Version 3.5.0 (May 2026)
Welcome to the Zowe Version 3.5.0 release!
See New features and enhancements for a full list of changes to the functionality. See Bug fixes for a list of issues addressed in this release.
Download v3.5.0 build: Want to try new features as soon as possible? You can download the v3.5.0 build from Zowe.org.
New features and enhancements​
Zowe Version 3.5.0 contains the enhancements that are described in the following topics.
Zowe installation and packaging​
- Startup now checks whether ATTLS rules are defined for each Zowe server and warns if any misconfiguration is identified, to assist with TLS configuration. (#4741)
- Users can now specify client certificates within the `zowe.certificate` section. (#4687)
- `zwe init` no longer creates certificates by default. Use `zwe init --create-certificate` or `zwe init certificate` after defining the "zowe.setup.certificate" section of the YAML. You can use the examples provided within `zowe/files/examples/setup/certificate`. (#4238)
- Subcommands for `zwe components` install now include dry-run options to guide you through each step of component installation. (#4582)
- Added command `zwe validate certificate` which checks Zowe's keystore and truststore and reports action items to resolve any issues found. This is run automatically every Zowe setup, but that can be changed via the parameter `zowe.launchScript.startupChecks.certificate`, which can be set to "warn" to warn only, or "disabled" to bypass the check. (#4554)
- `zwe version` now supports displaying the Zowe version defined in the configuration. (#4322)
- Superuser (UID=0) check of `ZWESVUSR` has been added. (#4693)
- A utility has been added to toggle comments in provided YAML examples. (#4689)
- The `zwe config get` command now uses the new `--format` option to format the output. (#4591)
- Added command `zwe validate components` which can be used to check if a component in the YAML exists. (#4700)
- Added command `zwe validate dependencies` which can be used to validate that Zowe is using supported versions of dependencies such as node and java. The behavior of these checks can be customized via YAML properties `zowe.launchScript.startupChecks.java` and `zowe.launchScript.startupChecks.node`. (#4713)
- When debug for service `ZWELS` is enabled, `zwe internal start prepare` now prints the output of `ulimit -Ha` and `ulimit -a`. (#4751)
Zowe Application Framework​
zlux-server-framework​
- Improved SSH connection performance restoring use of Node.js built-in Diffie-Hellman logic. (#669)
- The app-server can now use separate certificates for inbound server TLS and outbound client TLS connections. When `zowe.certificate.keystore.clientCertificateAlias` (keyring) or both `zowe.certificate.pem.clientCertificate` and `zowe.certificate.pem.clientKey` (PEM) are defined, those are used for all outbound client connections while the main certificate is used only for serving HTTPS. When not defined, behavior is unchanged. (#674)
- Improved TLS options: `getTlsOptions()` now returns client TLS options by default, while `getServerTlsOptions()` explicitly returns server TLS options. (#674) (#669)
zlux-app-server​
- App-server startup no longer runs certificate validation as that has been migrated to the zwe launcher startup process to work for all components. (#364)
- Enhancement: App-server now supports separate server and client TLS certificates. Define `zowe.certificate.keystore.clientCertificateAlias` (for keyrings) or `zowe.certificate.pem.clientCertificate` and `zowe.certificate.pem.clientKey` (for PEM files) to use a dedicated client certificate for all outbound connections. The main certificate continues to be used for serving HTTPS. When not defined, the existing certificate is used for both as before. (#365) (#364)
zowe-common-c​
- `TlsSettings` now supports a `clientLabel` field. When set, `tlsSocketInit` uses this label for outbound (client) TLS connections instead of `label`, allowing a separate certificate with a client-only EKU to be used. When `clientLabel` is NULL, `label` continues to be used for both server and client connections as before. (#591)
- Moved to later version of `quickjs`. (#573)
- configmgr validation errors now use dot-formatted paths and can detect if a property that's unknown is likely to be at the wrong level of indentation. (#577)
- File API now returns the boolean "symlink" to state if a file is a symbolic link or not. (#579)
- File API now includes the target path of a symlink in the field "symlinkTarget". (#580)
- File API's "directory" value for symlinks now corresponds to whether the target is a directory or not. (#580)
zss​
- The utility `attls-test` can be used to check if an ATTLS policy exists at a specific connection. (813)
- ZSS now supports a dedicated client certificate for outbound TLS connections. When `zowe.certificate.keystore.clientCertificateAlias` is set, that certificate is used for client-side connections (e.g. to the APIML Caching Service and JWK endpoint) while the existing `zowe.certificate.keystore.alias` continues to be used as the server certificate. When `clientCertificateAlias` is absent, the existing single-certificate behaviour is preserved for backward compatibility. (#821)
zlux-editor​
- Added configurable file/dataset size limit (default 50MB) with a warning dialog and user override option to prevent high memory and CPU usage when opening very large files or datasets. (#372)
Zowe API Mediation Layer​
- Users can now configure client and server SSL separately. This change allows API ML to read configuration from the `apiml.service.ssl` section with fallback to the `server.ssl` section. (#4507)
- Properties specifying "required", "additional", and "recommended" have been applied to base signals from the API ML OpenTelemetry implementation with defaults. (#4456)
- The Apache license has been added to the Node.js and Python enablers. (#4500)
- JVM parameters are now read from the zowe.yaml. (#4485)
- Binding on multiple network interfaces is now supported. Each service can now define a list in configuration value `server.address`. (#4457)

Using the following table, validate that each of the listed properties is either empty or follows the specified pattern:
| Property | Service/Config | Validation Type | Risk Description |
|---|---|---|---|
| SSL protocol | All services | Pattern | Must match ^TLSv\d+(\.\d+)?(,TLSv\d+(\.\d+)?)*$ |
| URL fields | All services | Pattern | Must match ^(https?):\/ or https?://[^\s,]+ |
| Active profiles | All services | Pattern | Must match ^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$ |
| Allowed users | All services | Pattern | Must match ^[*]? |
| Logo files | All services | Pattern | Must match `^.*\.(svg |
| Custom docLink | All services | Pattern | Must match `^[^ |
| logging.config | All services | Length constraint | Path limited to 1-1024 characters |
| apiml.security.authorization.endpoint.url | APIML | URL pattern | Must be valid URL format |
| apiml.security.x509.certificatesUrl | APIML/ZAAS | URL pattern | DEPRECATED - Must be valid URL format |
| apiml.security.x509.externalMapperUrl | APIML/ZAAS | URL pattern | Must be valid URL format |
| apiml.security.x509.registry.allowedUsers | APIML/ZAAS | Pattern | Must match user list pattern |
| apiml.security.oidc.identityMapperUrl | APIML/ZAAS | URL pattern | DEPRECATED - Must be valid URL format |
| apiml.security.oidc.jwks.uri | APIML/ZAAS | URL pattern | Must be valid URL format |
| apiml.security.oidc.userInfo.uri | APIML/ZAAS | URL pattern | Must be valid URL format |
| apiml.security.saf.urls.authenticate | APIML/ZAAS | URL pattern | Must be valid URL format |
| apiml.security.saf.urls.verify | APIML/ZAAS | URL pattern | Must be valid URL format |
| apiml.service.corsAllowedMethods | APIML | Pattern | Must be comma-separated HTTP methods |
| apiml.service.ssl.enabled-protocols | APIML | Pattern | Must match TLS version pattern |
| apiml.service.ssl.ciphers | APIML | Free-form | No pattern, but may need review |
| apiml.gateway.registry.metadataKeyAllowList | Gateway | Pattern | Must be comma-separated list |
| apiml.apiml.catalog.customStyle.logo | API Catalog | Pattern | Must be image file path |
| apiml.apiml.catalog.customStyle.docLink | API Catalog | Pattern | Must match "text|url" format |
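
A pre-upgrade check built from the rows of the table whose rules are fully legible (SSL protocol, active profiles, `logging.config` length). This is an added example, not Zowe code: the function and rule names, the `<active-profiles-property>` placeholder key (the table does not name that property) and the sample values are assumptions constructed for illustration.

```javascript
// Added example: checks settings against the rules that are fully legible in the table above.
// Regular expressions are copied from the table; names and sample values are constructed.
const RULES = {
  // "SSL protocol" row: comma-separated TLS versions, no whitespace allowed
  tlsProtocols: (v) => /^TLSv\d+(\.\d+)?(,TLSv\d+(\.\d+)?)*$/.test(v),
  // "Active profiles" row: comma-separated alphanumeric names
  activeProfiles: (v) => /^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$/.test(v),
  // "logging.config" row: path limited to 1-1024 characters
  pathLength: (v) => v.length >= 1 && v.length <= 1024,
};

// Property name -> rule to apply. The active-profiles key is a placeholder,
// because the table describes that row without giving a property name.
const PROPERTY_RULES = {
  "apiml.service.ssl.enabled-protocols": "tlsProtocols",
  "logging.config": "pathLength",
  "<active-profiles-property>": "activeProfiles",
};

// Returns one finding per property whose value is set but breaks its rule.
function validateSettings(settings) {
  const findings = [];
  for (const [property, rule] of Object.entries(PROPERTY_RULES)) {
    const value = settings[property];
    // The release note allows each property to be empty (or not set at all).
    if (value === undefined || value === null || value === "") continue;
    if (typeof value !== "string" || !RULES[rule](value)) {
      findings.push({ property, rule, value });
    }
  }
  return findings;
}

// Constructed sample: the space after the comma makes the protocol list invalid.
const SAMPLE = {
  "apiml.service.ssl.enabled-protocols": "TLSv1.2, TLSv1.3",
  "logging.config": "/var/zowe/logs/logback.xml",
  "<active-profiles-property>": "debug,https",
};

for (const f of validateSettings(SAMPLE)) {
  console.log(`${f.property}: value "${f.value}" fails rule ${f.rule}`);
}
```
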
Zowe CLI​
Zowe CLI (Core)​
- Added `certAccount` option to z/OSMF profile type to support client certificate authentication using certificates stored in system keystores (macOS Keychain or Windows Certificate Store). This enables secure authentication with both exportable and non-exportable private keys on macOS and Windows platforms. (#2325)
- Enhanced the `zowe zos-files upload file-to-uss` command to support uploading a file to a USS directory using its original filename when the target is a directory (similar to UNIX cp). Added the `--make-directories` option to automatically create missing target directories and the `--skip-directory-check` option to skip checking if the target path is a directory during upload. (#2686)
- Added `--exec` flag to `zosuss` for faster command execution. Exec mode bypasses shell initialization and profile loading, providing a performance improvement. Shell mode remains the default for backward compatibility. (#2687)
Zowe CLI Imperative Framework​
- Added support for client certificate authentication using certificates stored in system keystores. Added `certAccount` profile property to specify certificate subject name for authentication. Implemented cross-platform native HTTPS clients (macOS and Windows) that support certificate-based authentication with both exportable and non-exportable private keys. Updated `AbstractRestClient` to use native HTTPS clients when `certAccount` is specified on macOS or Windows platforms. (#2325)
- Added a `Queue` utility to create and manage the processing of `Promise` queues. (#2543)
- Added a `requestQueue` getter to the `AbstractRestClient` abstract class to allow extenders to create and manage a queue of REST requests to help prevent server overload. (#2543)
- Added handling for `requestQueue` queue object to the `AbstractRestClient` abstract class's `request` function, if the `requestQueue` object is present. (#2543)
  - If a `requestQueue` is not present, no queuing is performed.
  - If a `requestQueue` is present, the request is added to the queue.
- Added an optional `scrtData` object to the ISession interface for a Session object. The `scrtData` is transmitted as a new HTTP header named `Zowe-SCRT-client-feature` to the targeted REST service. (#2678)
- Updated configuration files to support environment variables in `$VARIABLE` and `${VARIABLE}` formats. (#2672)
  - Properties that contain a valid environment variable cannot be set or changed with the `Config.set` function. They can only be updated in an editor.
  - Properties that map to an unset environment variable are treated as a literal string.
CICS Plug-in for Zowe CLI​
Zowe Explorer​
This is the last release of Zowe Explorer that supports VS Code 1.90. Starting with the next minor release (Zowe v3.6), Zowe Explorer will require VS Code 1.101 or higher. This change ensures you are running on Node.js 22, as Node.js 20 reached its End of Life (EOL) on April 30, 2026, and is no longer receiving security fixes.
Zowe Explorer (Core)​
- See the Zowe Explorer changelog for updates included in this release.
Zowe Explorer API​
- See the Zowe Explorer API changelog for updates included in this release.
Zowe Explorer for IBM z/OS FTP​
- See the Zowe® Explorer for IBM® z/OS® FTP changelog for updates included in this release.
Zowe Explorer ESLint Plug-in​
- See the Zowe Explorer ESLint Plug-in changelog for updates included in this release.
Bug fixes​
Zowe Version 3.5.0 contains the bug fixes that are described in the following topics.
Zowe installation and packaging​
- Corrected the ACF2 data set protection statement to use the proper security syntax for data set access. (#4769)
- Resolved a critical issue in `zwe init mvs` where a logic error could have caused the command to mistakenly attempt to delete an entire PARM library. (#4695)
- Fixed the ACF2 key ring statement by replacing an incorrect keyword with the valid security parameter required for key ring identification. (#4671)
- Updated the `zwe config get` command to ensure High Availability (HA) instance lookups are case-insensitive, preventing mismatches caused by capitalization. (#4609)
- Fixed error preventing startup which reported that z/OSMF gateway configuration was invalid despite the gateway being disabled. (#4718)
- Repaired the `components.apiml.debug` property for APIML Single-Service mode, ensuring debug logging now activates correctly for that deployment type. (#4540)
- Standardized `zwe support verify-fingerprints` to produce consistent hashes across Java 17 and Java 21 by switching the hashing method from charset-dependent strings to raw bytes. (#4726)
Zowe Application Framework​
zlux-server-framework​
- Suppressed the misleading `ZWED0149E` error message when AT-TLS is in use, as the message was being triggered incorrectly. (#633)
- Corrected a configuration hierarchy issue where the global `zowe.network.client.tls.attls` property was incorrectly overriding the component-specific `components.app-server.zowe.network.client.tls.attls` setting. (#653)
zlux-app-server​
- Resolved a property conflict to ensure the App-server correctly respects the component-level `components.app-server.zowe.network.server.tls.attls` setting instead of being overridden by global parameters. (#357)
- Improved SSH and Telnet port detection by adding error handling for cases where the system lacks the necessary permissions to query port status. (#356)
- Fixed a deployment issue where bundled App2app files and default pinned plugins were missing from the V3 desktop. These assets are now correctly deployed to both V2 and V3 environments. (#359)
zowe-common-c​
- Set IO error flag in `jsonConvertAndWriteBuffer()` when character conversion or write operations fail, allowing callers to detect and stop processing early. (#590)
- Formatted schema validation errors for "enumerate" types to ensure that error messages clearly display valid options when a validation failure occurs. (#562)
- Fixed a typographical error in the cross-memory server's help text. (#565)
zlux-editor​
- Fixed duplicate language entries appearing in the editor toolbar language list when opening the editor multiple times in the same browser window. (#375)
- Fixed `fileDuplicateChecker` and `closeFile` comparing `monaco.Uri` objects against plain strings, which caused the editor to display stale file contents after closing and reopening files. (#382)
Zowe API Mediation Layer​
- Enabled API Catalog access with OIDC in single-service deployments. (#4536)
- Allowed empty values in the authorization provider setting. (#4585)
- Fixed the API ML startup message for HA scenarios. (#4582)
- Optimized routing by removing unnecessary Caching service calls for sticky session checks. (#4549)
- Updated start.sh and configuration scripts to correctly pass multiple bound IP addresses to the API Mediation Layer. (#4578)
- Improved single-service caches using Infinispan. (#4548)
- Enabled configuration of Infinispan storage segments to allow for a reduced number of index files. (#4521)
- Fixed propagation of the apiml.debug property in start.sh. (#4540)
- Improved debugging capabilities for JWTs. (#4516)
- Switched the default WebSocket client from Netty to Tomcat to resolve failures with rapid split-frame responses. (#4519)
- Allowed VSAM details to be stored in the apiml and caching-service namespaces. (#4514)
- Added correct styling for Open API 3.1. (#4513)
- Added the default JDK DNS resolver. (#4496)
- Fixed schema validation in API ML components. (#4438)
- Added the Referrer header. (#4479)
- Improved troubleshooting by logging details of certificates ignored during API Layer client authentication through a new shared utility class. (#4415)
- Set JVM console encoding to IBM-1047 for Java 21. (#4482)
- Fixed Infinispan configuration, exception handling, and the overall cache operation. (v3) (#4450)
- Fixed Caching service stability for single-service deployment. (#4544)
Zowe CLI​
Zowe CLI (Core)​
- Updated the `lodash` dependency to resolve technical currency. (#2709)
- Updated the `brace-expansion` and `picomatch` dependencies to resolve technical currency. (#2705)
- Updated the `flatted` dependency to resolve technical currency. (#2702)
- Updated the `tar` dependency to resolve technical currency. (#2696)
- Updated the `minimatch` dependency to resolve technical currency. (#2685)
- Updated the `minimatch` and `tar` dependencies to resolve technical currency. (#2683)
Zowe CLI Imperative Framework​
- Removed text which is sometimes displayed by the `npm pack --dry-run --json` command before its valid JSON output, thus avoiding a Zowe error stating that a plug-in cannot be installed. This problem occurs mostly in build pipelines. (#2713)
- Increased the max buffer size of output for `npm pack` command run during plug-in installation. (#2708)
- Fixed an issue on Windows where non-normalized drive letter casing caused configuration load failures. (#2699)
- Updated `flatted` dependency for technical currency. (#2700)
- Updated `markdown-it` dependency for technical currency. (#2672)
- Updated `diff2html` dependency for technical currency. (#2677)
DB2 Plug-in for Zowe CLI​
- Updated the `follow-redirects` dependency for technical currency. (#201)
- Updated the `axios`, `brace-expansion`, and `minimatch` dependencies for technical currency. (#199)
- Updated the `axios` and `lodash` dependencies for technical currency. (#196)
Zowe Explorer​
This is the last release of Zowe Explorer that supports VS Code 1.90. Starting with the next minor release (Zowe v3.6), Zowe Explorer will require VS Code 1.101 or higher. This change ensures you are running on Node.js 22, as Node.js 20 reached its End of Life (EOL) on April 30, 2026, and is no longer receiving security fixes.
Zowe Explorer (Core)​
- See the Zowe Explorer changelog for updates included in this release.
Zowe Explorer API​
- See the Zowe Explorer API changelog for updates included in this release.
Zowe Explorer for IBM z/OS FTP​
- See the Zowe® Explorer for IBM® z/OS® FTP changelog for updates included in this release.
Zowe Explorer ESLint Plug-in​
- See the Zowe Explorer ESLint Plug-in changelog for updates included in this release.
Vulnerabilities fixed​
Zowe discloses fixed vulnerabilities in a timely manner giving you sufficient time to plan your upgrades. Zowe does not disclose the vulnerabilities fixed in the latest release as we respect the need for at least 45 days to decide when and how you upgrade Zowe. When a new release is published, Zowe publishes the vulnerabilities fixed in the previous release. For more information about the Zowe security policy, see the Security page on the Zowe website.
The following security issues were fixed by the Zowe security group in version 3.4:
- BDSA-2025-5248
- BDSA-2025-6881
- BDSA-2025-7426
- CVE-2025-55163
- CVE-2025-58056 (BDSA-2025-10730)
- CVE-2025-58057 (BDSA-2025-10732)
- CVE-2025-55163 (BDSA-2025-8614)
- CVE-2025-58057
- BDSA-2024-10785
- BDSA-2025-8611
- BDSA-2025-11418