github hashicorp/vault v1.21.4
on GitHub

13 days ago

SECURITY:

  • Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
  • Upgrade filippo.io/edwards25519 to v1.1.1 to resolve GO-2026-4503
  • vault/sdk: Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
  • vault/sdk: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 to resolve GO-2026-4394

CHANGES:

  • core: Bump Go version to 1.25.7
  • mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
  • ui: Remove ability to bulk delete secrets engines from the list view.

IMPROVEMENTS:

  • core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
  • secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
  • secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support.

BUG FIXES:

  • core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
  • core/identity (enterprise): Fix excessive logging when updating existing aliases
  • core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
  • plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header.
  • secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
  • secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
  • secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage
  • secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithms.
  • secrets/pki: The root/sign-intermediate endpoint should not fail when provided a CSR with a basic constraint extension containing isCa set to true
  • secrets/pki: allow glob-style DNS names in alt_names.
Check out latest releases or
releases around hashicorp/vault v1.21.4

Don't miss a new vault release

NewReleases is sending notifications on new releases.

Get notifications