---
name: Consul
slug: consul
type: github
source_url: https://github.com/hashicorp/consul
changelog_url: https://github.com/hashicorp/consul/blob/HEAD/CHANGELOG.md
organization: HashiCorp
organization_slug: hashicorp
total_releases: 100
latest_version: v1.22.6
latest_date: 2026-03-26
last_updated: 2026-04-19
tracking_since: 2024-01-23
canonical: https://releases.sh/hashicorp/consul
organization_url: https://releases.sh/hashicorp
---
## 1.22.6 (March 23, 2026)
SECURITY:
* security: upgrade envoy version to 1.35.9 and 1.34.13 [[GH-23372](https://github.com/hashicorp/consul/pull/23372)]
* security: update google.golang.org/grpc to fix CVE-2026-33186 [[GH-23379](https://github.com/hashicorp/consul/pull/23379)]
* security: upgrade go version to 1.25.8 [[GH-23322](https://github.com/hashicorp/consul/pull/23322)]
* security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [[GH-23322](https://github.com/hashicorp/consul/pull/23322)]
IMPROVEMENTS:
* api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [[GH-23216](https://github.com/hashicorp/consul/pull/23216)]
* ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [[GH-23341](https://github.com/hashicorp/consul/pull/23341)]
* ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [[GH-23271](https://github.com/hashicorp/consul/pull/23271)]
* ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [[GH-23289](https://github.com/hashicorp/consul/pull/23289)]
## 1.22.5 (February 26, 2026)
SECURITY:
* security: upgrade go version to 1.25.7 [[GH-23204](https://github.com/hashicorp/consul/issues/23204)]
* dockerfile: the Consul build Go base image to `alpine3.23` [[GH-23194](https://github.com/hashicorp/consul/issues/23194)]
* connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [[GH-23109](https://github.com/hashicorp/consul/issues/23109)]
* security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [[GH-22739](https://github.com/hashicorp/consul/issues/22739)]
* security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [[GH-23249](https://github.com/hashicorp/consul/pull/23249)]
* security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [[GH-23196](https://github.com/hashicorp/consul/pull/23196)]
IMPROVEMENTS:
* api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [[GH-23212](https://github.com/hashicorp/consul/issues/23212)]
* agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [[GH-23202](https://github.com/hashicorp/consul/issues/23202)]
* cli: Added `--aws-iam-endpoint` flag to `consul login` command for AWS IAM auth method to support custom IAM endpoint configuration [[GH-23109](https://github.com/hashicorp/consul/issues/23109)]
* docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [[GH-23246](https://github.com/hashicorp/consul/pull/23246)]
* api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [[GH-23157](https://github.com/hashicorp/consul/issues/23157)]
⚠️ Important Notice
**We have identified an issue in Consul and Consul Enterprise Feb Patch Release (1.22.4, 1.22.4-ent, 1.21.10-ent, 1.18.20-ent) that requires a corrective patch release.**
**We recommend that customers avoid using these versions in production environments and wait for the upcoming patch release.**
**Customers who have upgraded to these versions should temporarily revert to the previous stable release while we prepare a corrected update.**
A new patched release is expected by the end of the this month.
**Further updates will be shared once the new version is available. We apologize for the inconvenience and appreciate your patience.**
## 1.22.4 (February 18, 2026)
SECURITY:
* security: upgrade go version to 1.25.7 [[GH-23204](https://github.com/hashicorp/consul/issues/23204)]
* dockerfile: the Consul build Go base image to `alpine3.23` [[GH-23194](https://github.com/hashicorp/consul/issues/23194)]
* connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [[GH-23109](https://github.com/hashicorp/consul/issues/23109)]
* security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [[GH-22739](https://github.com/hashicorp/consul/issues/22739)]
IMPROVEMENTS:
* api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [[GH-23212](https://github.com/hashicorp/consul/issues/23212)]
* agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [[GH-23202](https://github.com/hashicorp/consul/issues/23202)]
* cli: Added `--aws-iam-endpoint` flag to `consul login` command for AWS IAM auth method to support custom IAM endpoint configuration [[GH-23109](https://github.com/hashicorp/consul/issues/23109)]
* api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [[GH-23157](https://github.com/hashicorp/consul/pull/23157)]
## 1.22.3 (January 23, 2026)
SECURITY:
* Update the Consul Build Go base image to `alpine3.23.2` [[GH-23138](https://github.com/hashicorp/consul/issues/23138)]
IMPROVEMENTS:
* api: Add `consul services imported-services` and new api(/v1/exported-services) command to list services imported by partitions within a local datacenter [[GH-12045](https://github.com/hashicorp/consul/issues/12045)]
* connect: added ability to configure Virtual IP range for t-proxy with CIDRs [[GH-23085](https://github.com/hashicorp/consul/issues/23085)]
## 1.22.2 (December 15, 2025)
SECURITY:
* security: Upgrade golang to 1.25.4. [[GH-23029](https://github.com/hashicorp/consul/issues/23029)]
* security: upgrade internal packages of RHEL builds to include security fixes [[GH-23078](https://github.com/hashicorp/consul/issues/23078)]
IMPROVEMENTS:
* ui: upgraded Ember framework from v3.28 to v4.12, improving performance and stability. Upgrades multiple other packages which support Ember v4. [[GH-23070](https://github.com/hashicorp/consul/issues/23070)]
BUG FIXES:
* agent: fix bug prevents default TCP checks from being re-added on service reload when they were explicitly disabled or when custom checks were specified during initial registration. [[GH-23088](https://github.com/hashicorp/consul/issues/23088)]
* audit-logging: (Enterprise only) Fixed JSON unmarshall error when array of obj is passed for auditReq body. [[GH-11546](https://github.com/hashicorp/consul/issues/11546)]
* cli: Enhanced error messages in `consul config write` command to provide actionable guidance when config entries cannot be modified due to references by gateways or routers. [[GH-22921](https://github.com/hashicorp/consul/issues/22921)]
* mesh: router + splitter + failover with retry now correctly failover for external services failover subsets through terminating gateways. [[GH-23092](https://github.com/hashicorp/consul/issues/23092)]
## v1.22.0 (Enterprise)
## 1.22.0+ent (October 24, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [[GH-22824](https://github.com/hashicorp/consul/issues/22824)]
* security: Adding warning when remote/local script checks are enabled without enabling ACL's [[GH-22877](https://github.com/hashicorp/consul/issues/22877)]
* security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks[CVE-2025-11374]() [[GH-22916](https://github.com/hashicorp/consul/issues/22916)]
* security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves [CVE-2025-11375](https://nvd.nist.gov/vuln/detail/CVE-2025-11375). [[GH-22836](https://github.com/hashicorp/consul/issues/22836)]
* security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [[GH-22850](https://github.com/hashicorp/consul/issues/22850)]
FEATURES:
* Added support to register a service in consul with multiple ports [[GH-22769](https://github.com/hashicorp/consul/issues/22769)]
* agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [[GH-22741](https://github.com/hashicorp/consul/issues/22741)]
* install: Updated license information displayed during post-install
* ipv6: addtition of ip6tables changes for ipv6 and dual stack support [[GH-22787](https://github.com/hashicorp/consul/issues/22787)]
* oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [[GH-22732](https://github.com/hashicorp/consul/issues/22732)]
IMPROVEMENTS:
* security: Upgrade golang to 1.25.3. [[GH-22926](https://github.com/hashicorp/consul/issues/22926)]
* ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [[GH-22947](https://github.com/hashicorp/consul/issues/22947)]
* ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [[GH-22938](https://github.com/hashicorp/consul/issues/22938)]
* ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [[GH-22888](https://github.com/hashicorp/consul/issues/22888)]
* api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [[GH-22837](https://github.com/hashicorp/consul/issues/22837)]
* cmd: Added new subcommand `consul operator utilization [-today-only] [-message] [-y]` to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise
http: Added a new API Handler for `/v1/operator/utilization`. Core functionality to be implemented in consul-enterprise
agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [[GH-22843](https://github.com/hashicorp/consul/issues/22843)]
* cli: `snapshot agent` now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [[GH-11171](https://github.com/hashicorp/consul/issues/11171)]
* command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [[GH-22763](https://github.com/hashicorp/consul/issues/22763)]
* connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [[GH-22773](https://github.com/hashicorp/consul/issues/22773)]
* proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [[GH-22772](https://github.com/hashicorp/consul/issues/22772)]
* ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [[GH-22770](https://github.com/hashicorp/consul/issues/22770)]
* ui: Replace yarn with pnpm for package management [[GH-22790](https://github.com/hashicorp/consul/issues/22790)]
* ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [[GH-22813](https://github.com/hashicorp/consul/issues/22813)]
BUG FIXES:
* ui: Allow FQDN to be displayed in the Consul web interface. [[GH-22779](https://github.com/hashicorp/consul/issues/22779)]
* ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [[GH-22789](https://github.com/hashicorp/consul/issues/22789)]
* ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [[GH-22752](https://github.com/hashicorp/consul/issues/22752)]
* cmd: Fix `consul operator utilization --help` to show only available options without extra parameters. [[GH-22912](https://github.com/hashicorp/consul/issues/22912)]
## v1.20.13 (Enterprise)
## 1.20.13+ent (November 17, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* security: Upgrade golang to 1.25.4. [[GH-23029](https://github.com/hashicorp/consul/issues/23029)]
IMPROVEMENTS:
* ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [[GH-23004](https://github.com/hashicorp/consul/issues/23004)]
* ui: resolved multiple Ember deprecations:
- Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
- Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
- Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [[GH-23010](https://github.com/hashicorp/consul/issues/23010)]
BUG FIXES:
* acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [[GH-22954](https://github.com/hashicorp/consul/issues/22954)]
* xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [[GH-23049](https://github.com/hashicorp/consul/issues/23049)]
* xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [[GH-23035](https://github.com/hashicorp/consul/issues/23035)]
## v1.20.12 (Enterprise)
## 1.20.12 (October 30, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* security: Adding warning when remote/local script checks are enabled without enabling ACL's [[GH-22877](https://github.com/hashicorp/consul/issues/22877)]
* security: Fixed proxied URL path validation to prevent path traversal. [[GH-22671](https://github.com/hashicorp/consul/issues/22671)]
* security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks[CVE-2025-11374]() [[GH-22916](https://github.com/hashicorp/consul/issues/22916)]
* security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves [CVE-2025-11375](https://nvd.nist.gov/vuln/detail/CVE-2025-11375). [[GH-22836](https://github.com/hashicorp/consul/issues/22836)]
* security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks. This resolves [CVE-2025-11392](https://nvd.nist.gov/vuln/detail/CVE-2025-11392). [[GH-22850](https://github.com/hashicorp/consul/issues/22850)]
FEATURES:
* install: Updated license information displayed during post-install
IMPROVEMENTS:
* api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [[GH-22837](https://github.com/hashicorp/consul/issues/22837)]
* cmd: Added new subcommand `consul operator utilization [-today-only] [-message] [-y]` to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise
http: Added a new API Handler for `/v1/operator/utilization`. Core functionality to be implemented in consul-enterprise
agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [[GH-22843](https://github.com/hashicorp/consul/issues/22843)]
* security: Upgrade golang to 1.25.3. [[GH-22926](https://github.com/hashicorp/consul/issues/22926)]
* ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [[GH-22947](https://github.com/hashicorp/consul/issues/22947)]
* ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [[GH-22770](https://github.com/hashicorp/consul/issues/22770)]
* ui: Replace yarn with pnpm for package management [[GH-22790](https://github.com/hashicorp/consul/issues/22790)]
* ui: Replaced `reopen()` calls with direct property assignment and subclassing to resolve Ember component reopen deprecation warnings [[GH-22971](https://github.com/hashicorp/consul/issues/22971)]
* ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [[GH-22813](https://github.com/hashicorp/consul/issues/22813)]
* ui: removed deprecated Route#renderTemplate usage by introducing DebugLayout component and controller-based conditional rendering for docs routes [[GH-22978](https://github.com/hashicorp/consul/issues/22978)]
* ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [[GH-22938](https://github.com/hashicorp/consul/issues/22938)]
* ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [[GH-22888](https://github.com/hashicorp/consul/issues/22888)]
BUG FIXES:
* cmd: Fix `consul operator utilization --help` to show only available options without extra parameters. [[GH-22912](https://github.com/hashicorp/consul/issues/22912)]
* ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [[GH-22789](https://github.com/hashicorp/consul/issues/22789)]
* ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [[GH-22752](https://github.com/hashicorp/consul/issues/22752)]
## v1.20.11 (Enterprise)
## 1.20.11+ent (September 21, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* Migrate transitive dependency from archived `mitchellh/mapstructure` to `go-viper/mapstructure` to v2 to address [CVE-2025-52893](https://www.cve.org/CVERecord?id=CVE-2025-52893). [[GH-22581](https://github.com/hashicorp/consul/issues/22581)]
* agent: Add the KV Validations to block path traversal allowing access to unauthorized endpoints. [[GH-22682](https://github.com/hashicorp/consul/issues/22682)]
* agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [[GH-22534](https://github.com/hashicorp/consul/issues/22534)]
* agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [[GH-22626](https://github.com/hashicorp/consul/issues/22626)]
* api: add charset in all applicable content-types. [[GH-22598](https://github.com/hashicorp/consul/issues/22598)]
* connect: Upgrade envoy version to 1.33.9 [[GH-11329](https://github.com/hashicorp/consul/issues/11329)]
* security: Fix GHSA-65rg-554r-9j5x (CVE-2024-48908) by upgrading lycheeverse/lychee-action. [[GH-22667](https://github.com/hashicorp/consul/issues/22667)]
* security: Fix a security vulnerability where the attacker could bypass authentication by passing url params as there was no validation on them. [[GH-22612](https://github.com/hashicorp/consul/issues/22612)]
* security: perform constant time compare for sensitive values. [[GH-22537](https://github.com/hashicorp/consul/issues/22537)]
* security: upgrade go version to 1.25.0 [[GH-22652](https://github.com/hashicorp/consul/issues/22652)]
* security:: **(Enterprise only)** fix nil pointer dereference.
* security:: **(Enterprise only)** fix potential race condition in partition CRUD.
* security:: **(Enterprise only)** perform constant time compare for sensitive values.
FEATURES:
* config: Add new parameter `max_request_headers_kb` to configure maximum header size for requests from downstream to upstream [[GH-22604](https://github.com/hashicorp/consul/issues/22604)]
* config: Handle a new parameter `max_request_headers_kb` to configure maximum header size for requests from downstream to upstream in API Gateway config and proxy-defaults [[GH-22679](https://github.com/hashicorp/consul/issues/22679)]
* config: Handle a new parameter `max_request_headers_kb` to configure maximum header size for requests from downstream to upstream in Mesh Gateway via service-defaults and proxy-defaults [[GH-22722](https://github.com/hashicorp/consul/issues/22722)]
* config: Handle a new parameter `max_request_headers_kb` to configure maximum header size for requests from downstream to upstream in Terminating Gateway service-defaults and proxy-defaults [[GH-22680](https://github.com/hashicorp/consul/issues/22680)]
BUG FIXES:
* agent: Don't show admin partition during errors [[GH-11154](https://github.com/hashicorp/consul/issues/11154)]
## v1.20.10 (Enterprise)
## 1.20.10 Enterprise (August 13, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* security: Update Go to 1.23.12 to address CVE-2025-47906 [[GH-22547](https://github.com/hashicorp/consul/issues/22547)]
IMPROVEMENTS:
* ui: Replaced internal code editor with HDS (HashiCorp Design System) code editor and code block components for improved accessibility and maintainability across the Consul UI. [[GH-22513](https://github.com/hashicorp/consul/issues/22513)]
BUG FIXES:
* cli: capture pprof when ACL is enabled and a token with operator:read is used, even if enable_debug config is not explicitly set. [[GH-22552](https://github.com/hashicorp/consul/issues/22552)]
## v1.20.9 (Enterprise)
## 1.20.9 Enterprise (July 28, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* Update `github.com/containerd/containerd` to 1.7.3 [[GH-10888](https://github.com/hashicorp/consul-enterprise/issues/10888)]
* Bump Dockerfile base image to `alpine:3.22`. [[GH-10872](https://github.com/hashicorp/consul-enterprise/issues/10872)]
* build(deps): bump golang.org/x/sync from 0.12.0 to 0.15.0 [[GH-10787](https://github.com/hashicorp/consul-enterprise/issues/10787)]
## v1.20.8 (Enterprise)
## 1.20.8 Enterprise (June 18, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* security: Upgrade UBI base image version to address CVE
[CVE-2025-4802](https://access.redhat.com/security/cve/cve-2025-4802)
[CVE-2024-40896](https://access.redhat.com/security/cve/cve-2024-40896)
[CVE-2024-12243](https://nvd.nist.gov/vuln/detail/CVE-2024-12243)
[CVE-2025-24528](https://access.redhat.com/security/cve/cve-2025-24528)
[CVE-2025-3277](https://access.redhat.com/security/cve/cve-2025-3277)
[CVE-2024-12133](https://access.redhat.com/security/cve/cve-2024-12133)
[CVE-2024-57970](https://access.redhat.com/security/cve/cve-2024-57970)
[CVE-2025-31115](https://access.redhat.com/security/cve/cve-2025-31115) [[GH-22409](https://github.com/hashicorp/consul/issues/22409)]
* cli: update tls ca and cert create to reduce excessive file perms for generated public files [[GH-22286](https://github.com/hashicorp/consul/issues/22286)]
* connect: Added non default namespace and partition checks to ConnectCA CSR requests. [[GH-22376](https://github.com/hashicorp/consul/issues/22376)]
* security: Upgrade Go to 1.23.10. [[GH-22412](https://github.com/hashicorp/consul/issues/22412)]
IMPROVEMENTS:
* config: Warn about invalid characters in `datacenter` resulting in non-generation of X.509 certificates when using external CA for agent TLS communication. [[GH-22382](https://github.com/hashicorp/consul/issues/22382)]
BUG FIXES:
* http: return a clear error when both Service.Service and Service.ID are missing during catalog registration [[GH-22381](https://github.com/hashicorp/consul/issues/22381)]
* license: (Enterprise only) Fixed issue where usage metrics are not written to the snapshot to export the license data. [[GH-10668](https://github.com/hashicorp/consul/issues/10668)]
## v1.20.0 (Enterprise)
## 1.20.0 (October 14, 2024)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
* Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
* UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]
* Upgrade Go to use 1.22.7. This addresses CVE
[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
* Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and
[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
* ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
* ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
* ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
* ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]
FEATURES:
* grafana: added the dashboards service-to-service dashboard, service dashboard, and consul dataplane dashboard [[GH-21806](https://github.com/hashicorp/consul/issues/21806)]
* server: remove v2 tenancy, catalog, and mesh experiments [[GH-21592](https://github.com/hashicorp/consul/issues/21592)]
IMPROVEMENTS:
* security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]
* connect: Add Envoy 1.31 and 1.30 to support matrix [[GH-21616](https://github.com/hashicorp/consul/issues/21616)]
BUG FIXES:
* jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]
## v1.19.13 (Enterprise)
## 1.19.13+ent (September 21, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* Migrate transitive dependency from archived `mitchellh/mapstructure` to `go-viper/mapstructure` to v2 to address [CVE-2025-52893](https://www.cve.org/CVERecord?id=CVE-2025-52893). [[GH-22581](https://github.com/hashicorp/consul/issues/22581)]
* agent: Add the KV Validations to block path traversal allowing access to unauthorized endpoints. [[GH-22682](https://github.com/hashicorp/consul/issues/22682)]
* agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [[GH-22534](https://github.com/hashicorp/consul/issues/22534)]
* agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [[GH-22626](https://github.com/hashicorp/consul/issues/22626)]
* api: add charset in all applicable content-types. [[GH-22598](https://github.com/hashicorp/consul/issues/22598)]
* connect: Upgrade envoy version to 1.32.12 [[GH-11331](https://github.com/hashicorp/consul/issues/11331)]
* security: Fix GHSA-65rg-554r-9j5x (CVE-2024-48908) by upgrading lycheeverse/lychee-action. [[GH-22667](https://github.com/hashicorp/consul/issues/22667)]
* security: Fix a security vulnerability where the attacker could bypass authentication by passing url params as there was no validation on them. [[GH-22612](https://github.com/hashicorp/consul/issues/22612)]
* security: perform constant time compare for sensitive values. [[GH-22537](https://github.com/hashicorp/consul/issues/22537)]
* security: upgrade go version to 1.25.0 [[GH-22652](https://github.com/hashicorp/consul/issues/22652)]
* security:: **(Enterprise only)** fix nil pointer dereference.
* security:: **(Enterprise only)** fix potential race condition in partition CRUD.
* security:: **(Enterprise only)** perform constant time compare for sensitive values.
FEATURES:
* config: Add new parameter `max_request_headers_kb` to configure maximum header size for requests from downstream to upstream [[GH-22604](https://github.com/hashicorp/consul/issues/22604)]
* config: Handle a new parameter `max_request_headers_kb` to configure maximum header size for requests from downstream to upstream in API Gateway config and proxy-defaults [[GH-22679](https://github.com/hashicorp/consul/issues/22679)]
* config: Handle a new parameter `max_request_headers_kb` to configure maximum header size for requests from downstream to upstream in Mesh Gateway via service-defaults and proxy-defaults [[GH-22722](https://github.com/hashicorp/consul/issues/22722)]
* config: Handle a new parameter `max_request_headers_kb` to configure maximum header size for requests from downstream to upstream in Terminating Gateway service-defaults and proxy-defaults [[GH-22680](https://github.com/hashicorp/consul/issues/22680)]
BUG FIXES:
* agent: Don't show admin partition during errors [[GH-11154](https://github.com/hashicorp/consul/issues/11154)]
## v1.19.12 (Enterprise)
## 1.19.12 Enterprise (August 13, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* security: Update Go to 1.23.12 to address CVE-2025-47906 [[GH-22547](https://github.com/hashicorp/consul/issues/22547)]
IMPROVEMENTS:
* ui: Replaced internal code editor with HDS (HashiCorp Design System) code editor and code block components for improved accessibility and maintainability across the Consul UI. [[GH-22513](https://github.com/hashicorp/consul/issues/22513)]
BUG FIXES:
* cli: capture pprof when ACL is enabled and a token with operator:read is used, even if enable_debug config is not explicitly set. [[GH-22552](https://github.com/hashicorp/consul/issues/22552)]
## v1.19.11 (Enterprise)
## 1.19.11 Enterprise (July 28, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* Bump Dockerfile base image to `alpine:3.22`. [[GH-10871](https://github.com/hashicorp/consul-enterprise/issues/10871)]
* build(deps): bump golang.org/x/sync from 0.12.0 to 0.15.0 [[GH-22413](https://github.com/hashicorp/consul-enterprise/issues/22413)]
## v1.19.10 (Enterprise)
## 1.19.10 Enterprise (June 18, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
SECURITY:
* security: Upgrade UBI base image version to address CVE
[CVE-2025-4802](https://access.redhat.com/security/cve/cve-2025-4802)
[CVE-2024-40896](https://access.redhat.com/security/cve/cve-2024-40896)
[CVE-2024-12243](https://nvd.nist.gov/vuln/detail/CVE-2024-12243)
[CVE-2025-24528](https://access.redhat.com/security/cve/cve-2025-24528)
[CVE-2025-3277](https://access.redhat.com/security/cve/cve-2025-3277)
[CVE-2024-12133](https://access.redhat.com/security/cve/cve-2024-12133)
[CVE-2024-57970](https://access.redhat.com/security/cve/cve-2024-57970)
[CVE-2025-31115](https://access.redhat.com/security/cve/cve-2025-31115) [[GH-22409](https://github.com/hashicorp/consul/issues/22409)]
* cli: update tls ca and cert create to reduce excessive file perms for generated public files [[GH-22286](https://github.com/hashicorp/consul/issues/22286)]
* connect: Added non default namespace and partition checks to ConnectCA CSR requests. [[GH-22376](https://github.com/hashicorp/consul/issues/22376)]
* security: Upgrade Go to 1.23.10. [[GH-22412](https://github.com/hashicorp/consul/issues/22412)]
IMPROVEMENTS:
* config: Warn about invalid characters in `datacenter` resulting in non-generation of X.509 certificates when using external CA for agent TLS communication. [[GH-22382](https://github.com/hashicorp/consul/issues/22382)]
* http: Add peer query param on catalog service API [[GH-22189](https://github.com/hashicorp/consul/issues/22189)]
BUG FIXES:
* http: return a clear error when both Service.Service and Service.ID are missing during catalog registration [[GH-22381](https://github.com/hashicorp/consul/issues/22381)]
* license: (Enterprise only) Fixed issue where usage metrics are not written to the snapshot to export the license data. [[GH-10668](https://github.com/hashicorp/consul/issues/10668)]
## v1.19.0 (Enterprise)
## 1.19.0 (June 12, 2024)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
BREAKING CHANGES:
* telemetry: State store usage metrics with a double `consul` element in the metric name have been removed. Please use the same metric without the second `consul` instead. As an example instead of `consul.consul.state.config_entries` use `consul.state.config_entries` [[GH-20674](https://github.com/hashicorp/consul/issues/20674)]
SECURITY:
* Upgrade to support Envoy `1.27.5 and 1.28.3`. This resolves CVE
[CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475) (`auto_sni`). [[GH-21017](https://github.com/hashicorp/consul/issues/21017)]
* Upgrade to support k8s.io/apimachinery `v0.18.7 or higher`. This resolves CVE
[CVE-2020-8559](https://nvd.nist.gov/vuln/detail/CVE-2020-8559). [[GH-21017](https://github.com/hashicorp/consul/issues/21017)]
FEATURES:
* dns: queries now default to a refactored DNS server that is v1 and v2 Catalog compatible.
Use `v1dns` in the `experiments` agent config to disable.
The legacy server will be removed in a future release of Consul.
See the [Consul 1.19.x Release Notes](https://developer.hashicorp.com/consul/docs/release-notes/consul/v1_19_x) for removed DNS features. [[GH-20715](https://github.com/hashicorp/consul/issues/20715)]
* gateways: api-gateway can leverage listener TLS certificates available on the gateway's local filesystem by specifying the public certificate and private key path in the new file-system-certificate configuration entry [[GH-20873](https://github.com/hashicorp/consul/issues/20873)]
IMPROVEMENTS:
* dns: new version was not supporting partition or namespace being set to 'default' in CE version. [[GH-21230](https://github.com/hashicorp/consul/issues/21230)]
* mesh: update supported envoy version 1.29.4 in addition to 1.28.3, 1.27.5, 1.26.8. [[GH-21142](https://github.com/hashicorp/consul/issues/21142)]
* upgrade go version to v1.22.4. [[GH-21265](https://github.com/hashicorp/consul/issues/21265)]
* Upgrade `github.com/envoyproxy/go-control-plane` to 0.12.0. [[GH-20973](https://github.com/hashicorp/consul/issues/20973)]
* dns: DNS-over-grpc when using `consul-dataplane` now accepts partition, namespace, token as metadata to default those query parameters.
`consul-dataplane` v1.5+ will send this information automatically. [[GH-20899](https://github.com/hashicorp/consul/issues/20899)]
* snapshot: Add `consul snapshot decode` CLI command to output a JSON object stream of all the snapshots data. [[GH-20824](https://github.com/hashicorp/consul/issues/20824)]
* telemetry: Add `telemetry.disable_per_tenancy_usage_metrics` in agent configuration to disable setting tenancy labels on usage metrics. This significantly decreases CPU utilization in clusters with many admin partitions or namespaces.
* telemetry: Improved the performance usage metrics emission by not outputting redundant metrics. [[GH-20674](https://github.com/hashicorp/consul/issues/20674)]
DEPRECATIONS:
* snapshot agent: **(Enterprise only)** Top level single snapshot destinations `local_storage`, `aws_storage`, `azure_blob_storage`, and `google_storage` in snapshot agent configuration files are now deprecated. Use the `backup_destinations` config object instead.
BUG FIXES:
* docs: Consul DNS Forwarding configuration for OpenShift update for [Resolve Consul DNS Requests in Kubernetes](https://developer.hashicorp.com/consul/docs/k8s/dns) [[GH-20439](https://github.com/hashicorp/consul/issues/20439)]
* hcp: fix error logs when failing to push metrics [[GH-20514](https://github.com/hashicorp/consul/issues/20514)]
* streaming: Handle ACL errors consistently when blocking query timeout is reached. [[GH-20876](https://github.com/hashicorp/consul/issues/20876)]
## v1.18.17 (Enterprise)
## 1.18.17+ent (November 17, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
SECURITY:
* Update `registry.access.redhat.com/ubi9-minimal` image to 9.6 to address CVEs [[GH-11815](https://github.com/hashicorp/consul/issues/11815)]
* security: Upgrade golang to 1.25.4. [[GH-23029](https://github.com/hashicorp/consul/issues/23029)]
IMPROVEMENTS:
* ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [[GH-23004](https://github.com/hashicorp/consul/issues/23004)]
* ui: resolved multiple Ember deprecations:
- Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
- Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
- Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [[GH-23010](https://github.com/hashicorp/consul/issues/23010)]
BUG FIXES:
* acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [[GH-22954](https://github.com/hashicorp/consul/issues/22954)]
* xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [[GH-23049](https://github.com/hashicorp/consul/issues/23049)]
* xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [[GH-23035](https://github.com/hashicorp/consul/issues/23035)]
## v1.18.16 (Enterprise)
## 1.18.16+ent (October 30, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
SECURITY:
* security: Adding warning when remote/local script checks are enabled without enabling ACL's [[GH-22877](https://github.com/hashicorp/consul/issues/22877)]
* security: Fixed proxied URL path validation to prevent path traversal. [[GH-22671](https://github.com/hashicorp/consul/issues/22671)]
* security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks[CVE-2025-11374]() [[GH-22916](https://github.com/hashicorp/consul/issues/22916)]
* security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves [CVE-2025-11375](https://nvd.nist.gov/vuln/detail/CVE-2025-11375). [[GH-22836](https://github.com/hashicorp/consul/issues/22836)]
* security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks. This resolves [CVE-2025-11392](https://nvd.nist.gov/vuln/detail/CVE-2025-11392). [[GH-22850](https://github.com/hashicorp/consul/issues/22850)]
FEATURES:
* install: Updated license information displayed during post-install
IMPROVEMENTS:
* api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [[GH-22837](https://github.com/hashicorp/consul/issues/22837)]
* security: Upgrade golang to 1.25.3. [[GH-22926](https://github.com/hashicorp/consul/issues/22926)]
* ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [[GH-22947](https://github.com/hashicorp/consul/issues/22947)]
* ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [[GH-22770](https://github.com/hashicorp/consul/issues/22770)]
* ui: Replace yarn with pnpm for package management [[GH-22790](https://github.com/hashicorp/consul/issues/22790)]
* ui: Replaced `reopen()` calls with direct property assignment and subclassing to resolve Ember component reopen deprecation warnings [[GH-22971](https://github.com/hashicorp/consul/issues/22971)]
* ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [[GH-22813](https://github.com/hashicorp/consul/issues/22813)]
* ui: removed deprecated Route#renderTemplate usage by introducing DebugLayout component and controller-based conditional rendering for docs routes [[GH-22978](https://github.com/hashicorp/consul/issues/22978)]
* ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [[GH-22938](https://github.com/hashicorp/consul/issues/22938)]
* ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [[GH-22888](https://github.com/hashicorp/consul/issues/22888)]
BUG FIXES:
* ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [[GH-22789](https://github.com/hashicorp/consul/issues/22789)]
* ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [[GH-22752](https://github.com/hashicorp/consul/issues/22752)]