Enhancements

  • Loading Indicator During Item Simulate
    The Variant Configuration UI now displays a loading overlay when an Item Simulate request is in progress, preventing users from making changes while the simulation is processing.

Bug Fixes

  • Item Configuration Errors
    Fixed an issue that caused errors when loading or interacting with item configurations in the Variant Configuration UI.

  • Duplicate Scroll Bars in VC-UI
    Fixed an issue where two independent scroll bars were appearing simultaneously within the Variant Configuration UI. Scrolling behavior is now consistent and consolidated.

  • Mobile Menu Not Displaying Correctly
    Fixed an issue where the VC-UI navigation menu was not rendering properly on smaller screen widths. The menu now displays correctly across mobile-sized viewports.

  • VC Logging Inaccuracies
    Corrected an issue with internal activity logging in the Variant Configuration UI to ensure accurate troubleshooting and session tracking information is captured.

  • VC SAP Session Expiration Handling
    Fixed an issue where an expired SAP session during an active VC session was not being detected and recovered from correctly. The application now handles session expiration gracefully without requiring a manual page reload.

  • VCInitialize Failing on Stale Session Cookie
    Fixed an issue where a stale SAP session cookie from a previous VC session caused VCInitialize to return an HTTP 400 error on first load, resulting in a silent failure. The application now correctly detects and recovers from invalid sessions during initialization.

Get it here: v9.5.0

On April 29, 2026, Aikido Security disclosed an active supply chain attack targeting SAP developers. Four SAP npm packages were compromised with credential-stealing malware — specifically @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt.

enosix applications and systems are not affected.

enosix products are built on Salesforce, TypeScript, React, and LWC. We do not use SAP CAP or MTA Build tooling anywhere in our codebase. We confirmed this with a full scan of all repositories in our GitHub organization — none of the affected packages appear in any form, and no indicators of compromise were found in our code, CI pipelines, or internal npm registry.

If you have questions or concerns, please reach out to the enosix team.

For the full technical write-up of this attack, see the Aikido Security advisory.

[Feature]: This release introduces strict query parameter validation in the API Proxy to prevent query parameter injection into downstream SAP requests. The change addresses an issue where encoded characters (e.g., %26 for &) could be used to pass additional parameters.

Only the query parameters listed below are allowed; any additional parameters passed on the request are dropped.

  • sap-client: Exactly 3 digits
  • sap-sessioncmd: Must be cancel
  • sap-language: Exactly 2 characters
  • link-function: Must be auth-payload
  • saml2: Must be disabled
  • tabs: Letters only
  • key: String or the literal $*$
  • expirationSeconds: Positive integer 1..2147483647
  • cid: Alphanumeric less than or equal to 10 characters
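
An added example, not enosix's implementation: an allowlist filter in JavaScript for the parameters listed above, showing why the query is decoded once, validated, and re-encoded before it is forwarded. The name `filterQuery`, the drop reasons, the choice to drop invalid or repeated allowed parameters, and the readings of "2 characters" as letters and "String" as any non-empty value are assumptions.

```javascript
// Added illustration, not enosix code. Rules transcribed from the list above.
const RULES = new Map([
  ["sap-client", (v) => /^\d{3}$/.test(v)],
  ["sap-sessioncmd", (v) => v === "cancel"],
  ["sap-language", (v) => /^[A-Za-z]{2}$/.test(v)], // assumption: letters
  ["link-function", (v) => v === "auth-payload"],
  ["saml2", (v) => v === "disabled"],
  ["tabs", (v) => /^[A-Za-z]+$/.test(v)],
  ["key", (v) => v.length > 0], // assumption: any non-empty string, "$*$" included
  ["expirationSeconds", (v) => /^[1-9]\d{0,9}$/.test(v) && Number(v) <= 2147483647],
  ["cid", (v) => /^[A-Za-z0-9]{1,10}$/.test(v)],
]);

// Decode the incoming query exactly once, keep only allowlisted names whose
// values pass their rule, then re-encode so a decoded "&" or "=" stays data.
function filterQuery(rawQuery) {
  const out = new URLSearchParams();
  const dropped = [];
  for (const [name, value] of new URLSearchParams(rawQuery)) {
    const rule = RULES.get(name); // Map lookup: "constructor" etc. never match
    if (!rule) dropped.push({ name, reason: "not allowlisted" });
    else if (out.has(name)) dropped.push({ name, reason: "duplicate" });
    else if (!rule(value)) dropped.push({ name, reason: "invalid value" });
    else out.append(name, value);
  }
  return { forwarded: out.toString(), dropped };
}

// Constructed sample requests (not captured traffic).
for (const q of [
  "sap-client=100&sap-language=EN&debug=1",
  "cid=ABC%26x",
  "key=abc%26extra%3D1",
  "sap-client=100&sap-client=200",
]) {
  console.log(q, "->", JSON.stringify(filterQuery(q)));
}
```

The `key` case is the one to watch: its value legitimately decodes to a string containing `&`, so the protection comes from re-serializing it as `%26` rather than concatenating the decoded value into the downstream URL.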

🚀 Introducing arnold™ — Now Available for a Pilot

We’re excited to announce the first public release of arnold™, a powerful new way to access and interact with SAP using AI.

You can now pilot arnold™ through a limited trial in your own environment and experience a completely new way of working with SAP data using AI.

👉 Ready to get started? Reach out to enosix to enable your pilot and see arnold™ in action: https://go.enosix.com/support

🤖 What is arnold™?

arnold™ is an MCP Server (Model Context Protocol) that connects AI agents to SAP, allowing users to interact with SAP data using simple, natural language. Instead of navigating complex SAP screens or using transaction codes, users can simply ask questions—and take action—directly from chat.

With arnold™, you can:

  • 🔍 Retrieve real-time SAP data
  • ✏️ Update existing records
  • ➕ Create new transactions

No SAP GUI. No transaction codes. No delays.

🧠 How It Works (Simple View)

  • Users interact with the agent through AI platforms like Microsoft 365 (Copilot)
  • AI agents translate the request to tools
  • arnold™ provides the right tools to interact with SAP
  • The enosix SAP Platform responds in real time
  • The agent presents data to users in an easily readable format

☁️ Built for Enterprise — Secure by Design

arnold™ is:

  • Hosted in Microsoft Azure
  • Secured through Microsoft Entra Directory / M365
  • Supports Single Sign-On (SSO) and SAP Principal Propagation

Your SAP data remains secure while becoming more accessible than ever.

Enhancements

  • Override CID on Link API requests. Support has been added to specify a Customizing ID on proxied API requests. Specifying a cid query string parameter will override the x-enosix-cid extension of the Open API Specification for the endpoint.

Bug Fixes

  • Reading CID from Open API Specification. Fixed a bug that caused API endpoints to ignore the configured x-enosix-cid extension in the Open API Specification.

Enhancements

Ability to pass CID as Query Param.

Added support for passing cid as a query parameter to the SAP backend. The following validation rules have been added for the cid parameter:

  • Alphanumeric characters only (a-z, A-Z, 0-9)
  • Length: 1-10 characters
  • No special characters or spaces allowed

Bug Fixes

  • Multiselect checkbox issue for Variant Configuration
    Fixed an issue where only one selection was saved when multiple configuration options were selected. Multiple selections now save correctly.

  • Default values from SAP not populating
    Fixed an issue where default values sent from SAP were not being applied. Default values now populate correctly as expected.

Get it here: v8.7.1

Enhancements

  • Swagger UI Configuration Control
    The API Proxy configuration now supports a SwaggerEnabled property that allows you to control whether the Swagger UI and OpenAPI Specification endpoints are exposed for each API Proxy. Setting SwaggerEnabled: true enables these documentation endpoints, which is useful for development and testing environments. By default, Swagger endpoints are disabled. See the Swagger UI for full details.

Feature

  • PDF generation for Sales Documents now provides a clear, localizable message when the PDF is not yet ready, improving user experience and supporting translation.