emqx Files

Enhancements

Deployment

• #15813 Added package release for Debian 13 (Trixie), and updated Docker images to use Debian 13 as the base.

Core MQTT Functionalities

• #15773 Throttled client ID registration during reconnects.
• When a previous session cleanup is still in progress, new connections using the same client ID are now throttled. This prevents instability when clients reconnect aggressively.
• Affected clients receive reason code 137 (Server Busy) in the CONNACK with Reason-String "THROTTLED", and should retry after the cleanup completes.
• Fixed the reason code returned when another connection registers the same client ID; now correctly returns 137 instead of 133.

Observability

• #15499 Added a force deactivate alarm API endpoint to allow administrators to forcibly deactivate active alarms.

Performance

• #15536 Disabled the node.global_gc_interval configuration by default to improve overall performance stability, as it caused CPU fluctuations and higher message latency while providing little benefit over Erlang’s built-in garbage collector.
• #15539 Optimized Erlang VM parameters to improve performance and stability:
• Increased buffer size for distributed channels to 32 MB (+zdbbl 32768) to prevent busy_dist_port alarms during intensive Mnesia operations.
• Disabled scheduler busy-waiting (+sbwt none +sbwtdcpu none +sbwtdio none) to lower CPU usage reported by the operating system.
• Set scheduler binding type to db (+stbt db) to reduce message latency.

Bug Fixes

Deployment

• #15580 Added a new emqxLicenseSecretRef variable to the EMQX Enterprise Helm chart. This allows users to specify a Kubernetes Secret containing the EMQX license key, so the license is applied automatically.

This replaces the non-functional emqxLicenseSecretName variable, which created and mounted a secret file but did not pass the license to EMQX.

Clustering

• #14778 Fixed an issue where a node could not join a running cluster if that node had broken symlinks in its data/certs or data/authz directories.

Security

• #15581 Upgraded Erlang/OTP version from 26.2.5.2 to 26.2.5.14. This upgrade includes two TLS-related fixes from OTP that affect EMQX:
• Fixed a crash in TLS connections caused by a race condition during certificate renewal.
• Added support for RSA certificates signed with RSASSA-PSS parameters. Previously, such certificates could cause TLS handshakes to fail with a bad_certificate / invalid_signature error.

Observability

• #15639 Fixed an issue where the packets.subscribe.auth_error metric was not incremented when subscription authentication failed.

Gateway

• #15679 Fixed incorrect global chain names for the ExProto gateways. Built-in authentication data for these gateways was previously grouped under unknown:global, causing conflicts between gateways.
• #15699 Fixed an issue where built-in authentication data for gateways (e.g., CoAP) was incorrectly removed when a node was stopped or restarted.

ExHook

• #15683 Fixed ExHook TLS options so that gRPC clients can correctly verify the server hostname during the TLS handshake.