

Advance Notice

Starting April 2026, HiveMQ Edge will be compiled with Java v25 (class file 69) as target.

This means that Java 25 (or a compatible JDK 25 distribution) will be required to run HiveMQ Edge going forward. Java 25 is a Long-Term Support release, making it a solid foundation for enterprise deployments. For Edge's container distribution, JDK 25 is already the Java Runtime Environment since 2026.2. Note that Java 21 — the previous LTS — reaches the end of permissive licensing in September 2026, so planning the upgrade now avoids last-minute disruption. We encourage users who provide their own runtime environment to plan their JDK upgrades accordingly ahead of the April release.

The move to Java 25 brings meaningful improvements to how HiveMQ Edge handles concurrent workloads. Virtual threads — introduced in Java 21 — are now fully supported, and structured concurrency and scoped values — finalized in Java 25 — make the internal management of concurrent tasks safer and more predictable. Together, these improvements allow HiveMQ Edge to handle more connections with lower resource overhead and lay the groundwork for further performance and reliability improvements in future releases.

Get Started Today

Use the download link Get HiveMQ Edge 2026.3, or find us on GitHub and Docker:

Get started by running

    docker run --name hivemq-edge --pull=always -d -p 1883:1883 -p 8080:8080 hivemq/hivemq-edge
  

Or clone our repository

    git clone git@github.com:hivemq/hivemq-edge.git
  

You may also try out our Helm Chart

    helm repo add hivemq https://hivemq.github.io/helm-charts && helm repo update