GitPedia
Home/hashicorp/vault/Changelog
hashicorp

hashicorp/vault

A tool for secrets management, encryption as a service, and privileged access management

30 Releases
Latest: 1w ago
v2.0.2Latest
ryancragunryancragun·1w ago·June 5, 2026
GitHub

📋 Changes

  • containers: Remove `cap_ipc_lock` capability on `vault` at build time to allow running Vault in common container runtimes. Vault in containers will no longer be able to call `mlock()` to lock memory. Operators should set `disable_mlock = true` in Vault's configuration. Runtime operators are advised to disable swapping to guarantee data safety.
  • secrets/ssh: RSA key sizes are now limited to a maximum size of 8192 bits addressing CVE-2026-39829
  • core: Bump Go version to 1.26.4
  • secrets/azure (enterprise): Update plugin to [v0.26.4+ent](https://github.com/hashicorp/vault-plugin-secrets-azure-enterprise/releases/tag/v0.26.4+ent)
  • plugins: Fix plugin signature verification failure with expired pgp key when registering a plugin.
  • ui/transit: Fix key version dropdown selected state when editing a transit key.
v2.0.1
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·3w ago·May 19, 2026
GitHub

📋 Changes

  • containers: set cap_ipc_lock capability on vault at build time. Container runtimes will need to add IPC_LOCK capabilities when running the vault container.
  • api: Update golang.org/x/net to resolve GO-2026-4918"
  • core/identity: reject wildcards in rendered identity templates
  • core: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
  • core: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
  • core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
  • core: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
  • core: Update golang.org/x/net to resolve GO-2026-4918"
  • + 59 more
v2.0.0
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·2mo ago·April 14, 2026
GitHub

📋 Changes

  • sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.
  • Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
  • Upgrade `filippo.io/edwards25519` to v1.1.1 to resolve GO-2026-4503
  • api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.
  • api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
  • auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client
  • auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.
  • core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.
  • + 221 more
v2.0.0-rc1Pre-release
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·2mo ago·April 3, 2026
GitHub
v1.21.4
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·3mo ago·March 5, 2026
GitHub

📋 Changes

  • Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
  • Upgrade `filippo.io/edwards25519` to v1.1.1 to resolve GO-2026-4503
  • vault/sdk: Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
  • vault/sdk: Upgrade `go.opentelemetry.io/otel/sdk` to v1.40.0 to resolve GO-2026-4394
  • core: Bump Go version to 1.25.7
  • mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
  • ui: Remove ability to bulk delete secrets engines from the list view.
  • core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
  • + 12 more
v1.21.3
ej-hashiej-hashi·3mo ago·March 4, 2026
GitHub

📦 February 05, 2026

  • SECURITY:
  • auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.
  • CHANGES:
  • core: Bump Go version to 1.25.6
  • FEATURES:
  • UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries
  • IMPROVEMENTS:
  • core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials
  • + 10 more
v1.21.2
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·5mo ago·January 7, 2026
GitHub

📦 January 07, 2026

  • CHANGES:
  • auth/oci: bump plugin to v0.20.1
  • core: Bump Go version to 1.25.5
  • packaging: Container images are now exported using a compressed OCI image layout.
  • packaging: UBI container images are now built on the UBI 10 minimal image.
  • secrets/azure: Update plugin to v0.25.1+ent. Improves retry handling during Azure application and service principal creation to reduce transient failures.
  • storage: Upgrade aerospike client library to v8.
  • IMPROVEMENTS:
  • + 17 more
v1.21.1
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·6mo ago·November 19, 2025
GitHub

📦 November 20, 2025

  • SECURITY:
  • auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client
  • ui: disable scarf analytics for ui builds
  • CHANGES:
  • auth/kubernetes: Update plugin to [v0.23.1](https://github.com/hashicorp/vault-plugin-auth-kubernetes/releases/tag/v0.23.1)
  • auth/saml: Update plugin to [v0.7.0](https://github.com/hashicorp/vault-plugin-auth-saml/releases/tag/v0.7.0)
  • auth/saml: Update plugin to v0.7.1, which adds the environment variable VAULT_SAML_DENY_INTERNAL_URLS to allow prevention of idp_metadata_url, idp_sso_url, or acs_urls fields from containing URLs that resolve to internal IP addresses
  • core: Bump Go version to 1.25.4
  • + 42 more
v1.21.0
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·7mo ago·October 22, 2025
GitHub
v1.21.0-rc1Pre-release
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·8mo ago·October 10, 2025
GitHub
v1.20.4
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·8mo ago·September 24, 2025
GitHub
v1.20.3
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·9mo ago·August 28, 2025
GitHub
v1.20.2
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·10mo ago·August 6, 2025
GitHub

📦 August 06, 2025

  • SECURITY:
  • auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled [[GH-31427](https://github.com/hashicorp/vault/pull/31427),[HCSEC-2025-20](https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092)].
  • BUG FIXES:
  • agent/template: Fixed issue where templates would not render correctly if namespaces was provided by config, and the namespace and mount path of the secret were the same. [[GH-31392](https://github.com/hashicorp/vault/pull/31392)]
  • identity/mfa: revert cache entry change from #31217 and document cache entry values [[GH-31421](https://github.com/hashicorp/vault/pull/31421)]
v1.20.1
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·10mo ago·July 24, 2025
GitHub
v1.20.0
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·11mo ago·June 25, 2025
GitHub

📦 June 25, 2025

  • SECURITY:
  • core: require a nonce when cancelling a rekey operation that was initiated within the last 10 minutes. [[GH-30794](https://github.com/hashicorp/vault/pull/30794)]
  • CHANGES:
  • UI: remove outdated and unneeded js string extensions [[GH-29834](https://github.com/hashicorp/vault/pull/29834)]
  • activity (enterprise): The sys/internal/counters/activity endpoint will return actual values for new clients in the current month.
  • activity (enterprise): provided values for `start_time` and `end_time` in `sys/internal/counters/activity` are aligned to the corresponding billing period.
  • activity: provided value for `end_time` in `sys/internal/counters/activity` is now capped at the end of the last completed month. [[GH-30164](https://github.com/hashicorp/vault/pull/30164)]
  • api: Update the default API client to check for the `Retry-After` header and, if it exists, wait for the specified duration before retrying the request. [[GH-30887](https://github.com/hashicorp/vault/pull/30887)]
  • + 156 more
v1.20.0-rc2Pre-release
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·12mo ago·June 17, 2025
GitHub
v1.20.0-rc1Pre-release
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·June 12, 2025
GitHub

📦 June 11, 2025

  • SECURITY:
  • core: require a nonce when cancelling a rekey operation that was initiated within the last 10 minutes. [[GH-30794](https://github.com/hashicorp/vault/pull/30794)]
  • CHANGES:
  • UI: remove outdated and unneeded js string extensions [[GH-29834](https://github.com/hashicorp/vault/pull/29834)]
  • activity (enterprise): The sys/internal/counters/activity endpoint will return actual values for new clients in the current month.
  • activity (enterprise): provided values for `start_time` and `end_time` in `sys/internal/counters/activity` are aligned to the corresponding billing period.
  • activity: provided value for `end_time` in `sys/internal/counters/activity` is now capped at the end of the last completed month. [[GH-30164](https://github.com/hashicorp/vault/pull/30164)]
  • auth/alicloud: Update plugin to v0.21.0 [[GH-30810](https://github.com/hashicorp/vault/pull/30810)]
  • + 137 more
v1.19.5
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·May 29, 2025
GitHub

📦 May 30, 2025

  • Enterprise LTS: Vault Enterprise 1.19 is a [Long-Term Support (LTS)](https://developer.hashicorp.com/vault/docs/enterprise/lts) release.
  • CHANGES:
  • database/snowflake: Update plugin to v0.13.1 [[GH-30775](https://github.com/hashicorp/vault/pull/30775)]
  • IMPROVEMENTS:
  • plugins: Support registration of CE plugins with extracted artifact directory. [[GH-30673](https://github.com/hashicorp/vault/pull/30673)]
  • BUG FIXES:
  • ui: Fix broken link to Hashicorp Vault developer site in the Web REPL help. [[GH-30670](https://github.com/hashicorp/vault/pull/30670)]
v1.19.4
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·May 16, 2025
GitHub

📦 May 16, 2025

  • CHANGES:
  • Update vault-plugin-auth-cf to v0.20.1 [[GH-30586](https://github.com/hashicorp/vault/pull/30586)]
  • auth/azure: Update plugin to v0.20.4 [[GH-30543](https://github.com/hashicorp/vault/pull/30543)]
  • core: Bump Go version to 1.24.3.
  • IMPROVEMENTS:
  • Namespaces (enterprise): allow a root token to relock a namespace
  • core (enterprise): update to FIPS 140-3 cryptographic module in the FIPS builds.
  • core: Updated code and documentation to support FIPS 140-3 compliant algorithms. [[GH-30576](https://github.com/hashicorp/vault/pull/30576)]
  • + 8 more
v1.19.3
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·April 30, 2025
GitHub

📦 April 30, 2025

  • CHANGES:
  • auth/jwt: Update plugin to v0.23.2 [[GH-30434](https://github.com/hashicorp/vault/pull/30434)]
  • BUG FIXES:
  • core (enterprise): fix issue with errors being swallowed on failed HSM logins.
  • database: Prevent static roles created in versions prior to 1.15.0 from rotating on backend restart. [[GH-30320](https://github.com/hashicorp/vault/pull/30320)]
  • database: no longer incorrectly add an "unrecognized parameters" warning for certain SQL database secrets config operations when another warning is returned [[GH-30327](https://github.com/hashicorp/vault/pull/30327)]
  • identity: Fix non-deterministic merge behavior when two entities have conflicting local aliases. [[GH-30390](https://github.com/hashicorp/vault/pull/30390)]
  • plugins: plugin registration should honor the `plugin_tmpdir` config [[GH-29978](https://github.com/hashicorp/vault/pull/29978)]
  • + 1 more
v1.19.2
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·April 18, 2025
GitHub

📦 April 18, 2025

  • CHANGES:
  • core: Bump Go version to 1.23.7
  • core: Bump Go version to 1.23.8
  • secrets/openldap: Update plugin to v0.15.4 [[GH-30279](https://github.com/hashicorp/vault/pull/30279)]
  • BUG FIXES:
  • secrets/openldap: Prevent static role rotation on upgrade when `NextVaultRotation` is nil. Fixes an issue where static roles were unexpectedly rotated after upgrade due to a missing `NextVaultRotation` value. Now sets it to either `LastVaultRotation + RotationPeriod` or `now + RotationPeriod`. [[GH-30265](https://github.com/hashicorp/vault/pull/30265)]
  • secrets/pki (enterprise): Address a parsing bug that rejected CMPv2 requests containing a validity field.
  • secrets/pki: fix a bug where key_usage was ignored when generating root certificates, and signing certain intermediate certificates. [[GH-30034](https://github.com/hashicorp/vault/pull/30034)]
  • + 1 more
v1.19.1
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·April 4, 2025
GitHub

📦 April 4, 2025

  • Enterprise LTS: Vault Enterprise 1.19 is a [Long-Term Support (LTS)](https://developer.hashicorp.com/vault/docs/enterprise/lts) release.
  • CHANGES:
  • UI: remove outdated and unneeded js string extensions [[GH-29834](https://github.com/hashicorp/vault/pull/29834)]
  • auth/azure: Update plugin to v0.20.2. Login requires `resource_group_name`, `vm_name`, and `vmss_name` to match token claims [[GH-30052](https://github.com/hashicorp/vault/pull/30052)]
  • auth/azure: Update plugin to v0.20.3 [[GH-30082](https://github.com/hashicorp/vault/pull/30082)]
  • auth/gcp: Update plugin to v0.20.2 [[GH-30081](https://github.com/hashicorp/vault/pull/30081)]
  • core: Verify that the client IP address extracted from an X-Forwarded-For header is a valid IPv4 or IPv6 address [[GH-29774](https://github.com/hashicorp/vault/pull/29774)]
  • secrets/azure: Update plugin to v0.21.2 [[GH-30037](https://github.com/hashicorp/vault/pull/30037)]
  • + 22 more
v1.19.0
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·March 5, 2025
GitHub

📦 March 5, 2025

  • Enterprise LTS: Vault Enterprise 1.19 is a [Long-Term Support (LTS)](https://developer.hashicorp.com/vault/docs/enterprise/lts) release.
  • SECURITY:
  • raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.0.0-20241115202008-166203013d8e
  • raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.2.0
  • CHANGES:
  • agent/config: Configuration values including IPv6 addresses will be automatically translated and displayed conformant to RFC-5952 §4. [[GH-29517](https://github.com/hashicorp/vault/pull/29517)]
  • api: Add to sys/health whether the node has been removed from the HA cluster. If the node has been removed, return code 530 by default or the value of the `removedcode` query parameter. [[GH-28991](https://github.com/hashicorp/vault/pull/28991)]
  • api: Add to sys/health whether the standby node has been able to successfully send heartbeats to the active node and the time in milliseconds since the last heartbeat. If the standby has been unable to send a heartbeat, return code 474 by default or the value of the `haunhealthycode` query parameter. [[GH-28991](https://github.com/hashicorp/vault/pull/28991)]
  • + 219 more
v1.18.5
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·February 24, 2025
GitHub
v1.19.0-rc1Pre-release
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·February 20, 2025
GitHub

📦 February 21, 2025

  • SECURITY:
  • raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.0.0-20241115202008-166203013d8e
  • raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.2.0
  • CHANGES:
  • api: Add to sys/health whether the node has been removed from the HA cluster. If the node has been removed, return code 530 by default or the value of the `removedcode` query parameter. [[GH-28991](https://github.com/hashicorp/vault/pull/28991)]
  • api: Add to sys/health whether the standby node has been able to successfully send heartbeats to the active node and the time in milliseconds since the last heartbeat. If the standby has been unable to send a heartbeat, return code 474 by default or the value of the `haunhealthycode` query parameter. [[GH-28991](https://github.com/hashicorp/vault/pull/28991)]
  • auth/alicloud: Update plugin to v0.20.0 [[GH-29613](https://github.com/hashicorp/vault/pull/29613)]
  • auth/azure: Update plugin to v0.19.1 [[GH-28712](https://github.com/hashicorp/vault/pull/28712)]
  • + 203 more
v1.18.4
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·January 30, 2025
GitHub

📦 January 30, 2025

  • CHANGES:
  • auth/cf: Update plugin to v0.19.1 [[GH-29295](https://github.com/hashicorp/vault/pull/29295)]
  • sdk: Updated golang and dependency versions to be consistent across core, API, SDK to address [[GO-2024-3333](https://pkg.go.dev/vuln/GO-2024-3333)] and ensure version consistency [[GH-29422](https://github.com/hashicorp/vault/pull/29422)]
  • IMPROVEMENTS:
  • plugins (enterprise): The Database secrets engine now allows skipping the automatic rotation of static roles during import.
  • events (enterprise): Use the `path` event metadata field when authorizing a client's `subscribe` capability for consuming an event, instead of requiring `data_path` to be present in the event metadata.
  • ui: Adds navigation for LDAP hierarchical libraries [[GH-29293](https://github.com/hashicorp/vault/pull/29293)]
  • ui: Adds params to postgresql database to improve editing a connection in the web browser. [[GH-29200](https://github.com/hashicorp/vault/pull/29200)]
  • + 11 more
v1.18.3
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·December 18, 2024
GitHub

📦 December 18, 2024

  • CHANGES:
  • secrets/openldap: Update plugin to v0.14.4 [[GH-29131](https://github.com/hashicorp/vault/pull/29131)]
  • secrets/pki: Enforce the issuer constraint extensions (extended key usage, name constraints, issuer name) when issuing or signing leaf certificates. For more information see [PKI considerations](https://developer.hashicorp.com/vault/docs/secrets/pki/considerations#issuer-constraints-enforcement) [[GH-29045](https://github.com/hashicorp/vault/pull/29045)]
  • IMPROVEMENTS:
  • auth/okta: update to okta sdk v5 from v2. Transitively updates go-jose dependency to >=3.0.3 to resolve GO-2024-2631. See https://github.com/okta/okta-sdk-golang/blob/master/MIGRATING.md for details on changes. [[GH-28121](https://github.com/hashicorp/vault/pull/28121)]
  • core: Added new `enable_post_unseal_trace` and `post_unseal_trace_directory` config options to generate Go traces during the post-unseal step for debug purposes. [[GH-28895](https://github.com/hashicorp/vault/pull/28895)]
  • sdk: Add Vault build date to system view plugin environment response [[GH-29082](https://github.com/hashicorp/vault/pull/29082)]
  • ui: Replace KVv2 json secret details view with Hds::CodeBlock component allowing users to search the full secret height. [[GH-28808](https://github.com/hashicorp/vault/pull/28808)]
  • + 10 more
v1.18.2
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·November 21, 2024
GitHub

📦 November 21, 2024

  • SECURITY:
  • raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.0.0-20241115202008-166203013d8e
  • CHANGES:
  • auth/azure: Update plugin to v0.19.2 [[GH-28848](https://github.com/hashicorp/vault/pull/28848)]
  • core/ha (enterprise): Failed attempts to become a performance standby node are now using an exponential backoff instead of a
  • 10 second delay in between retries. The backoff starts at 2s and increases by a factor of two until reaching
  • the maximum of 16s. This should make unsealing of the node faster in some cases.
  • login (enterprise): Return a 500 error during logins when performance standby nodes make failed gRPC requests to the active node. [[GH-28807](https://github.com/hashicorp/vault/pull/28807)]
  • + 19 more
v1.18.1
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·October 30, 2024
GitHub

📦 October 30, 2024

  • CHANGES:
  • auth/azure: Update plugin to v0.19.1 [[GH-28712](https://github.com/hashicorp/vault/pull/28712)]
  • secrets/azure: Update plugin to v0.20.1 [[GH-28699](https://github.com/hashicorp/vault/pull/28699)]
  • secrets/openldap: Update plugin to v0.14.1 [[GH-28479](https://github.com/hashicorp/vault/pull/28479)]
  • secrets/openldap: Update plugin to v0.14.2 [[GH-28704](https://github.com/hashicorp/vault/pull/28704)]
  • secrets/openldap: Update plugin to v0.14.3 [[GH-28780](https://github.com/hashicorp/vault/pull/28780)]
  • IMPROVEMENTS:
  • core: Add a mount tuneable that trims trailing slashes of request paths during POST. Needed to support CMPv2 in PKI. [[GH-28752](https://github.com/hashicorp/vault/pull/28752)]
  • + 15 more
v1.18.0
hc-github-team-es-release-engineeringhc-github-team-es-release-engineering·1y ago·October 9, 2024
GitHub

📋 Changes

  • activity (enterprise): filter all fields in client count responses by the request namespace [[GH-27790](https://github.com/hashicorp/vault/pull/27790)]
  • activity (enterprise): remove deprecated fields distinct_entities and non_entity_tokens [[GH-27830](https://github.com/hashicorp/vault/pull/27830)]
  • activity log: Deprecated the field "default_report_months". Instead, the billing start time will be used to determine the start time
  • activity log: Deprecates the current_billing_period field for /sys/internal/counters/activity. The default start time
  • activity: The [activity export API](https://developer.hashicorp.com/vault/api-docs/system/internal-counters#activity-export) now requires the `sudo` ACL capability. [[GH-27846](https://github.com/hashicorp/vault/pull/27846)]
  • activity: The [activity export API](https://developer.hashicorp.com/vault/api-docs/system/internal-counters#activity-export) now responds with a status of 204 instead 400 when no data exists within the time range specified by `start_time` and `end_time`. [[GH-28064](https://github.com/hashicorp/vault/pull/28064)]
  • activity: The startTime will be set to the start of the current billing period by default.
  • api: Update backoff/v3 to backoff/v4.3.0 [[GH-26868](https://github.com/hashicorp/vault/pull/26868)]
  • + 167 more
View all releases on GitHub
← Back to vault wiki