Vault - Package Updates

Package Updates

[1.82.0]

• Update vault to 1.21.0
• Full Changelog
• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled.
• activity: Renamed timestamp in export API response to token_creation_time.
• http: Add JSON configurable limits to HTTP handling for JSON payloads: max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count.
• AES-CBC in Transit (Enterprise): Add support for encryption and decryption with AES-CBC in the Transit Secrets Engine.
• KV v2 Version Attribution: Vault now includes attribution metadata for versioned KV secrets. This allows lookup of attribution information for each version of KV v2 secrets from CLI and API.
• Login MFA TOTP Self-Enrollment (Enterprise): Simplify creation of login MFA TOTP credentials for users, allowing them to self-enroll MFA TOTP using a QR code (TOTP secret) generated during login. The new functionality is configurable on the TOTP login MFA method configuration screen and via the enable_self_enrollment parameter in the API.
• activity (enterprise): Fix development_cluster setting being overwritten on performance secondaries upon cluster reload.
• auth/cert: Recover from partially populated caches of trusted certificates if one or more certificates fails to load.
• auth/spiffe: Address an issue updating a role with overlapping workload_id_pattern values it previously contained.
• core: Role based quotas now work for cert auth

Package Updates

[1.82.1]

• Update vault to 1.21.1
• Full Changelog

Package Updates

[1.82.2]

• Update vault to 1.21.2
• Full Changelog
• auth/oci: bump plugin to v0.20.1
• core: Bump Go version to 1.25.5
• packaging: Container images are now exported using a compressed OCI image layout.
• packaging: UBI container images are now built on the UBI 10 minimal image.
• secrets/azure: Update plugin to v0.25.1+ent. Improves retry handling during Azure application and service principal creation to reduce transient failures.
• storage: Upgrade aerospike client library to v8.
• core/activitylog (enterprise): Resolve a stability issue where Vault Enterprise could encounter a panic during month-end billing activity rollover.
• http: skip JSON limit parsing on cluster listener.
• quotas: Vault now protects plugins with ResolveRole operations from panicking on quota creation.
• replication (enterprise): fix rare panic due to race when enabling a secondary with Consul storage.

Package Updates

[1.82.4]

• Update vault to 1.21.4
• Full Changelog

Package Updates

[1.82.5]

• Fixup doc URL

Package Updates

[1.83.0]

• Update vault to 2.0.0
• Full Changelog
• PKI External CA (Enterprise): A new plugin that provides the ability to acquire PKI certificates from Public CA providers through the ACME protocol
• IBM PAO License Integration: Added IBM PAO license support, allowing usage of Vault Enterprise with an IBM PAO license key.
• A new configuration stanza license_entitlement is required in the Vault config to use an IBM license. For more details, see
• the License documentation.
• KMIP Bring Your Own CA: Add new API to manage multiple CAs for client verification and make it possible to import external CAs.
• LDAP Secrets Engine Enterprise Plugin: Add the new LDAP Secrets Engine Enterprise plugin. This enterprise version adds support for self-managed static roles and Rotation Manager support for automatic static role rotation. New plugin configurations can be set as "self managed", skipping the requirement for a bindpass field and allowing static roles to use their own password to rotate their credential. Automated static role credential rotation supports fine-grained scheduled rotations and retry policies through Vault Enterprise.
• Login MFA TOTP Self-Enrollment (Enterprise): Simplify creation of login MFA TOTP credentials for users, allowing them to self-enroll MFA TOTP using a QR code (TOTP secret) generated during login. The new functionality is configurable on the TOTP login MFA method configuration screen and via the enable_self_enrollment parameter in the API.
• Plugins (Enterprise): Allow overriding pinned version when creating and updating database engines
• Plugins (Enterprise): Allow overriding pinned version when enabling and tuning auth and secrets backends
• Template Integration for PublicPKICA: Vault Agent templates are now automatically re-rendered when a PKI external CA certificate is issued or renewed.

Package Updates

[1.83.1]

• fix: update doc links from /apps/ to /packages/

Package Updates

[1.83.2]

• Update vault to 2.0.1

Package Updates

[1.83.3]

• Update vault to 2.0.2
• Full Changelog
• containers: Remove cap_ipc_lock capability on vault at build time to allow running Vault in common container runtimes. Vault in containers will no longer be able to call mlock() to lock memory. Operators should set disable_mlock = true in Vault's configuration. Runtime operators are advised to disable swapping to guarantee data safety.
• secrets/ssh: RSA key sizes are now limited to a maximum size of 8192 bits addressing CVE-2026-39829
• plugins: Fix plugin signature verification failure with expired pgp key when registering a plugin.
• ui/transit: Fix key version dropdown selected state when editing a transit key.

Package Updates

[1.83.4]

• Update vault to 2.0.3
• Full Changelog
• auth/radius: Added case_insensitive_names toggle to prevent username collisions and enable case-insensitive user handling.
• core/acl: Fix LIST ACL bypass where a trailing-slash request could skip a more-specific deny rule.
• core: Use constant-time recovery token comparison
• core/acl: LIST requests with a trailing slash now correctly respect more-specific deny policies. Previously, a deny on path "kv/*" { deny } could be bypassed for LIST kv/private/ if a broader allow path "kv/*" also existed. Policies relying on the previous (incorrect) behavior may now be denied.
• core: Vault will now redirect non-canonicalized paths (containing /./, /../, or //) to a cleaned path, instead of rejecting these requests
• AI Agent Support (Beta/Enterprise): Adds beta support for first-class AI agents. Adds an Agent Registry to register agents, and adds support for using Vault as an OAuth resource server for registered agent entities. When configured, allows OAuth 2.0 JWTs to be used to directly authorize requests to Vault, without needing a Vault token.
• core/rotationMgr: Fix storage routing for local mounts in namespaces to prevent metadata replication and ensure GDPR compliance.
• secrets/pki: Fix PKI certificate issuance not_after time to respect max TTL.
• secrets/transit: Add managed key support to Transit rewrap endpoint.
• storage/raft: reject performance_multiplier values less than or equal to zero