Vault - Package Updates

Package Updates

[1.80.2]

• Update vault to 1.19.2
• Full Changelog
• core: Bump Go version to 1.23.8
• secrets/openldap: Update plugin to v0.15.4 [GH-30279]
• secrets/openldap: Prevent static role rotation on upgrade when NextVaultRotation is nil. Fixes an issue where static roles were unexpectedly rotated after upgrade due to a missing NextVaultRotation value. Now sets it to either LastVaultRotation + RotationPeriod or now + RotationPeriod. [GH-30265]
• secrets/pki (enterprise): Address a parsing bug that rejected CMPv2 requests containing a validity field.
• secrets/pki: fix a bug where key_usage was ignored when generating root certificates, and signing certain intermediate certificates. [GH-30034]
• secrets/transit: fix a panic when rotating on a managed key returns an error [GH-30214]

Package Updates

[1.80.3]

• Update vault to 1.19.3
• Full Changelog

Package Updates

[1.80.4]

• Update vault to 1.19.4
• Full Changelog
• Update vault-plugin-auth-cf to v0.20.1 GH-30586]
• auth/azure: Update plugin to v0.20.4 GH-30543]
• core: Bump Go version to 1.24.3.
• Namespaces (enterprise): allow a root token to relock a namespace
• core (enterprise): update to FIPS 140-3 cryptographic module in the FIPS builds.
• core: Updated code and documentation to support FIPS 140-3 compliant algorithms. GH-30576]
• core: support for X25519MLKEM768 (post quantum key agreement) in the Go TLS stack. GH-30603]
• ui: Replaces all instances of the deprecated event.keyCode with event.key GH-30493]
• core (enterprise): fix a bug where plugin automated root rotations would stop after seal/unseal operations
• plugins (enterprise): Fix an issue where Enterprise plugins can't run on a standby node when it becomes active because standby nodes don't extract the artifact when the plugin is registered. Remove extracting from Vault and require the operator to place the extracted artifact in the plugin directory before registration.

Package Updates

[1.80.5]

• Update vault to 1.19.5
• Full Changelog

Package Updates

[1.81.0]

• Update vault to 1.20.0
• Full Changelog
• core: require a nonce when cancelling a rekey operation that was initiated within the last 10 minutes. [GH-30794],[HCSEC-2025-11]
• UI: remove outdated and unneeded js string extensions [GH-29834]
• activity (enterprise): The sys/internal/counters/activity endpoint will return actual values for new clients in the current month.
• activity (enterprise): provided values for start_time and end_time in sys/internal/counters/activity are aligned to the corresponding billing period.
• activity: provided value for end_time in sys/internal/counters/activity is now capped at the end of the last completed month. [GH-30164]
• api: Update the default API client to check for the Retry-After header and, if it exists, wait for the specified duration before retrying the request. [GH-30887]
• auth/alicloud: Update plugin to v0.21.0 [GH-30810]
• auth/azure: Update plugin to v0.20.2. Login requires resource_group_name, vm_name, and vmss_name to match token claims [GH-30052]
• auth/azure: Update plugin to v0.20.3 [GH-30082]
• auth/azure: Update plugin to v0.20.4 [GH-30543]

Package Updates

[1.81.1]

• Update vault to 1.20.1
• Full Changelog

Package Updates

[1.81.2]

• Update vault to 1.20.2
• Full Changelog
• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled [GH-31427,HCSEC-2025-20].
• agent/template: Fixed issue where templates would not render correctly if namespaces was provided by config, and the namespace and mount path of the secret were the same. [GH-31392]
• identity/mfa: revert cache entry change from #​31217 and document cache entry values [GH-31421]

Package Updates

[1.81.3]

• Update vault to 1.20.3
• Full Changelog
• core: Bump Go version to 1.24.6. (ce56e14e)
• http: Add JSON configurable limits to HTTP handling for JSON payloads: max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count. [GH-31069]
• sdk: Upgrade to go-secure-stdlib/plugincontainer@v0.4.2, which also bumps github.com/docker/docker to v28.3.3+incompatible (8f172169)
• secrets/openldap (enterprise): update plugin to v0.16.1
• auth/ldap: add explicit logging to rotations in ldap [GH-31401]
• core (enterprise): improve rotation manager logging to include specific lines for rotation success and failure
• secrets/database: log password rotation success (info) and failure (error). Some relevant log lines have been updated to include "path" fields. [GH-31402]
• secrets/transit: add logging on both success and failure of key rotation [GH-31420]
• ui: Use the Helios Design System Code Block component for all readonly code editors and use its Code Editor component for all other code editors [GH-30188]
• core (enterprise): fix a bug where issuing a token in a namespace used root auth configuration instead of namespace auth configuration

Package Updates

[1.81.4]

• Update vault to 1.20.4
• Full Changelog
• core: Update github.com/ulikunitz/xz to fix security vulnerability GHSA-25xm-hr59-7c27. (ce4b4264)
• database/snowflake: Update plugin to v0.14.2 (9f06df77)
• Raft: Auto-join will now allow you to enforce IPv4 on networks that allow IPv6 and dual-stack enablement, which is on by default in certain regions. (1fd38796)
• auth/cert: Support RFC 9440 colon-wrapped Base64 certificates in x_forwarded_for_client_cert_header, to fix TLS certificate auth errors with Google Cloud Application Load Balancer. [GH-31501]
• secrets/database (enterprise): Add support for reading, listing, and recovering static roles from a loaded snapshot. Also add support for reading static credentials from a loaded snapshot. (24cd1aa5)
• secrets/ssh: Add support for recovering the SSH plugin CA from a loaded snapshot (enterprise only). (0087af9d)
• auth/cert: Recover from partially populated caches of trusted certificates if one or more certificates fails to load. [GH-31438]
• core: Role based quotas now work for cert auth (fc775dea)
• sys/mounts: enable unsetting allowed_response_headers [GH-31555]
• ui: Fix page loading error when users navigate away from identity entities and groups list views. (81170963)

Package Updates

[1.82.0]

• Update vault to 1.21.0
• Full Changelog
• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled.
• activity: Renamed timestamp in export API response to token_creation_time.
• http: Add JSON configurable limits to HTTP handling for JSON payloads: max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count.
• AES-CBC in Transit (Enterprise): Add support for encryption and decryption with AES-CBC in the Transit Secrets Engine.
• KV v2 Version Attribution: Vault now includes attribution metadata for versioned KV secrets. This allows lookup of attribution information for each version of KV v2 secrets from CLI and API.
• Login MFA TOTP Self-Enrollment (Enterprise): Simplify creation of login MFA TOTP credentials for users, allowing them to self-enroll MFA TOTP using a QR code (TOTP secret) generated during login. The new functionality is configurable on the TOTP login MFA method configuration screen and via the enable_self_enrollment parameter in the API.
• activity (enterprise): Fix development_cluster setting being overwritten on performance secondaries upon cluster reload.
• auth/cert: Recover from partially populated caches of trusted certificates if one or more certificates fails to load.
• auth/spiffe: Address an issue updating a role with overlapping workload_id_pattern values it previously contained.
• core: Role based quotas now work for cert auth