BREAKING CHANGES:
- logging: The allocation logs directory is bind-mounted read-only for task drivers that support with filesystem isolation [GH-27918]
SECURITY:
- dynamic host volumes: Prevent unintended code execution outside the plugin directory (CVE-2026-7474) [GH-27919]
- logging: Protect logging FIFO from symlink swap attacks (CVE-2026-6959) [GH-27918]
- sentinel: require sentinel-override ACL capability for overriding soft-mandatory policies on volumes
- ui: Upgraded Ember to 6.10 [GH-27674]
IMPROVEMENTS:
- build: Update Go toolchain to 1.26.3 [GH-27924]
- drivers: include volume RequestName within mount config information if available [GH-27710]
- server: RPC dial timeout is configurable [GH-27862]
- services: warn on job submit when job has services but no shutdown_delay [GH-27782]
BUG FIXES:
- api: Fix a bug where the Create Job, Update Job, and Scale Job APIs could fail to respect EnforceIndex under concurrent requests [GH-27832]
- core: avoid setting job to dead while waiting for allocations to reschedule [GH-27852]
- csi: improve check of StagePublishBaseDir being subdirectory of MountDir [GH-27717]
- deployments: reset ProgressDeadline after pausing and do not fail while paused [GH-27804]
- drivers: kill plugin instance on dispense failure [GH-27711]
- job (Enterprise): renabled use of multiple vault namespaces in a single job
- plugins: Fixed a bug where plugin clients would continuously leak file descriptors when the agent was restarted [GH-27885]
- scheduler: Fixed a bug where preemption of allocations by tasks that require devices could incorrectly fail placement [GH-27880]