v2.0.0

BREAKING CHANGES:

• sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.

SECURITY:

• Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• Upgrade filippo.io/edwards25519 to v1.1.1 to resolve GO-2026-4503
• api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.
• api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
• auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client
• auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.
• core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.
• core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5
• core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.
• core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
• core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.
• core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.
• core: reject URL-encoded paths that do not specify a canonical path
• http: Added configurable max_token_header_size listener option (default 8 KB) to bound the size of authentication token headers (X-Vault-Token and Authorization: Bearer), preventing a potential denial-of-service attack via oversized header contents. The stdlib-level MaxHeaderBytes backstop is also now set on the HTTP server. Set max_token_header_size = -1 to disable the limit.
• sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5
• sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
• ui: disable scarf analytics for ui builds
• vault/sdk: Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• vault/sdk: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 to resolve GO-2026-4394
• Update github.com/dvsekhvalnov/jose2go to fix security vulnerability CVE-2025-63811.
• go: update to golang/x/crypto to v0.45.0 to resolve GHSA-f6x5-jh6r-wrfv, GHSA-j5w8-q4qc-rx2x, GO-2025-4134 and GO-2025-4135.

CHANGES:

• secrets/ldap (enterprise): Static roles will be migrated from a plugin-managed queue to the Vault Enterprise Rotation Manager system. Static role migration progress can be checked and managed through a new static-migration endpoint. See the LDAP documentation for more details on this process.
• audit: A new top-level key called supplemental_audit_data can now appear within audit entries of type "response" within the request and response data structures. These new fields can contain data that further describe the request/response data and are mainly used for non-JSON based requests and responses to help auditing. The audit-non-hmac-request-keys and audit-non-hmac-response-keys apply to keys within supplemental_audit_data to remove the HMAC of the field values if so desired.
• auth/alicloud: Update plugin to v0.23.1
• auth/azure: Update plugin to v0.24.0
• auth/cf: Update plugin to v0.23.0
• auth/gcp: Update plugin to v0.23.1
• auth/jwt: Update plugin to v0.26.1
• auth/kerberos: Update plugin to v0.17.1
• auth/kubernetes: Update plugin to v0.24.1
• auth/oci: Update plugin to v0.21.1
• auth/saml: Update plugin to v0.8.1
• core/managed-keys (enterprise): The response to API endpoint GET sys/managed-keys/:type/:name now returns an array of string values for key usages, rather than an array of integer values. The strings used are 'encrypt' (1), 'decrypt' (2), 'sign' (3), 'verify' (4), 'wrap' (5), 'unwrap' (6), 'generate_random' (7), and 'mac' (8).
• core: Bump Go version to 1.26.2
• core: Vault now rejects paths that are not canonical, such as paths containing double slashes (path//to/resource)
• core: bump github.com/hashicorp/cap to v0.12.0
• core: secondary DR requests can now be authenticated using a root token generated on the primary.
• core: sys/generate-root and sys/replication/dr/secondary/generate-operation-token endpoints are now authenticated by default, with the old unauthenticated behaviour enabled by setting the new HCL config key enable_unauthenticated_access to include the value "generate-root" or "generate-operation-token" respectively.
• core: sys/rekey endpoints are now authenticated by default, with the old unauthenticated behaviour enabled by setting the new HCL config key enable_unauthenticated_access to include the value "rekey".
• database/couchbase: Update plugin to v0.16.1
• database/elasticsearch: Update plugin to v0.20.1
• database/mongodbatlas: Update plugin to v0.17.1
• database/redis-elasticache: Update plugin to v0.9.1
• database/redis: Update plugin to v0.8.1
• database/snowflake: Update plugin to v0.16.0
• license utilization reporting (enterprise): Manual reporting bundles generated by vault operator utilization have a changed format. Notably they contain an array of snapshot_records instead of snapshots. The decoded_snapshot field in each record contains the human-readable data that was previously in the snapshots array.
• mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
• packaging: Container images are now exported using a compressed OCI image layout.
• packaging: UBI container images are now built on the UBI 10 minimal image.
• secrets/ad: Update plugin to v0.22.1
• secrets/alicloud: Update plugin to v0.22.1
• secrets/azure: Update azure enterprise secrets plugin to include static roles.
• secrets/azure: Update plugin to v0.25.1+ent. Improves retry handling during Azure application and service principal creation to reduce transient failures.
• secrets/azure: Update plugin to v0.26.1+ent
• secrets/gcp: Update plugin to v0.24.0
• secrets/gcpkms: Update plugin to v0.23.0
• secrets/keymgmt: Update plugin to v0.19.0+ent
• secrets/kmip: Update plugin to v0.20.0
• secrets/kubernetes: Update plugin to v0.13.1
• secrets/kv: Update plugin to v0.26.2
• secrets/mongodbatlas: Update plugin to v0.17.1
• secrets/openldap: Update plugin to v0.18.0
• secrets/pki: sign-verbatim endpoints no longer ignore basic constraints extension in CSRs, using them in generated certificates if isCA=false or returning an error if isCA=true
• secrets/terraform: Update plugin to v0.14.1
• secure-plugin-api: Update to v0.2.0
• storage: Upgrade aerospike client library to v8.
• ui/secrets: Secrets engines url paths renamed from '/secrets' to '/secrets-engines'
• ui: Remove ability to bulk delete secrets engines from the list view.

FEATURES:

• PKI External CA (Enterprise): A new plugin that provides the ability to acquire PKI certificates from Public CA providers through the ACME protocol
• IBM PAO License Integration: Added IBM PAO license support, allowing usage of Vault Enterprise with an IBM PAO license key. A new configuration stanza license_entitlement is required in the Vault config to use an IBM license. For more details, see the License documentation.
• KMIP Bring Your Own CA: Add new API to manage multiple CAs for client verification and make it possible to import external CAs.
• LDAP Secrets Engine Enterprise Plugin: Add the new LDAP Secrets Engine Enterprise plugin. This enterprise version adds support for self-managed static roles and Rotation Manager support for automatic...

v2.0.0-rc1

This is an automated pull request to build all artifacts for a releas…

v1.21.4

SECURITY:

• Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• Upgrade filippo.io/edwards25519 to v1.1.1 to resolve GO-2026-4503
• vault/sdk: Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• vault/sdk: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 to resolve GO-2026-4394

CHANGES:

• core: Bump Go version to 1.25.7
• mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
• ui: Remove ability to bulk delete secrets engines from the list view.

IMPROVEMENTS:

• core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
• secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
• secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support.

BUG FIXES:

• core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
• core/identity (enterprise): Fix excessive logging when updating existing aliases
• core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
• plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header.
• secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
• secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
• secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage
• secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithms.
• secrets/pki: The root/sign-intermediate endpoint should not fail when provided a CSR with a basic constraint extension containing isCa set to true
• secrets/pki: allow glob-style DNS names in alt_names.

v1.21.3

February 05, 2026

SECURITY:

auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.

CHANGES:

core: Bump Go version to 1.25.6

FEATURES:

UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries

IMPROVEMENTS:

core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials
sdk: Add alias_metadata to tokenutil fields that auth method roles use.
secret-sync (enterprise): Added telemetry counters for reconciliation loop operations, including the number of corrections detected, retry attempts, and operation outcomes (success or failure with internal/external cause labels).
secret-sync (enterprise): Added telemetry counters for sync/unsync operations with status breakdown by destination type, and exposed operation counters in the destinations list API response.

BUG FIXES:

agent: Fix Vault Agent discarding cached tokens on transient server errors instead of retrying
core (enterprise): Fix crash when seal HSM is disconnected
default-auth: Fix issue when specifying "root" explicitly in Default Auth UI
identity: Fix issue where Vault may consume more memory than intended under heavy authentication load.
secrets/pki (enterprise): Fix SCEP related digest errors when requests contained compound octet strings
ui: Fixes login form so ?with= query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with listing_visibility="unauth"
ui: Reverts Kubernetes CA Certificate auth method configuration form field type to file selector

v1.21.2

1.21.2

January 07, 2026

CHANGES:

• auth/oci: bump plugin to v0.20.1
• core: Bump Go version to 1.25.5
• packaging: Container images are now exported using a compressed OCI image layout.
• packaging: UBI container images are now built on the UBI 10 minimal image.
• secrets/azure: Update plugin to v0.25.1+ent. Improves retry handling during Azure application and service principal creation to reduce transient failures.
• storage: Upgrade aerospike client library to v8.

IMPROVEMENTS:

• core: check rotation manager queue every 5 seconds instead of 10 seconds to improve responsiveness
• go: update to golang/x/crypto to v0.45.0 to resolve GHSA-f6x5-jh6r-wrfv, GHSA-j5w8-q4qc-rx2x, GO-2025-4134 and GO-2025-4135.
• rotation: Ensure rotations for shared paths only execute on the Primary cluster's active node. Ensure rotations for local paths execute on the cluster-local active node.
• sdk/rotation: Prevent rotation attempts on read-only storage.
• secrets-sync (enterprise): Added support for a boolean force_delete flag (default: false). When set to true, this flag allows deletion of a destination even if its associations cannot be unsynced. This option should be used only as a last-resort deletion mechanism, as any secrets already synced to the external provider will remain orphaned and require manual cleanup.
• secrets/pki: Avoid loading issuer information multiple times per leaf certificate signing.

BUG FIXES:

• core/activitylog (enterprise): Resolve a stability issue where Vault Enterprise could encounter a panic during month-end billing activity rollover.
• http: skip JSON limit parsing on cluster listener.
• quotas: Vault now protects plugins with ResolveRole operations from panicking on quota creation.
• replication (enterprise): fix rare panic due to race when enabling a secondary with Consul storage.
• rotation: Fix a bug where a performance secondary would panic if a write was made to a local mount.
• secret-sync (enterprise): Improved unsync error handling by treating cases where the destination no longer exists as successful.
• secrets-sync (enterprise): Corrected a bug where the deletion of the latest KV-V2 secret version caused the associated external secret to be deleted entirely. The sync job now implements a version fallback mechanism to find and sync the highest available active version, ensuring continuity and preventing the unintended deletion of the external secret resource.
• secrets-sync (enterprise): Fix issue where secrets were not properly un-synced after destination config changes.
• secrets-sync (enterprise): Fix issue where sync store deletion could be attempted when sync is disabled.
• ui/pki: Fix handling of values that contain commas in list fields like crl_distribution_points.

v1.21.1

1.21.1

November 20, 2025

SECURITY:

• auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client
• ui: disable scarf analytics for ui builds

CHANGES:

• auth/kubernetes: Update plugin to v0.23.1
• auth/saml: Update plugin to v0.7.0
• auth/saml: Update plugin to v0.7.1, which adds the environment variable VAULT_SAML_DENY_INTERNAL_URLS to allow prevention of idp_metadata_url, idp_sso_url, or acs_urls fields from containing URLs that resolve to internal IP addresses
• core: Bump Go version to 1.25.4
• secrets/azure: Update plugin to v0.25.0+ent
• secrets/pki: sign-verbatim endpoints no longer ignore basic constraints extension in CSRs, using them in generated certificates if isCA=false or returning an error if isCA=true

IMPROVEMENTS:

• Update github.com/dvsekhvalnov/jose2go to fix security vulnerability CVE-2025-63811.
• api: Added sudo-permissioned sys/reporting/scan endpoint which will output a set of files containing information about Vault state to the location specified by the reporting_scan_directory config item.
• auth/ldap: Require non-empty passwords on login command to prevent unauthenticated access to Vault.
• core/metrics: Reading and listing from a snapshot are now tracked via the vault.route.read-snapshot.{mount_point} and vault.route.list-snapshot.{mount_point} metrics.
• license utilization reporting (enterprise): Add metrics for the number of issued PKI certificates.
• policies: add warning about list comparison when using allowed_parameters or denied_parameters
• secret-sync: add parallelization support to sync and unsync operations for secret-key granularity associations
• secrets/pki: Include the certificate's AuthorityKeyID in response fields for API endpoints that issue, sign, or fetch certs.
• sys (enterprise): Add sys/billing/certificates API endpoint to retrieve the number of issued PKI certificates.
• ui/activity (enterprise): Add clarifying text to explain the "Initial Usage" column will only have timestamps for clients initially used after upgrading to version 1.21
• ui/activity (enterprise): Allow manual querying of client usage if there is a problem retrieving the license start time.
• ui/activity (enterprise): Reduce requests to the activity export API by only fetching new data when the dashboard initially loads or is manually refreshed.
• ui/activity (enterprise): Support filtering months dropdown by ISO timestamp or display value.
• ui/activity: Display total instead of new monthly clients for HCP managed clusters
• ui/pki: Adds support to configure server_flag, client_flag, code_signing_flag, and email_protection_flag parameters for creating/updating a role.

BUG FIXES:

• activity (enterprise): sys/internal/counters/activity outputs the correct mount type when called from a non root namespace
• auth/approle (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/aws (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/cert (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/github (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/ldap (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/okta (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/radius (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/scep (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/userpass (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth: fixed panic when supplying integer as a lease_id in renewal.
• core/rotation: avoid shifting timezones by ignoring cron.SpecSchedule
• core: interpret all new rotation manager rotation_schedules as UTC to avoid inadvertent use of tz-local
• secrets/azure: Ensure proper installation of the Azure enterprise secrets plugin.
• secrets/pki: Return error when issuing/signing certs whose NotAfter is before NotBefore or whose validity period isn't contained by the CA's.
• ui (enterprise): Fix KV v2 not displaying secrets in namespaces.
• ui (enterprise): Fixes login form so input renders correctly when token is a preferred login method for a namespace.
• ui/pki: Fixes certificate parsing of the key_usage extension so details accurately reflect certificate values.
• ui/pki: Fixes creating and updating a role so basic_constraints_valid_for_non_ca is correctly set.
• ui: Fix KV v2 metadata list request failing for policies without a trailing slash in the path.
• ui: Resolved a regression that prevented users with create and update permissions on KV v1 secrets from opening the edit view. The UI now correctly recognizes these capabilities and allows editing without requiring full read access.
• ui: Update LDAP accounts checked-in table to display hierarchical LDAP libraries
• ui: Update LDAP library count to reflect the total number of nodes instead of number of directories

v1.21.0

[VAULT-40260] This is an automated pull request to build all artifact…

v1.21.0-rc1

[VAULT-40007] This is an automated pull request to build all artifact…

v1.20.4

[VAULT-39673] This is an automated pull request to build all artifact…

v1.20.3

[VAULT-39259] This is an automated pull request to build all artifact…