HashiCorp

Consul 2.0 shipped on May 22 — the last of the four major-version milestones to go GA.

The full portfolio now runs at major versions. Terraform 1.15, Vault 2.0, Nomad 2.0, and Consul 2.0 all landed within roughly a month of each other. Consul 2.0 adds a global rate-limiter config entry (Enterprise) for cluster-wide RPC throttling without server restarts, SDS certificate support for API Gateway listeners, and multi-port named-port service routing (Enterprise). HTTP request path normalization on API and terminating gateways closes a CVE-2024-10005 L7 RBAC bypass.¹

Nomad 2.0.x patched two security advisories. The 2.0.1 release addressed CVE-2026-7474 (unintended code execution in dynamic host volumes) and CVE-2026-6959 (logging FIFO symlink swap attacks).² Breaking: allocation log directories are now bind-mounted read-only for drivers that support filesystem isolation. CLI improvements in 2.0.1 include retry on nomad job run monitoring and auto-expansion of nomad exec -it to -i -t.³

Terraform 1.15 patch activity continued through May. 1.15.4 added Linux s390x builds and fixed a bug preventing provider binaries from installing into symlinked directories.⁴ The alpha track (1.16.0-alpha20260513) introduced a store block in terraform_data for ephemeral and sensitive values, and a -json flag on workspace list.⁵

CVE patches consolidated across the 1.21.x Vault line. 1.21.4 resolved vulnerabilities in cloudflare/circl and filippo.io/edwards25519; 1.21.3 added UI recognition of Hashi-built external plugins and GCP managed-key workload identity federation support.⁶⁷ Vault 2.0.1 followed as a post-GA patch.