Top Winter ’26 Release Updates: Key Changes You Can’t Miss

Every Salesforce release comes with its own batch of changes. Some are exciting new features, some are behind-the-scenes updates that keep the platform secure and reliable. The Winter ’26 release is no different.

The tricky part? Release notes are usually long, packed with technical language, and can leave you wondering what you actually need to do. So here’s a breakdown of what’s important in Winter ’26.

Why Release Updates Matter

Before diving in, let’s clear one thing up: release updates aren’t just “new features.” They’re changes that Salesforce is enforcing to improve performance, security, and stability. Some updates need your action — because they might break existing customizations if you ignore them.

Think of release updates as mandatory system upgrades. You can test them, prepare for them, but eventually, Salesforce will flip the switch.

What’s Enforced Right Now (Winter ’26)

1. Verified Email Addresses for Old Users
If your org has user accounts created before November 1, 2016, they now need verified email addresses. No verification, no sending emails from Salesforce.
What to do: Audit old user accounts. Make sure their email addresses are verified.

2. Role Sharing Group Update
Salesforce is tightening how role-based sharing works when Digital Experiences are enabled. The group name “Roles and Subordinates” has been renamed to “Roles and Internal Subordinates.”
What to do: If you have code or customizations referencing the old name, update them. Salesforce will auto-convert references for now, but that’s temporary.

3. Permission Checks on Apex Classes
Flows that rely on Apex actions with built-in classes now enforce permission requirements. Previously, flows could fail silently because they used the wrong context.
What to do: Review Apex actions in flows and check if users have the right permissions.

4. Flow Access Restrictions
The days of everyone being able to run flows are over. Salesforce is enforcing proper access: users need the correct profile or permission set to run flows.
What to do: Assign permissions intentionally. This makes flows more secure, but you may need to adjust user access.

5. API Traffic Must Use My Domain URLs
Any API calls must go through your org’s My Domain login URL. Using incorrect instance URLs is no longer supported.
What to do: Update integrations and API connections to use your My Domain.

Sandboxes: enforcement started in Winter ’26.
Production: enforcement in Spring ’26.

6. Service Assistant License Changes
Starting this release, the Service Assistant features are moving to the Service Planner User license. They’re no longer included in the standard Salesforce license.
What to do: Assign the new permission set license if your users need Service Assistant.

Spotlight: Legacy Host Names Are Retired

This one’s important if you’re still relying on old Salesforce URLs. For years, Salesforce has redirected outdated “legacy host names” to your My Domain. In Winter ’26, those redirects start disappearing.

In Winter ’26, redirects are automatically disabled in production and demo orgs unless you opt out.
In Spring ’26, they’re gone for good. No turning them back on.

Why it matters: Any hardcoded links, bookmarks, or integrations pointing to old host names will break.

What to do now:

Audit your URLs — make sure everything uses your My Domain login URL.
Need more time? Go to Setup → My Domain → Redirections and keep legacy redirects during Winter ’26.
Don’t wait for Spring ’26 — by then, redirects are enforced off and can’t be reenabled.

This is a “quiet” update, but if you skip it, you’ll have frustrated users hitting dead links.

Automatically Enabled in Winter ’26

Some updates are turned on but not enforced yet. You can still disable them temporarily.

Legacy Host Names Retired (see spotlight above).

Coming in Spring ’26

These changes are around the corner:

Tax/Product Adjustments: More accurate tax calculations in orders.
Accessibility Updates (Zoom >200%): Page headers and modal windows adapt better for accessibility.
XSS Protection in Visualforce: Salesforce now escapes <apex:inputField> labels to prevent security risks.
Multiple SAML Framework Only: Old single-configuration SAML setups will stop working.

Coming in Summer ’26

More Accessibility Improvements: Enhancements for date pickers, popovers, record headers, and bottom bars.
Einstein Activity Capture Migration: Emails will now sync as standard Salesforce Activities. This means easier reporting and visibility.

Coming in Summer ’27

SOAP API login() Retirement: Versions 31.0–64.0 of the SOAP API login() call will be retired.

No Timeline Yet (But Don’t Ignore)

ICU Locale Formats: Salesforce is pushing everyone to adopt ICU formats for dates, times, numbers, and currencies. If you haven’t switched already, plan for it. It ensures consistency and global compatibility.

What This Means for You

Here’s the bottom line:

Winter ’26 immediate actions: verify old emails, update role sharing references, check Apex flows, fix flow permissions, update API URLs, handle Service Assistant licensing, and replace legacy host names.
Next 6–12 months: prepare for accessibility changes, Visualforce XSS protections, SAML migration, and Einstein Activity Capture updates.
Long-term: phase out old SOAP API versions, and adopt ICU locale formats if you haven’t already.

If you stay on top of these changes now, you’ll avoid surprises when Salesforce enforces them later.

Final Thoughts

Salesforce updates can feel overwhelming, but most of them boil down to two things: better security and better stability.

Take the time to test in a sandbox, document what changes affect your org, and communicate with your teams. A little preparation now saves a lot of headaches when enforcement hits.