Boundary

0.21.2 (2026/04/06)

New and Improved

• cli: Added optional flags -sort-by and -sort-direction to boundary search. These flags can be used to control sorting when searching the client cache and the resource is sessions or targets. (PR)
• The client cache search API now supports the sort_by and sort_direction query parameters when searching sessions or targets. (PR)

0.21.1 (2026/02/10)

Security

• Go version bumped to 1.25.7 to address CVE-2025-61730 (PR)
• Go Cryptography dependency update to address CVE-2025-58181 and CVE-2025-47914 (PR)

0.21.0 (2025/11/12)

New and Improved

• ui: Optimized loading of table filters and improved table search support (PR)

Bug fixes

• ui: Show username for OIDC auth method in user menu (PR)

0.19.2 (2025/04/28)

New and Improved

• ui: Populate subject for OIDC account name displays. (PR).
• ui: Improved performance when initially fetching large sets of resources. (PR).
• ui: Improved search & filtering behavior when using search field. (PR).

Bug fixes

• Fixed an issue in the worker where closing an SSH channel failed to exit a loop, which would cause a massive spike in CPU usage over time. This change only affects Enterprise.
• ui: Fix an issue where the user could not change the key_type of a Vault SSH Certificate credential library. (PR).

0.19.0 (2025/01/31)

New and Improved

• Introduces soft-delete for users within the client cache. (PR).

• GCP dynamic host catalog: Add dynamic host catalog support for discovering GCP Compute Engine VM Instances. (PR).

• The worker domain has been refactored to create clear domain functions for worker operations, improve readability and maintainability of worker queries, and improve DB performance. (PR).

• Adds support for dual-stack networking for AWS operations. (PR)

  • Note: As a consequence of updating AWS SDK dependencies to enable dual-stack support, this Boundary release may consume more memory. From our testing, the increase seems to be around 1.6x, however this may vary depending on your deployment architecture.

• The worker <-> controller communications have been refactored to improve performance and reliability at large scale. Workers older than v0.19.0 will remain supported until the release of v0.20.0, in accordance with our worker/controller compatiblity policy.

• Add concurrency limit on the password hashing of all password auth methods. (PR).

  This avoids bursty memory and CPU use during concurrent password auth method authentication attempts. The number of concurrent hashing operations can be set with the new concurrent_password_hash_workers configuration value in the controller stanza, or the new BOUNDARY_CONTROLLER_CONCURRENT_PASSWORD_HASH_WORKERS environment variable. The default limit is 1.

• ui: Improve worker filter workflow for targets, vault credential-stores, and storage-buckets. (PR).

Bug fixes

• Fix bug in applying BOUNDARY_MAX_RETRIES for boundary cli. Previously setting this environment variable would result in a max retries of 2, regardless of the value set. (PR).
• Fix bug in parsing IPv6 addresses. Previously setting a target address or the initial upstream address in the config file would result in a malformed value. (PR).
• Fix an issue where, when starting a session, the connection limit always displays 0. (PR).
• Fix bug which caused the children keyword not to apply the appropriate permissions for a number of resources. (PR).

0.18.1 (2024/11/21)

New and Improved

• Delete terminated sessions in batches to avoid long running jobs. (PR)

Bug fixes

• Fix an issue where users would lose access to managed groups if there are more than 10,000 managed groups in the auth method used. (PR)
• Fix an issue where only the first 10,000 members of a managed group are returned when getting the managed group, and a similar issue where only the first 10,000 managed groups an account is part of is included when getting the account. (PR)

0.18.0 (2024/10/01)

New and Improved

• Add support for dynamic host catalog plugins running in Boundary workers: Boundary plugins that handle dynamic host catalog operations (such as the AWS and Azure plugins) can now run on workers. (PR)

• Dynamic host catalogs worker filter support (Enterprise and HCP Boundary only): Operators can now set a worker filter when creating a dynamic host catalog. When set, all of the plugin requests will be sent to the matching worker for processing. (PR)

• AWS dynamic host catalogs AssumeRole authentication support: Operators can now set-up AWS dynamic host catalogs using Amazon's AssumeRole authentication paradigm by providing a valid Role ARN when creating the host catalog. (PR and PR)

• Improved MinIO storage plugin compatibility with other services by dropping the checksum headers in PutObject. (PR)

• ui: Add UI support for searching and pagination of aliases. (PR)

• ui: Add UI support for filtering and pagination of session recordings. (PR)

• ui: Improve multi-scope grants select/deselect process. (PR)

Bug Fixes

• Prevented a data-race in Boundary's event logging system. (PR)

• Update Storage Bucket type icon in Target view. (PR)

• Allow user to retry with authentication is pending with OIDC. (PR)

Deprecations/Changes

• Remove deprecated controllers field from the worker config, which was deprecated in 0.9.0 for initial_upstreams(PR)

0.17.2 (2024/09/25)

Changes

• The Go API properly uses the passed in value for WithRecursive and WithSkipCurlOutput instead of always setting to true regardless of the passed-in value. (PR)

0.17.0 (2024/07/17)

0.16.2 (2024/06/10)

New and Improved

• Updated Minio plugin to allow for potential use with other S3-compatible storage providers. (PR) and (PR)

Bug Fixes

• Fixed a bug where a worker credential rotation request suceeded on the controller but the response to the worker was lost. This resulted in the controller using a separate set of credentials than the worker, causing the worker to be unable to connect to the controller. The fix implements the new nodeenrollment library NodeIdLoader interface, which ensures that on store, if worker NodeInformation has a previous key set, the worker will check and correct its stored credential set to match. LodeNodeInformation was also updated to fix a bug where in this split credential scenario, the current credential key was assumed to be the incoming worker key, which caused the wrong key information to be populated for the key id. (PR)

0.16.0 (2024/04/15)

New and Improved

• Target aliases have been added: You can now create an alias for a target. In most situations where you would use a target id, you can now instead use the alias value. Crate an alias with boundary aliases create target -value example.boundary -destination-id ttcp_1234567890 and connect to a target using an alias using boundary connect example.boundary
• Worker local storage state: Self managed workers that are configured to be used for session recordings will report the state of the its disk space. To learn more about this new feature, refer to the documentation.
• MinIO storage plugin: You can now create a storage bucket that allows Boundary to interoperate with a MinIO cluster for Session Recording storage. This includes some added functionality such as credential rotation and credential management. To learn more about the plugin, refer to the readme. Note: Due to a library incompatibility, this release is not yet compatible with the netbsd operating system. Please refer to the following documentation to learn how to create a storage bucket.
• ui: Add UI support for filtering and pagination (PR)
• ui: Add UI support for MinIO (Enterprise and HCP Boundary only) (PR)

Added dependency

• postgres citext dependency added to enable aliases to be globally unique in a case insensitive way.