v1.21.4

SECURITY:

• Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• Upgrade filippo.io/edwards25519 to v1.1.1 to resolve GO-2026-4503
• vault/sdk: Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• vault/sdk: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 to resolve GO-2026-4394

CHANGES:

• core: Bump Go version to 1.25.7
• mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
• ui: Remove ability to bulk delete secrets engines from the list view.

IMPROVEMENTS:

• core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
• secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
• secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support.

BUG FIXES:

• core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
• core/identity (enterprise): Fix excessive logging when updating existing aliases
• core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
• plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header.
• secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
• secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
• secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage
• secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithms.
• secrets/pki: The root/sign-intermediate endpoint should not fail when provided a CSR with a basic constraint extension containing isCa set to true
• secrets/pki: allow glob-style DNS names in alt_names.

v1.21.3

February 05, 2026

SECURITY:

auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.

CHANGES:

core: Bump Go version to 1.25.6

FEATURES:

UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries

IMPROVEMENTS:

core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials
sdk: Add alias_metadata to tokenutil fields that auth method roles use.
secret-sync (enterprise): Added telemetry counters for reconciliation loop operations, including the number of corrections detected, retry attempts, and operation outcomes (success or failure with internal/external cause labels).
secret-sync (enterprise): Added telemetry counters for sync/unsync operations with status breakdown by destination type, and exposed operation counters in the destinations list API response.

BUG FIXES:

agent: Fix Vault Agent discarding cached tokens on transient server errors instead of retrying
core (enterprise): Fix crash when seal HSM is disconnected
default-auth: Fix issue when specifying "root" explicitly in Default Auth UI
identity: Fix issue where Vault may consume more memory than intended under heavy authentication load.
secrets/pki (enterprise): Fix SCEP related digest errors when requests contained compound octet strings
ui: Fixes login form so ?with= query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with listing_visibility="unauth"
ui: Reverts Kubernetes CA Certificate auth method configuration form field type to file selector

v1.21.2

1.21.2

January 07, 2026

CHANGES:

• auth/oci: bump plugin to v0.20.1
• core: Bump Go version to 1.25.5
• packaging: Container images are now exported using a compressed OCI image layout.
• packaging: UBI container images are now built on the UBI 10 minimal image.
• secrets/azure: Update plugin to v0.25.1+ent. Improves retry handling during Azure application and service principal creation to reduce transient failures.
• storage: Upgrade aerospike client library to v8.

IMPROVEMENTS:

• core: check rotation manager queue every 5 seconds instead of 10 seconds to improve responsiveness
• go: update to golang/x/crypto to v0.45.0 to resolve GHSA-f6x5-jh6r-wrfv, GHSA-j5w8-q4qc-rx2x, GO-2025-4134 and GO-2025-4135.
• rotation: Ensure rotations for shared paths only execute on the Primary cluster's active node. Ensure rotations for local paths execute on the cluster-local active node.
• sdk/rotation: Prevent rotation attempts on read-only storage.
• secrets-sync (enterprise): Added support for a boolean force_delete flag (default: false). When set to true, this flag allows deletion of a destination even if its associations cannot be unsynced. This option should be used only as a last-resort deletion mechanism, as any secrets already synced to the external provider will remain orphaned and require manual cleanup.
• secrets/pki: Avoid loading issuer information multiple times per leaf certificate signing.

BUG FIXES:

• core/activitylog (enterprise): Resolve a stability issue where Vault Enterprise could encounter a panic during month-end billing activity rollover.
• http: skip JSON limit parsing on cluster listener.
• quotas: Vault now protects plugins with ResolveRole operations from panicking on quota creation.
• replication (enterprise): fix rare panic due to race when enabling a secondary with Consul storage.
• rotation: Fix a bug where a performance secondary would panic if a write was made to a local mount.
• secret-sync (enterprise): Improved unsync error handling by treating cases where the destination no longer exists as successful.
• secrets-sync (enterprise): Corrected a bug where the deletion of the latest KV-V2 secret version caused the associated external secret to be deleted entirely. The sync job now implements a version fallback mechanism to find and sync the highest available active version, ensuring continuity and preventing the unintended deletion of the external secret resource.
• secrets-sync (enterprise): Fix issue where secrets were not properly un-synced after destination config changes.
• secrets-sync (enterprise): Fix issue where sync store deletion could be attempted when sync is disabled.
• ui/pki: Fix handling of values that contain commas in list fields like crl_distribution_points.

v1.21.1

1.21.1

November 20, 2025

SECURITY:

• auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client
• ui: disable scarf analytics for ui builds

CHANGES:

• auth/kubernetes: Update plugin to v0.23.1
• auth/saml: Update plugin to v0.7.0
• auth/saml: Update plugin to v0.7.1, which adds the environment variable VAULT_SAML_DENY_INTERNAL_URLS to allow prevention of idp_metadata_url, idp_sso_url, or acs_urls fields from containing URLs that resolve to internal IP addresses
• core: Bump Go version to 1.25.4
• secrets/azure: Update plugin to v0.25.0+ent
• secrets/pki: sign-verbatim endpoints no longer ignore basic constraints extension in CSRs, using them in generated certificates if isCA=false or returning an error if isCA=true

IMPROVEMENTS:

• Update github.com/dvsekhvalnov/jose2go to fix security vulnerability CVE-2025-63811.
• api: Added sudo-permissioned sys/reporting/scan endpoint which will output a set of files containing information about Vault state to the location specified by the reporting_scan_directory config item.
• auth/ldap: Require non-empty passwords on login command to prevent unauthenticated access to Vault.
• core/metrics: Reading and listing from a snapshot are now tracked via the vault.route.read-snapshot.{mount_point} and vault.route.list-snapshot.{mount_point} metrics.
• license utilization reporting (enterprise): Add metrics for the number of issued PKI certificates.
• policies: add warning about list comparison when using allowed_parameters or denied_parameters
• secret-sync: add parallelization support to sync and unsync operations for secret-key granularity associations
• secrets/pki: Include the certificate's AuthorityKeyID in response fields for API endpoints that issue, sign, or fetch certs.
• sys (enterprise): Add sys/billing/certificates API endpoint to retrieve the number of issued PKI certificates.
• ui/activity (enterprise): Add clarifying text to explain the "Initial Usage" column will only have timestamps for clients initially used after upgrading to version 1.21
• ui/activity (enterprise): Allow manual querying of client usage if there is a problem retrieving the license start time.
• ui/activity (enterprise): Reduce requests to the activity export API by only fetching new data when the dashboard initially loads or is manually refreshed.
• ui/activity (enterprise): Support filtering months dropdown by ISO timestamp or display value.
• ui/activity: Display total instead of new monthly clients for HCP managed clusters
• ui/pki: Adds support to configure server_flag, client_flag, code_signing_flag, and email_protection_flag parameters for creating/updating a role.

BUG FIXES:

• activity (enterprise): sys/internal/counters/activity outputs the correct mount type when called from a non root namespace
• auth/approle (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/aws (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/cert (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/github (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/ldap (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/okta (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/radius (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/scep (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth/userpass (enterprise): Role parameter alias_metadata now populates alias custom metadata field instead of alias metadata.
• auth: fixed panic when supplying integer as a lease_id in renewal.
• core/rotation: avoid shifting timezones by ignoring cron.SpecSchedule
• core: interpret all new rotation manager rotation_schedules as UTC to avoid inadvertent use of tz-local
• secrets/azure: Ensure proper installation of the Azure enterprise secrets plugin.
• secrets/pki: Return error when issuing/signing certs whose NotAfter is before NotBefore or whose validity period isn't contained by the CA's.
• ui (enterprise): Fix KV v2 not displaying secrets in namespaces.
• ui (enterprise): Fixes login form so input renders correctly when token is a preferred login method for a namespace.
• ui/pki: Fixes certificate parsing of the key_usage extension so details accurately reflect certificate values.
• ui/pki: Fixes creating and updating a role so basic_constraints_valid_for_non_ca is correctly set.
• ui: Fix KV v2 metadata list request failing for policies without a trailing slash in the path.
• ui: Resolved a regression that prevented users with create and update permissions on KV v1 secrets from opening the edit view. The UI now correctly recognizes these capabilities and allows editing without requiring full read access.
• ui: Update LDAP accounts checked-in table to display hierarchical LDAP libraries
• ui: Update LDAP library count to reflect the total number of nodes instead of number of directories

v1.21.0

[VAULT-40260] This is an automated pull request to build all artifact…

v1.21.0-rc1

[VAULT-40007] This is an automated pull request to build all artifact…

v1.20.4

[VAULT-39673] This is an automated pull request to build all artifact…

v1.20.3

[VAULT-39259] This is an automated pull request to build all artifact…

v1.20.2

August 06, 2025

SECURITY:

• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled [GH-31427,HCSEC-2025-20].

BUG FIXES:

• agent/template: Fixed issue where templates would not render correctly if namespaces was provided by config, and the namespace and mount path of the secret were the same. [GH-31392]
• identity/mfa: revert cache entry change from #31217 and document cache entry values [GH-31421]

v1.20.1

[VAULT-38326] This is an automated pull request to build all artifact…