This Change Log reflects precautionary UX changes made by Instructure in response to the May 2026 Security Incident. Updates will be added as they are made available.
Canvas LMS
Admin Settings
Announcement Date: 2026-05-09
Beta and Production Availability: 2026-05-03
- A setting designates an Elevated Auth Provider for Instructure employees. When enabled, Instructure’s actions require the user to be authenticated through the selected provider. Requests from users authenticated through any other provider will fail.
This change impacts Instructure employees. The setting is configured by Instructure engineers and is not currently available to Canvas administrators.
Announcement Date: 2026-05-09
Beta and Production Availability: 2026-05-06
- When the Elevated Auth Provider is enabled on an account, a user must be authenticated via that provider to change settings on the Theme Editor admin settings page.
- When the Elevated Auth Provider is enabled on an account, a user must be authenticated via that provider to change settings on the Content Security Policy (CSP) admin settings page.
These changes impact Instructure employees. The settings are configured by Instructure engineers and are not currently available to Canvas administrators.
Announcement Date: 2026-05-10
Beta Availability: 2026-05-09
Production Availability: 2026-05-10
- API key secrets are no longer visible in the UI after creation. Admins can regenerate keys at any time without deleting and recreating the API.
API
Announcement Date: 2026-05-08
Beta and Production Availability: 2026-05-06
- The GraphQL Enrollments API only returns Enrollment IDs for the invoking user. Previously a user with permission to view enrollments in a course could see all Enrollment IDs in the course.
Announcement Date: 2026-05-11
Beta and Production Availability: 2026-05-11
- Integrations using the urn:ietf:wg:oauth:2.0:oob redirect URI in the OAuth flow must now explicitly add it to the list of allowed redirect URIs on their developer key. This has already been done for the most common shared integrations, but schools should check whether any of their own integrations rely on it.
  - Action required: Add the referenced URI to any relevant developer keys (/accounts/self/developer_keys). Usage of this redirect URI is also being actively monitored, and the URI will be proactively added to customer developer keys when use is detected.
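The check schools are asked to make above can be run over an inventory of developer keys and observed authorization requests. The following is an added example, not Instructure's code: the record layout, field names, newline-separated allow list, exact-match comparison and all sample data are assumptions constructed for illustration.

```python
OOB = "urn:ietf:wg:oauth:2.0:oob"

# Constructed sample data; field names are assumptions, not the Canvas API schema.
DEV_KEYS = [
    {"id": 101, "name": "grade-sync CLI", "redirect_uris": "https://sync.example.edu/cb"},
    {"id": 102, "name": "report script", "redirect_uris": "https://r.example.edu/cb\n" + OOB},
    {"id": 103, "name": "portal", "redirect_uris": "https://portal.example.edu/oauth"},
]
AUTH_REQUESTS = [
    {"client_id": 101, "redirect_uri": OOB},
    {"client_id": 102, "redirect_uri": OOB},
    {"client_id": 103, "redirect_uri": "https://portal.example.edu/oauth"},
    {"client_id": 101, "redirect_uri": "https://sync.example.edu/cb"},
]


def allowed_uris(key):
    """Split a key's allow list (assumed newline-separated text) into a set."""
    return {u.strip() for u in key["redirect_uris"].splitlines() if u.strip()}


def redirect_allowed(key, requested, oob_implicit=False):
    """Exact-match allow-list check (an assumption about matching).

    oob_implicit=True models the earlier behaviour the change log implies,
    where the oob URI was accepted without being listed on the key.
    """
    if oob_implicit and requested == OOB:
        return True
    return requested in allowed_uris(key)


def keys_needing_oob(dev_keys, auth_requests):
    """Return ids of keys seen requesting the oob URI that would now be rejected."""
    by_id = {k["id"]: k for k in dev_keys}
    flagged = set()
    for req in auth_requests:
        key = by_id.get(req["client_id"])
        if key and req["redirect_uri"] == OOB and not redirect_allowed(key, OOB):
            flagged.add(key["id"])
    return sorted(flagged)


if __name__ == "__main__":
    for key_id in keys_needing_oob(DEV_KEYS, AUTH_REQUESTS):
        print(f"developer key {key_id}: add {OOB} to allowed redirect URIs")
```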
Authentication
Announcement Date: 2026-05-12
Beta and Production Availability: 2026-05-12
- The native Canvas authentication (username + password) supports resetting passwords for individual users in the root account’s People page. Previously, admins would navigate to the individual user’s profile page and click the Reset Password button. The Authentication page also has a Reset All Passwords button which resets the user password for all users using that authentication method. Bulk resets are processed in the background, meaning it may take several minutes for all reset notifications to be sent to users, but you may navigate away from the page after the process has started. When a user logs in after the reset, they will be prompted to change their password.
Announcement Date: 2026-05-13
Beta and Production Availability: 2026-05-13
- For customers using native Canvas authentication (username + password), admins can enable multi-factor authentication from the Account Settings page. Once the Multi-Factor Authentication setting is enabled, MFA options will display on the Authentication page. The Multi-Factor Authentication setting provides the following options:
Developer Keys
Announcement Date: 2026-05-09
Beta and Production Availability: 2026-05-09
- Developer key management is now gated on elevated auth for Instructure employees. Instructure employees managing developer keys in customer accounts must authenticate through the account’s designated Elevated Auth Provider.
This change impacts Instructure employees. The setting is configured by Instructure engineers and is not currently available to Canvas administrators.
LTI OAuth
Announcement Date: 2026-05-09
Beta and Production Availability: 2026-05-08
- OAuth workflows can only be completed through user navigation. Some institutions previously used custom JavaScript to automate user permission acceptance during LTI launch. Permissions now must be approved by the user navigating the page directly.
Rich Content Editor
Announcement Date: 2026-05-08
Production Availability: 2026-04-30
- The list of permitted attributes for object and embed elements in the RCE has been updated. If a user edits a page that includes a non-standard embed, any unsupported attributes will be removed when the page is saved.
Announcement Date: 2026-05-08
Beta and Production Availability: 2026-05-08
- The raw HTML input and pretty HTML input methods have been removed from the RCE. The default WYSIWYG interface is still available. Known Issue: HTML editor button missing from RCE.
Announcement Date: 2026-05-08
Beta and Production Availability: 2026-05-08
- The raw HTML input and pretty HTML input methods have been added back to the RCE. The default WYSIWYG interface is still available.
User Self-Registration
Announcement Date: 2026-05-09
Beta and Production Availability: 2026-05-08
- Self-registration is now disabled by default across all customer instances. The setting can be re-enabled.
Legacy Impact
Announcement Date: 2026-05-08
Production Availability: 2026-05-07
- Custom scripting for messages, walkthroughs, and support articles via the 'Edit Custom Script' editor has been removed. This change was already planned and customers were notified that it was coming in April 2025.
Announcement Date: 2026-05-09
Production Availability: 2026-05-08
- Iframes, scripts, and embedded videos within new articles, messages, and walkthroughs are no longer available. Content that has already been published will remain unaffected.