Vault - Package Updates

Package Updates

[1.80.5]

• Update vault to 1.19.5
• Full Changelog

Package Updates

[1.81.0]

• Update vault to 1.20.0
• Full Changelog
• core: require a nonce when cancelling a rekey operation that was initiated within the last 10 minutes. [GH-30794],[HCSEC-2025-11]
• UI: remove outdated and unneeded js string extensions [GH-29834]
• activity (enterprise): The sys/internal/counters/activity endpoint will return actual values for new clients in the current month.
• activity (enterprise): provided values for start_time and end_time in sys/internal/counters/activity are aligned to the corresponding billing period.
• activity: provided value for end_time in sys/internal/counters/activity is now capped at the end of the last completed month. [GH-30164]
• api: Update the default API client to check for the Retry-After header and, if it exists, wait for the specified duration before retrying the request. [GH-30887]
• auth/alicloud: Update plugin to v0.21.0 [GH-30810]
• auth/azure: Update plugin to v0.20.2. Login requires resource_group_name, vm_name, and vmss_name to match token claims [GH-30052]
• auth/azure: Update plugin to v0.20.3 [GH-30082]
• auth/azure: Update plugin to v0.20.4 [GH-30543]

Package Updates

[1.81.1]

• Update vault to 1.20.1
• Full Changelog

Package Updates

[1.81.2]

• Update vault to 1.20.2
• Full Changelog
• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled [GH-31427,HCSEC-2025-20].
• agent/template: Fixed issue where templates would not render correctly if namespaces was provided by config, and the namespace and mount path of the secret were the same. [GH-31392]
• identity/mfa: revert cache entry change from #​31217 and document cache entry values [GH-31421]

Package Updates

[1.81.3]

• Update vault to 1.20.3
• Full Changelog
• core: Bump Go version to 1.24.6. (ce56e14e)
• http: Add JSON configurable limits to HTTP handling for JSON payloads: max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count. [GH-31069]
• sdk: Upgrade to go-secure-stdlib/plugincontainer@v0.4.2, which also bumps github.com/docker/docker to v28.3.3+incompatible (8f172169)
• secrets/openldap (enterprise): update plugin to v0.16.1
• auth/ldap: add explicit logging to rotations in ldap [GH-31401]
• core (enterprise): improve rotation manager logging to include specific lines for rotation success and failure
• secrets/database: log password rotation success (info) and failure (error). Some relevant log lines have been updated to include "path" fields. [GH-31402]
• secrets/transit: add logging on both success and failure of key rotation [GH-31420]
• ui: Use the Helios Design System Code Block component for all readonly code editors and use its Code Editor component for all other code editors [GH-30188]
• core (enterprise): fix a bug where issuing a token in a namespace used root auth configuration instead of namespace auth configuration

Package Updates

[1.81.4]

• Update vault to 1.20.4
• Full Changelog
• core: Update github.com/ulikunitz/xz to fix security vulnerability GHSA-25xm-hr59-7c27. (ce4b4264)
• database/snowflake: Update plugin to v0.14.2 (9f06df77)
• Raft: Auto-join will now allow you to enforce IPv4 on networks that allow IPv6 and dual-stack enablement, which is on by default in certain regions. (1fd38796)
• auth/cert: Support RFC 9440 colon-wrapped Base64 certificates in x_forwarded_for_client_cert_header, to fix TLS certificate auth errors with Google Cloud Application Load Balancer. [GH-31501]
• secrets/database (enterprise): Add support for reading, listing, and recovering static roles from a loaded snapshot. Also add support for reading static credentials from a loaded snapshot. (24cd1aa5)
• secrets/ssh: Add support for recovering the SSH plugin CA from a loaded snapshot (enterprise only). (0087af9d)
• auth/cert: Recover from partially populated caches of trusted certificates if one or more certificates fails to load. [GH-31438]
• core: Role based quotas now work for cert auth (fc775dea)
• sys/mounts: enable unsetting allowed_response_headers [GH-31555]
• ui: Fix page loading error when users navigate away from identity entities and groups list views. (81170963)

Package Updates

[1.82.0]

• Update vault to 1.21.0
• Full Changelog
• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled.
• activity: Renamed timestamp in export API response to token_creation_time.
• http: Add JSON configurable limits to HTTP handling for JSON payloads: max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count.
• AES-CBC in Transit (Enterprise): Add support for encryption and decryption with AES-CBC in the Transit Secrets Engine.
• KV v2 Version Attribution: Vault now includes attribution metadata for versioned KV secrets. This allows lookup of attribution information for each version of KV v2 secrets from CLI and API.
• Login MFA TOTP Self-Enrollment (Enterprise): Simplify creation of login MFA TOTP credentials for users, allowing them to self-enroll MFA TOTP using a QR code (TOTP secret) generated during login. The new functionality is configurable on the TOTP login MFA method configuration screen and via the enable_self_enrollment parameter in the API.
• activity (enterprise): Fix development_cluster setting being overwritten on performance secondaries upon cluster reload.
• auth/cert: Recover from partially populated caches of trusted certificates if one or more certificates fails to load.
• auth/spiffe: Address an issue updating a role with overlapping workload_id_pattern values it previously contained.
• core: Role based quotas now work for cert auth

Package Updates

[1.82.1]

• Update vault to 1.21.1
• Full Changelog

Package Updates

[1.82.2]

• Update vault to 1.21.2
• Full Changelog
• auth/oci: bump plugin to v0.20.1
• core: Bump Go version to 1.25.5
• packaging: Container images are now exported using a compressed OCI image layout.
• packaging: UBI container images are now built on the UBI 10 minimal image.
• secrets/azure: Update plugin to v0.25.1+ent. Improves retry handling during Azure application and service principal creation to reduce transient failures.
• storage: Upgrade aerospike client library to v8.
• core/activitylog (enterprise): Resolve a stability issue where Vault Enterprise could encounter a panic during month-end billing activity rollover.
• http: skip JSON limit parsing on cluster listener.
• quotas: Vault now protects plugins with ResolveRole operations from panicking on quota creation.
• replication (enterprise): fix rare panic due to race when enabling a secondary with Consul storage.

Package Updates

[1.82.4]

• Update vault to 1.21.4
• Full Changelog