{"ecosystem":"go","package":"github.com/hashicorp/vault","from_version":null,"to_version":null,"changes":[{"from_version":"1.21.5","to_version":"2.0.0","change_type":"api","description":"api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"api","description":"api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"behavior","description":"http: Added configurable `max_token_header_size` listener option (default 8 KB) to bound the size of authentication token headers (`X-Vault-Token` and `Authorization: Bearer`), preventing a potential denial-of-service attack via oversized header contents. The stdlib-level `MaxHeaderBytes` backstop is also now set on the HTTP server. Set `max_token_header_size = -1` to disable the limit.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"auth/alicloud: Update plugin to [v0.23.1](https://github.com/hashicorp/vault-plugin-auth-alicloud/releases/tag/v0.23.1)","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"ui: disable scarf analytics for ui builds","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"vault/sdk: Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"vault/sdk: Upgrade `go.opentelemetry.io/otel/sdk` to v1.40.0 to resolve GO-2026-4394","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"Update github.com/dvsekhvalnov/jose2go to fix security vulnerability 
CVE-2025-63811.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"go: update to golang/x/crypto to v0.45.0 to resolve GHSA-f6x5-jh6r-wrfv, GHSA-j5w8-q4qc-rx2x, GO-2025-4134 and GO-2025-4135.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"secrets/ldap (enterprise): Static roles will be migrated from a plugin-managed queue to the Vault Enterprise Rotation Manager system. Static role migration progress can be checked and managed through a new static-migration endpoint. See the [LDAP documentation](https://developer.hashicorp.com/vault/docs/secrets/ldap#static-role-migration-to-rotation-manager) for more details on this process.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. 
Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"Upgrade `filippo.io/edwards25519` to v1.1.1 to resolve GO-2026-4503","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"core: reject URL-encoded paths 
that do not specify a canonical path","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"breaking","description":"sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"removed","description":"audit: A new top-level key called `supplemental_audit_data` can now appear within audit entries of type \"response\" within the request and response data structures. These new fields can contain data that further describe the request/response data and are mainly used for non-JSON based requests and responses to help auditing. The `audit-non-hmac-request-keys` and `audit-non-hmac-response-keys` apply to keys within `supplemental_audit_data` to remove the HMAC of the field values if so desired.","migration_hint":null},{"from_version":"1.21.5","to_version":"2.0.0","change_type":"removed","description":"core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. 
The header will only be forwarded if \"Authorization\" is explicitly included in the list of passthrough request headers.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"api","description":"api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"api","description":"transit (enterprise): Add context parameter to datakeys and derived-keys endpoint, to allow derived key encryption of the DEKs.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"api","description":"api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"behavior","description":"dockerfile: container will now run as vault user by default","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"secrets/pki: Add Freshest CRL extension (Delta CRL Distribution Points) to base CRLs","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. 
Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"core: reject URL-encoded paths that do not specify a canonical path","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"core: Bump Go version to 1.25.9","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"core: Vault now rejects paths that are not canonical, such as paths containing 
double slashes (`path//to/resource`)","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"config/listener: logs warnings on invalid x-forwarded-for configurations.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"events (enterprise): Forward event notifications from primary to secondary clusters","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"pki: Reject obviously unsafe validation targets during ACME HTTP-01 and TLS-ALPN-01 challenge verification","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"secrets/pki: Add ACME configuration fields challenge_permitted_ip_ranges and challenge_excluded_ip_ranges configuration to control which IP addresses are allowed or disallowed for challenge validation.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"secrets/transit: Improve import errors for non-PKCS#8 keys to clearly require PKCS#8.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"audit/file: The logic preventing setting of executable bits on audit devices was enforced at unseal instead of just at new audit device creation, causing an error at unseal if an existing audit device had exec permissions. 
The logic now warns and clears exec bits to prevent unseal errors.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"auth/gcp: Fix intermittent context canceled failures for Workload Identity Federation (WIF) authentication","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"breaking","description":"core (Enterprise): fix unaligned atomic panic in replication code on 32-bit platforms.","migration_hint":null},{"from_version":"1.21.4","to_version":"1.21.5","change_type":"removed","description":"core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if \"Authorization\" is explicitly included in the list of passthrough request headers.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"api","description":"api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"api","description":"api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"behavior","description":"dockerfile: container will now run as vault user by default","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. 
Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"identity: Repair the integrity of duplicate and/or dangling entity aliases.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"core (Enterprise): fix unaligned atomic panic in replication code on 32-bit platforms.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"core/managed-keys (enterprise): Fix a bug that prevented the max_parallel field of PKCS#11 managed keys from being updated.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"events (enterprise): Fix missed events when multiple event clients specify the same namespace and event type filters and one client disconnects.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"pki: Reject obviously unsafe validation targets during ACME HTTP-01 and TLS-ALPN-01 challenge verification","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"secrets/pki: Add ACME configuration fields challenge_permitted_ip_ranges and 
challenge_excluded_ip_ranges configuration to control which IP addresses are allowed or disallowed for challenge validation.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"secrets/pki: Add Freshest CRL extension (Delta CRL Distribution Points) to base CRLs","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"audit/file: The logic preventing setting of executable bits on audit devices was enforced at unseal instead of just at new audit device creation, causing an error at unseal if an existing audit device had exec permissions. The logic now warns and clears exec bits to prevent unseal errors.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"auth/gcp: Fix intermittent context canceled failures for Workload Identity Federation (WIF) authentication","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"core: reject URL-encoded paths that do not specify a canonical path","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and 
GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"core: Bump Go version to 1.25.9","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"core: Vault now rejects paths that are not canonical, such as paths containing double slashes (`path//to/resource`)","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"breaking","description":"config/listener: logs warnings on invalid x-forwarded-for configurations.","migration_hint":null},{"from_version":"1.20.9","to_version":"1.20.10","change_type":"removed","description":"core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if \"Authorization\" is explicitly included in the list of passthrough request headers.","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"api","description":"openapi: Add OpenAPI support for secret recovery operations. 
[[GH-31331](https://github.com/hashicorp/vault/pull/31331)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"api","description":"auth/scep (enterprise): enforce the token_bound_cidrs role parameter within SCEP roles","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"api","description":"**Post-Quantum Cryptography Support**: Experimental support for PQC signatures with SLH-DSA in Transit.","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"api","description":"ui: Fix capability checks for api resources with underscores to properly hide actions and dropdown items a user cannot perform [[GH-31271](https://github.com/hashicorp/vault/pull/31271)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"activity (enterprise): Fix `development_cluster` setting being overwritten on performance secondaries upon cluster reload. [[GH-31223](https://github.com/hashicorp/vault/pull/31223)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"audit: **breaking change** privileged vault operator may execute code on the underlying host (CVE-2025-6000). Vault will not unseal if the only configured file audit device has executable permissions (e.g., 0777, 0755). See recent [breaking change](https://developer.hashicorp.com/vault/docs/updates/important-changes#breaking-changes) docs for more details. 
[[GH-31211](https://github.com/hashicorp/vault/pull/31211),[HCSEC-2025-14](https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"auth/userpass: timing side-channel in vault's userpass auth method (CVE-2025-6011)[HCSEC-2025-15](https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034)","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"core/login: vault userpass and ldap user lockout bypass (CVE-2025-6004). update alias lookahead to respect username case for LDAP and username/password. [[GH-31352](https://github.com/hashicorp/vault/pull/31352),[HCSEC-2025-16](https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"secrets/totp: vault totp secrets engine code reuse (CVE-2025-6014) [[GH-31246](https://github.com/hashicorp/vault/pull/31246),[HCSEC-2025-17](https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"auth/cert: vault certificate auth method did not validate common name for non-ca certificates (CVE-2025-6037). test non-CA cert equality on login matching instead of individual fields. 
[[GH-31210](https://github.com/hashicorp/vault/pull/31210),[HCSEC-2025-18](https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"core/mfa: vault login mfa bypass of rate limiting and totp token reuse (CVE-2025-6015) [[GH-31217](https://github.com/hashicorp/vault/pull/31297),[HCSEC-2025-19](https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"Plugin Downloads (enterprise): add CLI `-download` option for plugin register (beta)","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"secrets/pki (enterprise): enable separately-configured logging for SCEP-enrollment.","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"secrets/pki: Add the digest OID when logging SCEP digest mismatch errors. 
[[GH-31232](https://github.com/hashicorp/vault/pull/31232)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"auto-reporting (enterprise): Clarify debug logs to accurately reflect when automated license utilization reporting is enabled or disabled, especially since manual reporting is always initialized.","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"core/seal (enterprise): Fix a bug that caused the seal rewrap process to abort in the presence of partially sealed entries.","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"kmip (enterprise): Fix a panic that can happen when a KMIP client makes a request before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"plugins: Fix panics that can occur when a plugin audits a request or response before the Vault server has finished unsealing. 
[[GH-31266](https://github.com/hashicorp/vault/pull/31266)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"product usage reporting (enterprise): Clarify debug logs to accurately reflect when anonymous product usage reporting is enabled or disabled, especially since manual reporting is always initialized.","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"replication (enterprise): Fix bug with mount invalidations consuming excessive memory.","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"secrets-sync (enterprise): Unsyncing secret-key granularity associations will no longer give a misleading error about a failed unsync operation that did indeed succeed.","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"secrets/gcp: Update to vault-plugin-secrets-gcp@v0.22.1 to address more eventual consistency issues [[GH-31350](https://github.com/hashicorp/vault/pull/31350)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"ui: Fix kv v2 overview page from erroring if a user does not have access to the /subkeys endpoint and the policy check fails. [[GH-31136](https://github.com/hashicorp/vault/pull/31136)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"breaking","description":"ui: Fix mutation of unwrapped data when keys contain underscores [[GH-31287](https://github.com/hashicorp/vault/pull/31287)]","migration_hint":null},{"from_version":"1.20.0","to_version":"1.20.1","change_type":"deprecated","description":"plugins: Clarify usage of sha256, command, and version for plugin registration of binary or artifact with API and CLI. 
Introduce new RegisterPluginDetailed and RegisterPluginWithContextDetailed functions to API client to propagate response along with error, and mark RegisterPlugin and RegisterPluginWithContext as deprecated. [[GH-30811](https://github.com/hashicorp/vault/pull/30811)]","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"replication (enterprise): Fix bug with mount invalidations consuming excessive memory.","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"product usage reporting (enterprise): Clarify debug logs to accurately reflect when anonymous product usage reporting is enabled or disabled, especially since manual reporting is always initialized.","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"core/seal (enterprise): Fix a bug that caused the seal rewrap process to abort in the presence of partially sealed entries.","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"auth/cert: vault certificate auth method did not validate common name for non-ca certificates (CVE-2025-6037). test non-CA cert equality on login matching instead of individual fields. 
[[GH-31210](https://github.com/hashicorp/vault/pull/31210),[HCSEC-2025-18](https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037)]","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"core/mfa: vault login mfa bypass of rate limiting and totp token reuse (CVE-2025-6015) [[GH-31217](https://github.com/hashicorp/vault/pull/31297),[HCSEC-2025-19](https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038)]","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"auto-reporting (enterprise): Clarify debug logs to accurately reflect when automated license utilization reporting is enabled or disabled, especially since manual reporting is always initialized.","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"kmip (enterprise): Fix a panic that can happen when a KMIP client makes a request before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"plugins: Fix panics that can occur when a plugin audits a request or response before the Vault server has finished unsealing. 
[[GH-31266](https://github.com/hashicorp/vault/pull/31266)]","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"secrets/gcp: Update to vault-plugin-secrets-gcp@v0.21.4 to address more eventual consistency issues","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"secrets-sync (enterprise): Unsyncing secret-key granularity associations will no longer give a misleading error about a failed unsync operation that did indeed succeed.","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"audit: **breaking change** privileged vault operator may execute code on the underlying host (CVE-2025-6000). Vault will not unseal if the only configured file audit device has executable permissions (e.g., 0777, 0755). See recent [breaking change](https://developer.hashicorp.com/vault/docs/updates/important-changes#breaking-changes) docs for more details. [[GH-31211](https://github.com/hashicorp/vault/pull/31211),[HCSEC-2025-14](https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033)]","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"auth/userpass: timing side-channel in vault's userpass auth method (CVE-2025-6011)[HCSEC-2025-15](https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034)","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"core/login: vault userpass and ldap user lockout bypass (CVE-2025-6004). update alias lookahead to respect username case for LDAP and username/password. 
[[GH-31352](https://github.com/hashicorp/vault/pull/31352),[HCSEC-2025-16](https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035)]","migration_hint":null},{"from_version":"1.19.6","to_version":"1.19.7","change_type":"breaking","description":"secrets/totp: vault totp secrets engine code reuse (CVE-2025-6014) [[GH-31246](https://github.com/hashicorp/vault/pull/31246),[HCSEC-2025-17](https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036)]","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"api","description":"api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"api","description":"api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"behavior","description":"dockerfile: container will now run as vault user by default","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"behavior","description":"ldap auth (enterprise): Fix root password rotation for Active Directory by implementing UTF-16LE encoding and schema-specific handling. 
Adds new 'schema' config field (defaults to 'openldap' for backward compatibility).","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"identity: Repair the integrity of duplicate and/or dangling entity aliases.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"config/listener: logs warnings on invalid x-forwarded-for configurations.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"core: reject URL-encoded paths that do not specify a canonical 
path","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"core: Bump Go version to 1.25.9","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"core: Vault now rejects paths that are not canonical, such as paths containing double slashes (`path//to/resource`)","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"pki: Reject obviously unsafe validation targets during ACME HTTP-01 and TLS-ALPN-01 challenge verification","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"secrets/pki: Add ACME configuration fields challenge_permitted_ip_ranges and challenge_excluded_ip_ranges configuration to control which IP addresses are allowed or disallowed for challenge validation.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"audit/file: The logic preventing setting of executable bits on audit devices was enforced at unseal instead of just at new audit device creation, causing an error at unseal if an existing audit device had exec permissions. 
The logic now warns and clears exec bits to prevent unseal errors.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"auth/gcp: Fix intermittent context canceled failures for Workload Identity Federation (WIF) authentication","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"core (Enterprise): fix unaligned atomic panic in replication code on 32-bit platforms.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"core/managed-keys (enterprise): Fix a bug that prevented the max_parallel field of PKCS#11 managed keys from being updated.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"breaking","description":"events (enterprise): Fix missed events when multiple event clients specify the same namespace and event type filters and one client disconnects.","migration_hint":null},{"from_version":"1.19.15","to_version":"1.19.16","change_type":"removed","description":"core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if \"Authorization\" is explicitly included in the list of passthrough request headers.","migration_hint":null},{"from_version":"1.18.11","to_version":"1.18.12","change_type":"breaking","description":"plugins: Fix panics that can occur when a plugin audits a request or response before the Vault server has finished unsealing. 
[[GH-31266](https://github.com/hashicorp/vault/pull/31266)]","migration_hint":null},{"from_version":"1.18.11","to_version":"1.18.12","change_type":"breaking","description":"secrets-sync (enterprise): Unsyncing secret-key granularity associations will no longer give a misleading error about a failed unsync operation that did indeed succeed.","migration_hint":null},{"from_version":"1.18.11","to_version":"1.18.12","change_type":"breaking","description":"core/seal (enterprise): Fix a bug that caused the seal rewrap process to abort in the presence of partially sealed entries.","migration_hint":null},{"from_version":"1.18.11","to_version":"1.18.12","change_type":"breaking","description":"kmip (enterprise): Fix a panic that can happen when a KMIP client makes a request before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]","migration_hint":null},{"from_version":"1.18.11","to_version":"1.18.12","change_type":"breaking","description":"replication (enterprise): Fix bug with mount invalidations consuming excessive memory.","migration_hint":null},{"from_version":"1.18.11","to_version":"1.18.12","change_type":"breaking","description":"audit: **breaking change** privileged vault operator may execute code on the underlying host (CVE-2025-6000). Vault will not unseal if the only configured file audit device has executable permissions (e.g., 0777, 0755). See recent [breaking change](https://developer.hashicorp.com/vault/docs/updates/important-changes#breaking-changes) docs for more details. 
[[GH-31211](https://github.com/hashicorp/vault/pull/31211),[HCSEC-2025-14](https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033)]","migration_hint":null},{"from_version":"1.18.11","to_version":"1.18.12","change_type":"breaking","description":"auth/userpass: timing side-channel in vault's userpass auth method (CVE-2025-6011)[HCSEC-2025-15](https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034)","migration_hint":null},{"from_version":"1.18.11","to_version":"1.18.12","change_type":"breaking","description":"core/login: vault userpass and ldap user lockout bypass (CVE-2025-6004). update alias lookahead to respect username case for LDAP and username/password. [[GH-31352](https://github.com/hashicorp/vault/pull/31352),[HCSEC-2025-16](https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035)]","migration_hint":null},{"from_version":"1.18.11","to_version":"1.18.12","change_type":"breaking","description":"secrets/totp: vault totp secrets engine code reuse (CVE-2025-6014) [[GH-31246](https://github.com/hashicorp/vault/pull/31246),[HCSEC-2025-17](https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036)]","migration_hint":null},{"from_version":"1.18.11","to_version":"1.18.12","change_type":"breaking","description":"auth/cert: vault certificate auth method did not validate common name for non-ca certificates (CVE-2025-6037). test non-CA cert equality on login matching instead of individual fields. 
[[GH-31210](https://github.com/hashicorp/vault/pull/31210),[HCSEC-2025-18](https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037)]","migration_hint":null},{"from_version":"1.18.11","to_version":"1.18.12","change_type":"breaking","description":"core/mfa: vault login mfa bypass of rate limiting and totp token reuse (CVE-2025-6015) [[GH-31217](https://github.com/hashicorp/vault/pull/31297),[HCSEC-2025-19](https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"api","description":"api: Upgrade from github.com/go-jose/go-jose/v3 v3.0.3 to github.com/go-jose/go-jose/v4 v4.0.1. [[GH-26527](https://github.com/hashicorp/vault/pull/26527)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"auth/azure: Update plugin to v0.18.0 [[GH-27146](https://github.com/hashicorp/vault/pull/27146)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"auth/gcp: Update plugin to v0.18.0 [[GH-27140](https://github.com/hashicorp/vault/pull/27140)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"database/couchbase: Update plugin to v0.11.0 [[GH-27145](https://github.com/hashicorp/vault/pull/27145)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"database/elasticsearch: Update plugin to v0.15.0 [[GH-27136](https://github.com/hashicorp/vault/pull/27136)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"database/mongodbatlas: Update plugin to v0.12.0 
[[GH-27143](https://github.com/hashicorp/vault/pull/27143)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"database/redis-elasticache: Update plugin to v0.4.0 [[GH-27139](https://github.com/hashicorp/vault/pull/27139)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"database/redis: Update plugin to v0.3.0 [[GH-27117](https://github.com/hashicorp/vault/pull/27117)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"database/snowflake: Update plugin to v0.11.0 [[GH-27132](https://github.com/hashicorp/vault/pull/27132)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"sdk: String templates now have a maximum size of 100,000 characters. [[GH-26110](https://github.com/hashicorp/vault/pull/26110)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"secrets/ad: Update plugin to v0.18.0 [[GH-27172](https://github.com/hashicorp/vault/pull/27172)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"secrets/alicloud: Update plugin to v0.17.0 [[GH-27134](https://github.com/hashicorp/vault/pull/27134)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"auth/cf: Update plugin to v0.17.0 [[GH-27161](https://github.com/hashicorp/vault/pull/27161)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"auth/alicloud: Update plugin to v0.18.0 [[GH-27133](https://github.com/hashicorp/vault/pull/27133)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"auth/jwt: Update plugin to v0.20.3 that resolves a security issue with validating JWTs 
[[GH-26890](https://github.com/hashicorp/vault/pull/26890), [HCSEC-2024-11](https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"audit: breaking change - Vault now allows audit logs to contain 'correlation-id' and 'x-correlation-id' headers when they","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"auth/jwt: Update plugin to v0.20.2 [[GH-26291](https://github.com/hashicorp/vault/pull/26291)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"auth/kerberos: Update plugin to v0.12.0 [[GH-27177](https://github.com/hashicorp/vault/pull/27177)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"auth/kubernetes: Update plugin to v0.19.0 [[GH-27186](https://github.com/hashicorp/vault/pull/27186)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"auth/oci: Update plugin to v0.16.0 [[GH-27142](https://github.com/hashicorp/vault/pull/27142)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"core (enterprise): Seal High Availability (HA) must be enabled by `enable_multiseal` in configuration.","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"core/identity: improve performance for secondary nodes receiving identity related updates through replication [[GH-27184](https://github.com/hashicorp/vault/pull/27184)]","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"core: Bump Go version to 
1.22.4","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"breaking","description":"core: return an additional \"invalid token\" error message in 403 response when the provided request token is expired,","migration_hint":null},{"from_version":"1.16.31","to_version":"1.17.0","change_type":"removed","description":"auth/centrify: Remove the deprecated Centrify auth method plugin [[GH-27130](https://github.com/hashicorp/vault/pull/27130)]","migration_hint":null},{"from_version":"1.16.22","to_version":"1.16.23","change_type":"breaking","description":"plugins: Fix panics that can occur when a plugin audits a request or response before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]","migration_hint":null},{"from_version":"1.16.22","to_version":"1.16.23","change_type":"breaking","description":"secrets-sync (enterprise): Unsyncing secret-key granularity associations will no longer give a misleading error about a failed unsync operation that did indeed succeed.","migration_hint":null},{"from_version":"1.16.22","to_version":"1.16.23","change_type":"breaking","description":"audit: **breaking change** privileged vault operator may execute code on the underlying host (CVE-2025-6000). Vault will not unseal if the only configured file audit device has executable permissions (e.g., 0777, 0755). See recent [breaking change](https://developer.hashicorp.com/vault/docs/updates/important-changes#breaking-changes) docs for more details. 
[[GH-31211](https://github.com/hashicorp/vault/pull/31211),[HCSEC-2025-14](https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033)]","migration_hint":null},{"from_version":"1.16.22","to_version":"1.16.23","change_type":"breaking","description":"core/mfa: vault login mfa bypass of rate limiting and totp token reuse (CVE-2025-6015) [[GH-31217](https://github.com/hashicorp/vault/pull/31297),[HCSEC-2025-19](https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038)]","migration_hint":null},{"from_version":"1.16.22","to_version":"1.16.23","change_type":"breaking","description":"core/seal (enterprise): Fix a bug that caused the seal rewrap process to abort in the presence of partially sealed entries.","migration_hint":null},{"from_version":"1.16.22","to_version":"1.16.23","change_type":"breaking","description":"auth/userpass: timing side-channel in vault's userpass auth method (CVE-2025-6011)[HCSEC-2025-15](https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034)","migration_hint":null},{"from_version":"1.16.22","to_version":"1.16.23","change_type":"breaking","description":"core/login: vault userpass and ldap user lockout bypass (CVE-2025-6004). update alias lookahead to respect username case for LDAP and username/password. 
[[GH-31352](https://github.com/hashicorp/vault/pull/31352),[HCSEC-2025-16](https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035)]","migration_hint":null},{"from_version":"1.16.22","to_version":"1.16.23","change_type":"breaking","description":"secrets/totp: vault totp secrets engine code reuse (CVE-2025-6014) [[GH-31246](https://github.com/hashicorp/vault/pull/31246),[HCSEC-2025-17](https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036)]","migration_hint":null},{"from_version":"1.16.22","to_version":"1.16.23","change_type":"breaking","description":"kmip (enterprise): Fix a panic that can happen when a KMIP client makes a request before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]","migration_hint":null},{"from_version":"1.16.22","to_version":"1.16.23","change_type":"breaking","description":"auth/cert: vault certificate auth method did not validate common name for non-ca certificates (CVE-2025-6037). test non-CA cert equality on login matching instead of individual fields. [[GH-31210](https://github.com/hashicorp/vault/pull/31210),[HCSEC-2025-18](https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037)]","migration_hint":null}],"total":185,"note":"Curated major-version breaking changes. Always verify against the package's official changelog before migrating.","_cache":"miss"}