February 05, 2026
SECURITY:
auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.
CHANGES:
core: Bump Go version to 1.25.6
FEATURES:
UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries
IMPROVEMENTS:
core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials
sdk: Add alias_metadata to tokenutil fields that auth method roles use.
secret-sync (enterprise): Added telemetry counters for reconciliation loop operations, including the number of corrections detected, retry attempts, and operation outcomes (success or failure with internal/external cause labels).
secret-sync (enterprise): Added telemetry counters for sync/unsync operations with status breakdown by destination type, and exposed operation counters in the destinations list API response.
BUG FIXES:
agent: Fix Vault Agent discarding cached tokens on transient server errors instead of retrying
core (enterprise): Fix crash when seal HSM is disconnected
default-auth: Fix issue when specifying "root" explicitly in Default Auth UI
identity: Fix issue where Vault may consume more memory than intended under heavy authentication load.
secrets/pki (enterprise): Fix SCEP related digest errors when requests contained compound octet strings
ui: Fixes login form so ?with= query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with listing_visibility="unauth"
ui: Reverts Kubernetes CA Certificate auth method configuration form field type to file selector