github.com/hashicorp/vault breaking changes

Language: go

185 curated breaking changes across major versions of github.com/hashicorp/vault. Use this as a migration checklist before bumping dependencies.

Breaking changes by transition
  • 1.21.5 \u2192 2.0.0api

    api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.

  • 1.21.5 \u2192 2.0.0api

    api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.21.5 \u2192 2.0.0behavior

    http: Added configurable `max_token_header_size` listener option (default 8 KB) to bound the size of authentication token headers (`X-Vault-Token` and `Authorization: Bearer`), preventing a potential denial-of-service attack via oversized header contents. The stdlib-level `MaxHeaderBytes` backstop is also now set on the HTTP server. Set `max_token_header_size = -1` to disable the limit.

  • 1.21.5 \u2192 2.0.0breaking

    auth/alicloud: Update plugin to [v0.23.1](https://github.com/hashicorp/vault-plugin-auth-alicloud/releases/tag/v0.23.1)

  • 1.21.5 \u2192 2.0.0breaking

    ui: disable scarf analytics for ui builds

  • 1.21.5 \u2192 2.0.0breaking

    vault/sdk: Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229

  • 1.21.5 \u2192 2.0.0breaking

    vault/sdk: Upgrade `go.opentelemetry.io/otel/sdk` to v1.40.0 to resolve GO-2026-4394

  • 1.21.5 \u2192 2.0.0breaking

    Update github.com/dvsekhvalnov/jose2go to fix security vulnerability CVE-2025-63811.

  • 1.21.5 \u2192 2.0.0breaking

    go: update to golang/x/crypto to v0.45.0 to resolve GHSA-f6x5-jh6r-wrfv, GHSA-j5w8-q4qc-rx2x, GO-2025-4134 and GO-2025-4135.

  • 1.21.5 \u2192 2.0.0breaking

    secrets/ldap (enterprise): Static roles will be migrated from a plugin-managed queue to the Vault Enterprise Rotation Manager system. Static role migration progress can be checked and managed through a new static-migration endpoint. See the [LDAP documentation](https://developer.hashicorp.com/vault/docs/secrets/ldap#static-role-migration-to-rotation-manager) for more details on this process.

  • 1.21.5 \u2192 2.0.0breaking

    sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.

  • 1.21.5 \u2192 2.0.0breaking

    Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229

  • 1.21.5 \u2192 2.0.0breaking

    Upgrade `filippo.io/edwards25519` to v1.1.1 to resolve GO-2026-4503

  • 1.21.5 \u2192 2.0.0breaking

    auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client

  • 1.21.5 \u2192 2.0.0breaking

    auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.

  • 1.21.5 \u2192 2.0.0breaking

    core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5

  • 1.21.5 \u2192 2.0.0breaking

    core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.

  • 1.21.5 \u2192 2.0.0breaking

    core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.21.5 \u2192 2.0.0breaking

    core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.

  • 1.21.5 \u2192 2.0.0breaking

    core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.

  • 1.21.5 \u2192 2.0.0breaking

    core: reject URL-encoded paths that do not specify a canonical path

  • 1.21.5 \u2192 2.0.0breaking

    sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5

  • 1.21.5 \u2192 2.0.0breaking

    sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.21.5 \u2192 2.0.0removed

    audit: A new top-level key called `supplemental_audit_data` can now appear within audit entries of type "response" within the request and response data structures. These new fields can contain data that further describe the request/response data and are mainly used for non-JSON based requests and responses to help auditing. The `audit-non-hmac-request-keys` and `audit-non-hmac-response-keys` apply to keys within `supplemental_audit_data` to remove the HMAC of the field values if so desired.

  • 1.21.5 \u2192 2.0.0removed

    core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.

  • 1.21.4 \u2192 1.21.5api

    api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.

  • 1.21.4 \u2192 1.21.5api

    transit (enterprise): Add context parameter to datakeys and derived-keys endpoint, to allow derived key encryption of the DEKs.

  • 1.21.4 \u2192 1.21.5api

    api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.21.4 \u2192 1.21.5behavior

    dockerfile: container will now run as vault user by default

  • 1.21.4 \u2192 1.21.5breaking

    secrets/pki: Add Freshest CRL extension (Delta CRL Distribution Points) to base CRLs

  • 1.21.4 \u2192 1.21.5breaking

    sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.

  • 1.21.4 \u2192 1.21.5breaking

    core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5

  • 1.21.4 \u2192 1.21.5breaking

    core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.

  • 1.21.4 \u2192 1.21.5breaking

    core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.21.4 \u2192 1.21.5breaking

    core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.

  • 1.21.4 \u2192 1.21.5breaking

    core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.

  • 1.21.4 \u2192 1.21.5breaking

    core: reject URL-encoded paths that do not specify a canonical path

  • 1.21.4 \u2192 1.21.5breaking

    sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5

  • 1.21.4 \u2192 1.21.5breaking

    sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.21.4 \u2192 1.21.5breaking

    core: Bump Go version to 1.25.9

  • 1.21.4 \u2192 1.21.5breaking

    core: Vault now rejects paths that are not canonical, such as paths containing double slashes (`path//to/resource`)

  • 1.21.4 \u2192 1.21.5breaking

    config/listener: logs warnings on invalid x-forwarded-for configurations.

  • 1.21.4 \u2192 1.21.5breaking

    events (enterprise): Forward event notifications from primary to secondary clusters

  • 1.21.4 \u2192 1.21.5breaking

    pki: Reject obviously unsafe validation targets during ACME HTTP-01 and TLS-ALPN-01 challenge verification

  • 1.21.4 \u2192 1.21.5breaking

    secrets/pki: Add ACME configuration fields challenge_permitted_ip_ranges and challenge_excluded_ip_ranges configuration to control which IP addresses are allowed or disallowed for challenge validation.

  • 1.21.4 \u2192 1.21.5breaking

    secrets/transit: Improve import errors for non-PKCS#8 keys to clearly require PKCS#8.

  • 1.21.4 \u2192 1.21.5breaking

    audit/file: The logic preventing setting of executable bits on audit devices was enforced at unseal instead of just at new audit device creation, causing an error at unseal if an existing audit device had exec permissions. The logic now warns and clears exec bits to prevent unseal errors.

  • 1.21.4 \u2192 1.21.5breaking

    auth/gcp: Fix intermittent context canceled failures for Workload Identity Federation (WIF) authentication

  • 1.21.4 \u2192 1.21.5breaking

    core (Enterprise): fix unaligned atomic panic in replication code on 32-bit platforms.

  • 1.21.4 \u2192 1.21.5removed

    core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.

  • 1.20.9 \u2192 1.20.10api

    api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.

  • 1.20.9 \u2192 1.20.10api

    api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.20.9 \u2192 1.20.10behavior

    dockerfile: container will now run as vault user by default

  • 1.20.9 \u2192 1.20.10breaking

    sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.

  • 1.20.9 \u2192 1.20.10breaking

    core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5

  • 1.20.9 \u2192 1.20.10breaking

    core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.

  • 1.20.9 \u2192 1.20.10breaking

    core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.20.9 \u2192 1.20.10breaking

    identity: Repair the integrity of duplicate and/or dangling entity aliases.

  • 1.20.9 \u2192 1.20.10breaking

    core (Enterprise): fix unaligned atomic panic in replication code on 32-bit platforms.

  • 1.20.9 \u2192 1.20.10breaking

    core/managed-keys (enterprise): Fix a bug that prevented the max_parallel field of PKCS#11 managed keys from being updated.

  • 1.20.9 \u2192 1.20.10breaking

    events (enterprise): Fix missed events when multiple event clients specify the same namespace and event type filters and one client disconnects.

  • 1.20.9 \u2192 1.20.10breaking

    pki: Reject obviously unsafe validation targets during ACME HTTP-01 and TLS-ALPN-01 challenge verification

  • 1.20.9 \u2192 1.20.10breaking

    secrets/pki: Add ACME configuration fields challenge_permitted_ip_ranges and challenge_excluded_ip_ranges configuration to control which IP addresses are allowed or disallowed for challenge validation.

  • 1.20.9 \u2192 1.20.10breaking

    secrets/pki: Add Freshest CRL extension (Delta CRL Distribution Points) to base CRLs

  • 1.20.9 \u2192 1.20.10breaking

    audit/file: The logic preventing setting of executable bits on audit devices was enforced at unseal instead of just at new audit device creation, causing an error at unseal if an existing audit device had exec permissions. The logic now warns and clears exec bits to prevent unseal errors.

  • 1.20.9 \u2192 1.20.10breaking

    auth/gcp: Fix intermittent context canceled failures for Workload Identity Federation (WIF) authentication

  • 1.20.9 \u2192 1.20.10breaking

    core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.

  • 1.20.9 \u2192 1.20.10breaking

    core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.

  • 1.20.9 \u2192 1.20.10breaking

    core: reject URL-encoded paths that do not specify a canonical path

  • 1.20.9 \u2192 1.20.10breaking

    sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5

  • 1.20.9 \u2192 1.20.10breaking

    sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.20.9 \u2192 1.20.10breaking

    core: Bump Go version to 1.25.9

  • 1.20.9 \u2192 1.20.10breaking

    core: Vault now rejects paths that are not canonical, such as paths containing double slashes (`path//to/resource`)

  • 1.20.9 \u2192 1.20.10breaking

    config/listener: logs warnings on invalid x-forwarded-for configurations.

  • 1.20.9 \u2192 1.20.10removed

    core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.

  • 1.20.0 \u2192 1.20.1api

    openapi: Add OpenAPI support for secret recovery operations. [[GH-31331](https://github.com/hashicorp/vault/pull/31331)]

  • 1.20.0 \u2192 1.20.1api

    auth/scep (enterprise): enforce the token_bound_cidrs role parameter within SCEP roles

  • 1.20.0 \u2192 1.20.1api

    **Post-Quantum Cryptography Support**: Experimental support for PQC signatures with SLH-DSA in Transit.

  • 1.20.0 \u2192 1.20.1api

    ui: Fix capability checks for api resources with underscores to properly hide actions and dropdown items a user cannot perform [[GH-31271](https://github.com/hashicorp/vault/pull/31271)]

  • 1.20.0 \u2192 1.20.1breaking

    activity (enterprise): Fix `development_cluster` setting being overwritten on performance secondaries upon cluster reload. [[GH-31223](https://github.com/hashicorp/vault/pull/31223)]

  • 1.20.0 \u2192 1.20.1breaking

    audit: **breaking change** privileged vault operator may execute code on the underlying host (CVE-2025-6000). Vault will not unseal if the only configured file audit device has executable permissions (e.g., 0777, 0755). See recent [breaking change](https://developer.hashicorp.com/vault/docs/updates/important-changes#breaking-changes) docs for more details. [[GH-31211](https://github.com/hashicorp/vault/pull/31211),[HCSEC-2025-14](https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033)]

  • 1.20.0 \u2192 1.20.1breaking

    auth/userpass: timing side-channel in vault's userpass auth method (CVE-2025-6011)[HCSEC-2025-15](https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034)

  • 1.20.0 \u2192 1.20.1breaking

    core/login: vault userpass and ldap user lockout bypass (CVE-2025-6004). update alias lookahead to respect username case for LDAP and username/password. [[GH-31352](https://github.com/hashicorp/vault/pull/31352),[HCSEC-2025-16](https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035)]

  • 1.20.0 \u2192 1.20.1breaking

    secrets/totp: vault totp secrets engine code reuse (CVE-2025-6014) [[GH-31246](https://github.com/hashicorp/vault/pull/31246),[HCSEC-2025-17](https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036)]

  • 1.20.0 \u2192 1.20.1breaking

    auth/cert: vault certificate auth method did not validate common name for non-ca certificates (CVE-2025-6037). test non-CA cert equality on login matching instead of individual fields. [[GH-31210](https://github.com/hashicorp/vault/pull/31210),[HCSEC-2025-18](https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037)]

  • 1.20.0 \u2192 1.20.1breaking

    core/mfa: vault login mfa bypass of rate limiting and totp token reuse (CVE-2025-6015) [[GH-31217](https://github.com/hashicorp/vault/pull/31297),[HCSEC-2025-19](https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038)]

  • 1.20.0 \u2192 1.20.1breaking

    Plugin Downloads (enterprise): add CLI `-download` option for plugin register (beta)

  • 1.20.0 \u2192 1.20.1breaking

    secrets/pki (enterprise): enable separately-configured logging for SCEP-enrollment.

  • 1.20.0 \u2192 1.20.1breaking

    secrets/pki: Add the digest OID when logging SCEP digest mismatch errors. [[GH-31232](https://github.com/hashicorp/vault/pull/31232)]

  • 1.20.0 \u2192 1.20.1breaking

    auto-reporting (enterprise): Clarify debug logs to accurately reflect when automated license utilization reporting is enabled or disabled, especially since manual reporting is always initialized.

  • 1.20.0 \u2192 1.20.1breaking

    core/seal (enterprise): Fix a bug that caused the seal rewrap process to abort in the presence of partially sealed entries.

  • 1.20.0 \u2192 1.20.1breaking

    kmip (enterprise): Fix a panic that can happen when a KMIP client makes a request before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]

  • 1.20.0 \u2192 1.20.1breaking

    plugins: Fix panics that can occur when a plugin audits a request or response before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]

  • 1.20.0 \u2192 1.20.1breaking

    product usage reporting (enterprise): Clarify debug logs to accurately reflect when anonymous product usage reporting is enabled or disabled, especially since manual reporting is always initialized.

  • 1.20.0 \u2192 1.20.1breaking

    replication (enterprise): Fix bug with mount invalidations consuming excessive memory.

  • 1.20.0 \u2192 1.20.1breaking

    secrets-sync (enterprise): Unsyncing secret-key granularity associations will no longer give a misleading error about a failed unsync operation that did indeed succeed.

  • 1.20.0 \u2192 1.20.1breaking

    secrets/gcp: Update to [email protected] to address more eventual consistency issues [[GH-31350](https://github.com/hashicorp/vault/pull/31350)]

  • 1.20.0 \u2192 1.20.1breaking

    ui: Fix kv v2 overview page from erroring if a user does not have access to the /subkeys endpoint and the policy check fails. [[GH-31136](https://github.com/hashicorp/vault/pull/31136)]

  • 1.20.0 \u2192 1.20.1breaking

    ui: Fix mutation of unwrapped data when keys contain underscores [[GH-31287](https://github.com/hashicorp/vault/pull/31287)]

  • 1.20.0 \u2192 1.20.1deprecated

    plugins: Clarify usage of sha256, command, and version for plugin registration of binary or artifact with API and CLI. Introduce new RegisterPluginDetailed and RegisterPluginWtihContextDetailed functions to API client to propagate response along with error, and mark RegisterPlugin and RegisterPluginWithContext as deprecated. [[GH-30811](https://github.com/hashicorp/vault/pull/30811)]

  • 1.19.6 \u2192 1.19.7breaking

    replication (enterprise): Fix bug with mount invalidations consuming excessive memory.

  • 1.19.6 \u2192 1.19.7breaking

    product usage reporting (enterprise): Clarify debug logs to accurately reflect when anonymous product usage reporting is enabled or disabled, especially since manual reporting is always initialized.

  • 1.19.6 \u2192 1.19.7breaking

    core/seal (enterprise): Fix a bug that caused the seal rewrap process to abort in the presence of partially sealed entries.

  • 1.19.6 \u2192 1.19.7breaking

    auth/cert: vault certificate auth method did not validate common name for non-ca certificates (CVE-2025-6037). test non-CA cert equality on login matching instead of individual fields. [[GH-31210](https://github.com/hashicorp/vault/pull/31210),[HCSEC-2025-18](https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037)]

  • 1.19.6 \u2192 1.19.7breaking

    core/mfa: vault login mfa bypass of rate limiting and totp token reuse (CVE-2025-6015) [[GH-31217](https://github.com/hashicorp/vault/pull/31297),[HCSEC-2025-19](https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038)]

  • 1.19.6 \u2192 1.19.7breaking

    auto-reporting (enterprise): Clarify debug logs to accurately reflect when automated license utilization reporting is enabled or disabled, especially since manual reporting is always initialized.

  • 1.19.6 \u2192 1.19.7breaking

    kmip (enterprise): Fix a panic that can happen when a KMIP client makes a request before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]

  • 1.19.6 \u2192 1.19.7breaking

    plugins: Fix panics that can occur when a plugin audits a request or response before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]

  • 1.19.6 \u2192 1.19.7breaking

    secrets/gcp: Update to [email protected] to address more eventual consistency issues

  • 1.19.6 \u2192 1.19.7breaking

    secrets-sync (enterprise): Unsyncing secret-key granularity associations will no longer give a misleading error about a failed unsync operation that did indeed succeed.

  • 1.19.6 \u2192 1.19.7breaking

    audit: **breaking change** privileged vault operator may execute code on the underlying host (CVE-2025-6000). Vault will not unseal if the only configured file audit device has executable permissions (e.g., 0777, 0755). See recent [breaking change](https://developer.hashicorp.com/vault/docs/updates/important-changes#breaking-changes) docs for more details. [[GH-31211](https://github.com/hashicorp/vault/pull/31211),[HCSEC-2025-14](https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033)]

  • 1.19.6 \u2192 1.19.7breaking

    auth/userpass: timing side-channel in vault's userpass auth method (CVE-2025-6011)[HCSEC-2025-15](https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034)

  • 1.19.6 \u2192 1.19.7breaking

    core/login: vault userpass and ldap user lockout bypass (CVE-2025-6004). update alias lookahead to respect username case for LDAP and username/password. [[GH-31352](https://github.com/hashicorp/vault/pull/31352),[HCSEC-2025-16](https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035)]

  • 1.19.6 \u2192 1.19.7breaking

    secrets/totp: vault totp secrets engine code reuse (CVE-2025-6014) [[GH-31246](https://github.com/hashicorp/vault/pull/31246),[HCSEC-2025-17](https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036)]

  • 1.19.15 \u2192 1.19.16api

    api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.

  • 1.19.15 \u2192 1.19.16api

    api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.19.15 \u2192 1.19.16behavior

    dockerfile: container will now run as vault user by default

  • 1.19.15 \u2192 1.19.16behavior

    ldap auth (enterprise): Fix root password rotation for Active Directory by implementing UTF-16LE encoding and schema-specific handling. Adds new 'schema' config field (defaults to 'openldap' for backward compatibility).

  • 1.19.15 \u2192 1.19.16breaking

    identity: Repair the integrity of duplicate and/or dangling entity aliases.

  • 1.19.15 \u2192 1.19.16breaking

    config/listener: logs warnings on invalid x-forwarded-for configurations.

  • 1.19.15 \u2192 1.19.16breaking

    sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.

  • 1.19.15 \u2192 1.19.16breaking

    core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5

  • 1.19.15 \u2192 1.19.16breaking

    core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.

  • 1.19.15 \u2192 1.19.16breaking

    core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.19.15 \u2192 1.19.16breaking

    core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.

  • 1.19.15 \u2192 1.19.16breaking

    core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.

  • 1.19.15 \u2192 1.19.16breaking

    core: reject URL-encoded paths that do not specify a canonical path

  • 1.19.15 \u2192 1.19.16breaking

    sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5

  • 1.19.15 \u2192 1.19.16breaking

    sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.

  • 1.19.15 \u2192 1.19.16breaking

    core: Bump Go version to 1.25.9

  • 1.19.15 \u2192 1.19.16breaking

    core: Vault now rejects paths that are not canonical, such as paths containing double slashes (`path//to/resource`)

  • 1.19.15 \u2192 1.19.16breaking

    pki: Reject obviously unsafe validation targets during ACME HTTP-01 and TLS-ALPN-01 challenge verification

  • 1.19.15 \u2192 1.19.16breaking

    secrets/pki: Add ACME configuration fields challenge_permitted_ip_ranges and challenge_excluded_ip_ranges configuration to control which IP addresses are allowed or disallowed for challenge validation.

  • 1.19.15 \u2192 1.19.16breaking

    audit/file: The logic preventing setting of executable bits on audit devices was enforced at unseal instead of just at new audit device creation, causing an error at unseal if an existing audit device had exec permissions. The logic now warns and clears exec bits to prevent unseal errors.

  • 1.19.15 \u2192 1.19.16breaking

    auth/gcp: Fix intermittent context canceled failures for Workload Identity Federation (WIF) authentication

  • 1.19.15 \u2192 1.19.16breaking

    core (Enterprise): fix unaligned atomic panic in replication code on 32-bit platforms.

  • 1.19.15 \u2192 1.19.16breaking

    core/managed-keys (enterprise): Fix a bug that prevented the max_parallel field of PKCS#11 managed keys from being updated.

  • 1.19.15 \u2192 1.19.16breaking

    events (enterprise): Fix missed events when multiple event clients specify the same namespace and event type filters and one client disconnects.

  • 1.19.15 \u2192 1.19.16removed

    core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.

  • 1.18.11 \u2192 1.18.12breaking

    plugins: Fix panics that can occur when a plugin audits a request or response before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]

  • 1.18.11 \u2192 1.18.12breaking

    secrets-sync (enterprise): Unsyncing secret-key granularity associations will no longer give a misleading error about a failed unsync operation that did indeed succeed.

  • 1.18.11 \u2192 1.18.12breaking

    core/seal (enterprise): Fix a bug that caused the seal rewrap process to abort in the presence of partially sealed entries.

  • 1.18.11 \u2192 1.18.12breaking

    kmip (enterprise): Fix a panic that can happen when a KMIP client makes a request before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]

  • 1.18.11 \u2192 1.18.12breaking

    replication (enterprise): Fix bug with mount invalidations consuming excessive memory.

  • 1.18.11 \u2192 1.18.12breaking

    audit: **breaking change** privileged vault operator may execute code on the underlying host (CVE-2025-6000). Vault will not unseal if the only configured file audit device has executable permissions (e.g., 0777, 0755). See recent [breaking change](https://developer.hashicorp.com/vault/docs/updates/important-changes#breaking-changes) docs for more details. [[GH-31211](https://github.com/hashicorp/vault/pull/31211),[HCSEC-2025-14](https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033)]

  • 1.18.11 \u2192 1.18.12breaking

    auth/userpass: timing side-channel in vault's userpass auth method (CVE-2025-6011)[HCSEC-2025-15](https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034)

  • 1.18.11 \u2192 1.18.12breaking

    core/login: vault userpass and ldap user lockout bypass (CVE-2025-6004). update alias lookahead to respect username case for LDAP and username/password. [[GH-31352](https://github.com/hashicorp/vault/pull/31352),[HCSEC-2025-16](https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035)]

  • 1.18.11 \u2192 1.18.12breaking

    secrets/totp: vault totp secrets engine code reuse (CVE-2025-6014) [[GH-31246](https://github.com/hashicorp/vault/pull/31246),[HCSEC-2025-17](https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036)]

  • 1.18.11 \u2192 1.18.12breaking

    auth/cert: vault certificate auth method did not validate common name for non-ca certificates (CVE-2025-6037). test non-CA cert equality on login matching instead of individual fields. [[GH-31210](https://github.com/hashicorp/vault/pull/31210),[HCSEC-2025-18](https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037)]

  • 1.18.11 \u2192 1.18.12breaking

    core/mfa: vault login mfa bypass of rate limiting and totp token reuse (CVE-2025-6015) [[GH-31217](https://github.com/hashicorp/vault/pull/31297),[HCSEC-2025-19](https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038)]

  • 1.16.31 \u2192 1.17.0api

    api: Upgrade from github.com/go-jose/go-jose/v3 v3.0.3 to github.com/go-jose/go-jose/v4 v4.0.1. [[GH-26527](https://github.com/hashicorp/vault/pull/26527)]

  • 1.16.31 \u2192 1.17.0breaking

    auth/azure: Update plugin to v0.18.0 [[GH-27146](https://github.com/hashicorp/vault/pull/27146)]

  • 1.16.31 \u2192 1.17.0breaking

    auth/gcp: Update plugin to v0.18.0 [[GH-27140](https://github.com/hashicorp/vault/pull/27140)]

  • 1.16.31 \u2192 1.17.0breaking

    database/couchbase: Update plugin to v0.11.0 [[GH-27145](https://github.com/hashicorp/vault/pull/27145)]

  • 1.16.31 \u2192 1.17.0breaking

    database/elasticsearch: Update plugin to v0.15.0 [[GH-27136](https://github.com/hashicorp/vault/pull/27136)]

  • 1.16.31 \u2192 1.17.0breaking

    database/mongodbatlas: Update plugin to v0.12.0 [[GH-27143](https://github.com/hashicorp/vault/pull/27143)]

  • 1.16.31 \u2192 1.17.0breaking

    database/redis-elasticache: Update plugin to v0.4.0 [[GH-27139](https://github.com/hashicorp/vault/pull/27139)]

  • 1.16.31 \u2192 1.17.0breaking

    database/redis: Update plugin to v0.3.0 [[GH-27117](https://github.com/hashicorp/vault/pull/27117)]

  • 1.16.31 \u2192 1.17.0breaking

    database/snowflake: Update plugin to v0.11.0 [[GH-27132](https://github.com/hashicorp/vault/pull/27132)]

  • 1.16.31 \u2192 1.17.0breaking

    sdk: String templates now have a maximum size of 100,000 characters. [[GH-26110](https://github.com/hashicorp/vault/pull/26110)]

  • 1.16.31 \u2192 1.17.0breaking

    secrets/ad: Update plugin to v0.18.0 [[GH-27172](https://github.com/hashicorp/vault/pull/27172)]

  • 1.16.31 \u2192 1.17.0breaking

    secrets/alicloud: Update plugin to v0.17.0 [[GH-27134](https://github.com/hashicorp/vault/pull/27134)]

  • 1.16.31 \u2192 1.17.0breaking

    auth/cf: Update plugin to v0.17.0 [[GH-27161](https://github.com/hashicorp/vault/pull/27161)]

  • 1.16.31 \u2192 1.17.0breaking

    auth/alicloud: Update plugin to v0.18.0 [[GH-27133](https://github.com/hashicorp/vault/pull/27133)]

  • 1.16.31 \u2192 1.17.0breaking

    auth/jwt: Update plugin to v0.20.3 that resolves a security issue with validing JWTs [[GH-26890](https://github.com/hashicorp/vault/pull/26890), [HCSEC-2024-11](https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770)]

  • 1.16.31 \u2192 1.17.0breaking

    audit: breaking change - Vault now allows audit logs to contain 'correlation-id' and 'x-correlation-id' headers when they

  • 1.16.31 \u2192 1.17.0breaking

    auth/jwt: Update plugin to v0.20.2 [[GH-26291](https://github.com/hashicorp/vault/pull/26291)]

  • 1.16.31 \u2192 1.17.0breaking

    auth/kerberos: Update plugin to v0.12.0 [[GH-27177](https://github.com/hashicorp/vault/pull/27177)]

  • 1.16.31 → 1.17.0 breaking

    auth/kubernetes: Update plugin to v0.19.0 [[GH-27186](https://github.com/hashicorp/vault/pull/27186)]

  • 1.16.31 → 1.17.0 breaking

    auth/oci: Update plugin to v0.16.0 [[GH-27142](https://github.com/hashicorp/vault/pull/27142)]

  • 1.16.31 → 1.17.0 breaking

    core (enterprise): Seal High Availability (HA) must be enabled by `enable_multiseal` in configuration.

  • 1.16.31 → 1.17.0 breaking

    core/identity: improve performance for secondary nodes receiving identity related updates through replication [[GH-27184](https://github.com/hashicorp/vault/pull/27184)]

  • 1.16.31 → 1.17.0 breaking

    core: Bump Go version to 1.22.4

  • 1.16.31 → 1.17.0 breaking

    core: return an additional "invalid token" error message in 403 response when the provided request token is expired,

  • 1.16.31 → 1.17.0 removed

    auth/centrify: Remove the deprecated Centrify auth method plugin [[GH-27130](https://github.com/hashicorp/vault/pull/27130)]

  • 1.16.22 → 1.16.23 breaking

    plugins: Fix panics that can occur when a plugin audits a request or response before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]

  • 1.16.22 → 1.16.23 breaking

    secrets-sync (enterprise): Unsyncing secret-key granularity associations will no longer give a misleading error about a failed unsync operation that did indeed succeed.

  • 1.16.22 → 1.16.23 breaking

    audit: **breaking change** privileged Vault operator may execute code on the underlying host (CVE-2025-6000). Vault will not unseal if the only configured file audit device has executable permissions (e.g., 0777, 0755). See the recent [breaking change](https://developer.hashicorp.com/vault/docs/updates/important-changes#breaking-changes) docs for more details. [[GH-31211](https://github.com/hashicorp/vault/pull/31211), [HCSEC-2025-14](https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033)]

  • 1.16.22 → 1.16.23 breaking

    core/mfa: Vault login MFA bypass of rate limiting and TOTP token reuse (CVE-2025-6015) [[GH-31217](https://github.com/hashicorp/vault/pull/31297), [HCSEC-2025-19](https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038)]

  • 1.16.22 → 1.16.23 breaking

    core/seal (enterprise): Fix a bug that caused the seal rewrap process to abort in the presence of partially sealed entries.

  • 1.16.22 → 1.16.23 breaking

    auth/userpass: Timing side-channel in Vault's userpass auth method (CVE-2025-6011) [[HCSEC-2025-15](https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034)]

  • 1.16.22 → 1.16.23 breaking

    core/login: Vault userpass and LDAP user lockout bypass (CVE-2025-6004). Update alias lookahead to respect username case for LDAP and username/password. [[GH-31352](https://github.com/hashicorp/vault/pull/31352), [HCSEC-2025-16](https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035)]

  • 1.16.22 → 1.16.23 breaking

    secrets/totp: Vault TOTP secrets engine code reuse (CVE-2025-6014) [[GH-31246](https://github.com/hashicorp/vault/pull/31246), [HCSEC-2025-17](https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036)]

  • 1.16.22 → 1.16.23 breaking

    kmip (enterprise): Fix a panic that can happen when a KMIP client makes a request before the Vault server has finished unsealing. [[GH-31266](https://github.com/hashicorp/vault/pull/31266)]

  • 1.16.22 → 1.16.23 breaking

    auth/cert: Vault certificate auth method did not validate common name for non-CA certificates (CVE-2025-6037). Test non-CA cert equality on login matching instead of individual fields. [[GH-31210](https://github.com/hashicorp/vault/pull/31210), [HCSEC-2025-18](https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037)]

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/breaking/go/github.com/hashicorp/vault