About 26R1.2
This topic provides information about the Veeva CRM 26R1.2 minor release, including important dates and release announcements.
All dates listed are subject to change.
Dates to Remember
- May 14, 2026 – Maintenance Notes available
- May 21, 2026 – Sandbox Release
- May 28, 2026 – Production Release
Release Notes
The 26R1.2 release does not include new features. See the Maintenance Notes for a list of fixes available in this release.
Announcements
Multi-Factor Authentication (MFA) – Now Mandatory for All Users, Including Admins, in Sandbox & Production Orgs
Starting in June and July of 2026, Multi-Factor Authentication (MFA) will be required for all users in Sandbox & Production orgs, including admins. Ensure MFA is fully configured for your users ahead of Salesforce's MFA deadlines. While phishing-resistant MFA is not required for standard (non-privileged) users, it is strongly recommended. For details, see Salesforce Security Updates and MFA Requirements.
Salesforce Security Updates – Action May Be Required
Salesforce is implementing several security updates throughout June and July 2026. Action may be required for the following:
- Authentication for Reports - Salesforce is implementing identity verification for high-sensitivity report actions. Ensure each of your users has at least one of the following: a supported MFA verification method registered with Salesforce, a current email address, or a mobile phone number registered to their login.
- Preventing Connections from Anonymizing VPNs, Proxies and High-Risk IP Addresses - Salesforce is expanding its automated security protections to detect and block connections originating from anonymizing VPNs, proxies, and other high-risk IP addresses. Customers should review any integrations, middleware, VPN configurations, proxy services, or automated processes that connect to Salesforce APIs or Connected Apps to ensure they are not routing traffic through anonymizing or high-risk network services.
- Transaction Security Policy Enhancements - For Shield or Event Monitoring customers only: if your org does not have a Transaction Security Policy (TSP) restricting large data exports, Salesforce will automatically enable a default policy in June 2026.
For details, see Salesforce Security Updates and MFA Requirements.
Changes to Salesforce Security Control Requirements
Salesforce plans to require the implementation of additional security controls and settings. Take the following actions to ensure your settings meet Salesforce’s security requirements:
- Require Multifactor Authentication (MFA): MFA is mandatory for all Production Orgs as of June 2026. Customers must ensure that MFA is fully set up before June. While in the past Veeva was able to request a 90-day rollback for customers, Salesforce will no longer approve these requests.
  Despite communications suggesting otherwise, Salesforce has confirmed that MFA will not be enforced in Sandbox Orgs, though it remains strongly recommended.
- Ensure all System Administrator users adopt phishing-resistant MFA for login: While not mandatory, all System Administrator users are strongly encouraged to adopt phishing-resistant MFA for login. This is considered a security best practice to protect your most privileged accounts.
- Restrict login IP addresses in profiles: Beginning with the Winter '26 release, Salesforce will enforce limits on login IP ranges for specific profiles. If your organization uses profile-level IP restrictions, we recommend reviewing your current configurations now to ensure they will remain within the new limits.
The following items are standard security best practices that all customers should continue to follow:
- Enable a Transaction Security Policy (TSP) that restricts large data exports
- Avoid connecting from anonymizing proxies or high-risk IP addresses
For more details on these updates, refer to Salesforce’s New Security Control Requirements page. This page is updated regularly — we encourage you to monitor the Change Log table there for the latest information.
If you have any questions or concerns, please reach out to Veeva Support.
Changes to Public Key Infrastructure in Salesforce
Salesforce has announced upcoming mandatory changes to Public Key Infrastructure. Veeva standard integrations with Salesforce are not impacted. However, Veeva recommends customers review any custom-built integrations within their environments to ensure compliance with these upcoming changes.
Supporting iPadOS and iOS 26
Veeva CRM supports the iPadOS and iOS 26 releases on iPad and iPhone devices. For iPadOS 26, Veeva CRM must be used in full screen and will not support windowed mode. See CRM for iOS for more information about supported iPad and iPhone devices.
End of Support
See End of Support for a list of deprecated features, devices, and OS versions.

