Important: Please read the migration guide.
CVE fixed:
- CVE-2026-48020 (Advisory GHSA-xf64-8mw2-4gr2)
Bug fixes:
- [tls] Compute resolved tlsOptions after applying models (#13291 @rtribotte)
- [middleware, authentication] Add error on basic auth build if users is empty (#13195 @rtribotte)
- [k8s/ingress] Avoid ingress path matcher injection and backport 11d2514 (#13227 @rtribotte)
- [server] Move snicheck to ctx instead of simulated routing (#13214 @juliens)
- [middleware] Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation (#13215 @rtribotte)
- [server] Bump golang.org/x/net to v0.55.0 (#13251 @kevinpollet)
- [server] Bump golang.org/x/crypto to v0.52.0 (#13276 @rtribotte)