Consul Changelog File — HashiCorp

1.22.7 (April 21, 2026)

SECURITY:

security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go.opentelemetry.io/otel to 1.42.0 to remediate CVE-2026-24051 (Path Hijacking / Untrusted Search Paths on macOS). [GH-23387]
test-sds-server: bump github.com/hashicorp/consul to v1.22.5 in integration test module to align with the CVE-2026-2808 fixed release line. [GH-23437]
ui: (Enterprise only) Backport Rollup update to 2.80.0 for release/1.21.x to address CVE-2026-27606 (SECVULN-38912).

IMPROVEMENTS:

acl: Addition of TokenNameFormat field to auth-method and parse the same for token name [GH-23444]
discovery-chain: removes the use of hashstructure_v2 ([github.com/mitchellh/hashstructure/v2] from compiled discovery chain hashing and replaces it with explicit custom hash implementations. [GH-23393]
ui: removed consul docs website related code as it is being maintained in a separate internal repository. [GH-23398]

BUG FIXES:

api-gateway: fix HTTPRoute PathPrefix routing to preserve the original request path when replacePrefixMatch is not configured [GH-23390]

1.22.7 Enterprise (April 21, 2026)

SECURITY:

security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go version to 1.25.8
connect: Upgrade envoy version to 1.35.10 and 1.34.14 [GH-12602]
security(ui): backport Rollup fix to 2.80.0 in release/1.22.x to address CVE-2026-27606 (SECVULN-38912). [GH-23359]
security: upgrade go.opentelemetry.io/otel to 1.42.0 to remediate CVE-2026-24051 (Path Hijacking / Untrusted Search Paths on macOS). [GH-23387]
test-sds-server: bump github.com/hashicorp/consul to v1.22.5 in integration test module to align with the CVE-2026-2808 fixed release line. [GH-23437]

IMPROVEMENTS:

acl: Addition of TokenNameFormat field to auth-method and parse the same for token name [GH-23444]
discovery-chain: removes the use of hashstructure_v2 ([github.com/mitchellh/hashstructure/v2] from compiled discovery chain hashing and replaces it with explicit custom hash implementations. [GH-23393]
ui: removed consul docs website related code as it is being maintained in a separate internal repository. [GH-23398]

BUG FIXES:

api-gateway: fix HTTPRoute PathPrefix routing to preserve the original request path when replacePrefixMatch is not configured [GH-23390]

1.21.13 Enterprise (April 21, 2026)

SECURITY:

security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go.opentelemetry.io/otel to 1.42.0 to remediate CVE-2026-24051 (Path Hijacking / Untrusted Search Paths on macOS). [GH-23387]
test-sds-server: bump github.com/hashicorp/consul to v1.22.5 in integration test module to align with the CVE-2026-2808 fixed release line. [GH-23437]
security: upgrade go version to 1.25.9
ui: (Enterprise only) Backport Rollup update to 2.80.0 for release/1.21.x to address CVE-2026-27606 (SECVULN-38912). [GH-23359]

IMPROVEMENTS:

acl: Addition of TokenNameFormat field to auth-method and parse the same for token name [GH-23444]
discovery-chain: removes the use of hashstructure_v2 ([github.com/mitchellh/hashstructure/v2] from compiled discovery chain hashing and replaces it with explicit custom hash implementations. [GH-23393]
ui: removed consul docs website related code as it is being maintained in a separate internal repository. [GH-23398]

BUG FIXES:

api-gateway: fix HTTPRoute PathPrefix routing to preserve the original request path when replacePrefixMatch is not configured [GH-23390]

1.22.6 (March 23, 2026)

SECURITY:

security: upgrade envoy version to 1.35.9 and 1.34.13 [GH-23372]
security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go version to 1.25.8 [GH-23322]
security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [GH-23322]

IMPROVEMENTS:

api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [GH-23216]
ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [GH-23341]
ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [GH-23271]
ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [GH-23289]

1.22.6 Enterprise (March 23, 2026)

SECURITY:

security: upgrade envoy version to 1.35.9 and 1.34.13 [GH-23372]
security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go version to 1.25.8 [GH-23322]
security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [GH-23322]

IMPROVEMENTS:

api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [GH-23216]
ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [GH-23341]
ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [GH-23271]
ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [GH-23289]

1.21.12 Enterprise (March 23, 2026)

SECURITY:

security: upgrade go version to 1.25.8 [GH-23300]
security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [GH-23322]

IMPROVEMENTS:

api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [GH-23216]
ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [GH-23341]
ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [GH-23271]
ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [GH-23289]

1.18.22 Enterprise (March 23, 2026)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go version to 1.25.8 [GH-23322]
security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [GH-23322]

IMPROVEMENTS:

api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [GH-23216]
ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [GH-23341]
ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [GH-23271]
ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [GH-23289]

1.22.5 (February 26, 2026)

SECURITY:

security: upgrade go version to 1.25.7 [GH-23204]
dockerfile: update the Consul build Go base image to alpine3.23 [GH-23194]
connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]

IMPROVEMENTS:

api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]
docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [GH-23246]
api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]

1.22.5 Enterprise (February 26, 2026)

SECURITY:

security: upgrade go version to 1.25.7 [GH-23204]
dockerfile: the Consul build Go base image to alpine3.23 [GH-23194]
connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]

IMPROVEMENTS:

api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]
docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [GH-23246]
api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]

1.21.11 Enterprise (February 26, 2026)

SECURITY:

security: upgrade go version to 1.25.7 [GH-23204]
dockerfile: the Consul build Go base image to alpine3.23 [GH-23194]
connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]

IMPROVEMENTS:

api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]
docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [GH-23246]
api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]

1.18.21 Enterprise (February 26, 2026)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

security: upgrade go version to 1.25.7 [GH-23204]
dockerfile: the Consul build Go base image to alpine3.23 [GH-23194]
connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]

IMPROVEMENTS:

api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]
docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [GH-23246]
api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]

1.22.4

WITHDRAWN - This release has been retracted from public distribution due to critical issues. Please use 1.22.5 or remain on 1.22.3.

1.22.3 (January 23, 2026)

SECURITY:

Update the Consul Build Go base image to alpine3.23.2 [GH-23138]

IMPROVEMENTS:

api: Add consul services imported-services and new api(/v1/exported-services) command to list services imported by partitions within a local datacenter [GH-12045]
connect: added ability to configure Virtual IP range for t-proxy with CIDRs [GH-23085]

1.22.1 (November 27, 2025)

SECURITY:

connect: Upgrade envoy version to 1.35.6 [GH-23056]
security: Updated golang.org/x/crypto from v0.42.0 to v0.44.0. This resolves GO-2025-4116

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: Replaced reopen() calls with direct property assignment and subclassing to resolve Ember component reopen deprecation warnings [GH-22971]
ui: removed deprecated Route#renderTemplate usage by introducing DebugLayout component and controller-based conditional rendering for docs routes [GH-22978]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

1.22.1 Enterprise (November 27, 2025)

SECURITY:

connect: Upgrade envoy version to 1.35.6 [GH-23056]
security: Updated golang.org/x/crypto from v0.42.0 to v0.44.0. This resolves GO-2025-4116

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: Replaced reopen() calls with direct property assignment and subclassing to resolve Ember component reopen deprecation warnings [GH-22971]
ui: removed deprecated Route#renderTemplate usage by introducing DebugLayout component and controller-based conditional rendering for docs routes [GH-22978]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

1.21.7 Enterprise (November 27, 2025)

SECURITY:

security: Upgrade golang to 1.25.4. [GH-23029]

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

1.20.13 Enterprise (November 27, 2025)

SECURITY:

security: Upgrade golang to 1.25.4. [GH-23029]

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

1.18.17 Enterprise (November 27, 2025)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

Update registry.access.redhat.com/ubi9-minimal image to 9.6 to address CVEs [GH-11815]
security: Upgrade golang to 1.25.4. [GH-23029]

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

1.22.0 Enterprise (October 24, 2025)

SECURITY:

connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

FEATURES:

Added support to register a service in consul with multiple ports [GH-22769]
agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
install: Updated license information displayed during post-install
ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

security: Upgrade golang to 1.25.3. [GH-22926]
ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]
api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]

BUG FIXES:

ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]
cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

1.22.0 (October 24, 2025)

SECURITY:

connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

FEATURES:

Added support to register a service in consul with multiple ports [GH-22769]
agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
install: Updated license information displayed during post-install
ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

security: Upgrade golang to 1.25.3. [GH-22926]
ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]
api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]

BUG FIXES:

ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]
cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

1.22.0-rc2+ent (October 15, 2025)

SECURITY:

security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

BUG FIXES:

cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

1.22.7 (April 21, 2026)

SECURITY:

security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go.opentelemetry.io/otel to 1.42.0 to remediate CVE-2026-24051 (Path Hijacking / Untrusted Search Paths on macOS). [GH-23387]
test-sds-server: bump github.com/hashicorp/consul to v1.22.5 in integration test module to align with the CVE-2026-2808 fixed release line. [GH-23437]
ui: (Enterprise only) Backport Rollup update to 2.80.0 for release/1.21.x to address CVE-2026-27606 (SECVULN-38912).

IMPROVEMENTS:

acl: Addition of TokenNameFormat field to auth-method and parse the same for token name [GH-23444]
discovery-chain: removes the use of hashstructure_v2 ([github.com/mitchellh/hashstructure/v2] from compiled discovery chain hashing and replaces it with explicit custom hash implementations. [GH-23393]
ui: removed consul docs website related code as it is being maintained in a separate internal repository. [GH-23398]

BUG FIXES:

api-gateway: fix HTTPRoute PathPrefix routing to preserve the original request path when replacePrefixMatch is not configured [GH-23390]

1.22.7 Enterprise (April 21, 2026)

SECURITY:

security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go version to 1.25.8
connect: Upgrade envoy version to 1.35.10 and 1.34.14 [GH-12602]
security(ui): backport Rollup fix to 2.80.0 in release/1.22.x to address CVE-2026-27606 (SECVULN-38912). [GH-23359]
security: upgrade go.opentelemetry.io/otel to 1.42.0 to remediate CVE-2026-24051 (Path Hijacking / Untrusted Search Paths on macOS). [GH-23387]
test-sds-server: bump github.com/hashicorp/consul to v1.22.5 in integration test module to align with the CVE-2026-2808 fixed release line. [GH-23437]

IMPROVEMENTS:

acl: Addition of TokenNameFormat field to auth-method and parse the same for token name [GH-23444]
discovery-chain: removes the use of hashstructure_v2 ([github.com/mitchellh/hashstructure/v2] from compiled discovery chain hashing and replaces it with explicit custom hash implementations. [GH-23393]
ui: removed consul docs website related code as it is being maintained in a separate internal repository. [GH-23398]

BUG FIXES:

api-gateway: fix HTTPRoute PathPrefix routing to preserve the original request path when replacePrefixMatch is not configured [GH-23390]

1.21.13 Enterprise (April 21, 2026)

SECURITY:

security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go.opentelemetry.io/otel to 1.42.0 to remediate CVE-2026-24051 (Path Hijacking / Untrusted Search Paths on macOS). [GH-23387]
test-sds-server: bump github.com/hashicorp/consul to v1.22.5 in integration test module to align with the CVE-2026-2808 fixed release line. [GH-23437]
security: upgrade go version to 1.25.9
ui: (Enterprise only) Backport Rollup update to 2.80.0 for release/1.21.x to address CVE-2026-27606 (SECVULN-38912). [GH-23359]

IMPROVEMENTS:

acl: Addition of TokenNameFormat field to auth-method and parse the same for token name [GH-23444]
discovery-chain: removes the use of hashstructure_v2 ([github.com/mitchellh/hashstructure/v2] from compiled discovery chain hashing and replaces it with explicit custom hash implementations. [GH-23393]
ui: removed consul docs website related code as it is being maintained in a separate internal repository. [GH-23398]

BUG FIXES:

api-gateway: fix HTTPRoute PathPrefix routing to preserve the original request path when replacePrefixMatch is not configured [GH-23390]

1.22.6 (March 23, 2026)

SECURITY:

security: upgrade envoy version to 1.35.9 and 1.34.13 [GH-23372]
security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go version to 1.25.8 [GH-23322]
security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [GH-23322]

IMPROVEMENTS:

api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [GH-23216]
ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [GH-23341]
ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [GH-23271]
ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [GH-23289]

1.22.6 Enterprise (March 23, 2026)

SECURITY:

security: upgrade envoy version to 1.35.9 and 1.34.13 [GH-23372]
security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go version to 1.25.8 [GH-23322]
security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [GH-23322]

IMPROVEMENTS:

api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [GH-23216]
ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [GH-23341]
ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [GH-23271]
ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [GH-23289]

1.21.12 Enterprise (March 23, 2026)

SECURITY:

security: upgrade go version to 1.25.8 [GH-23300]
security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [GH-23322]

IMPROVEMENTS:

api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [GH-23216]
ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [GH-23341]
ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [GH-23271]
ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [GH-23289]

1.18.22 Enterprise (March 23, 2026)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
security: upgrade go version to 1.25.8 [GH-23322]
security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [GH-23322]

IMPROVEMENTS:

api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [GH-23216]
ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [GH-23341]
ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [GH-23271]
ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [GH-23289]

1.22.5 (February 26, 2026)

SECURITY:

security: upgrade go version to 1.25.7 [GH-23204]
dockerfile: update the Consul build Go base image to alpine3.23 [GH-23194]
connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]

IMPROVEMENTS:

api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]
docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [GH-23246]
api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]

1.22.5 Enterprise (February 26, 2026)

SECURITY:

security: upgrade go version to 1.25.7 [GH-23204]
dockerfile: the Consul build Go base image to alpine3.23 [GH-23194]
connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]

IMPROVEMENTS:

api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]
docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [GH-23246]
api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]

1.21.11 Enterprise (February 26, 2026)

SECURITY:

security: upgrade go version to 1.25.7 [GH-23204]
dockerfile: the Consul build Go base image to alpine3.23 [GH-23194]
connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]

IMPROVEMENTS:

api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]
docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [GH-23246]
api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]

1.18.21 Enterprise (February 26, 2026)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

security: upgrade go version to 1.25.7 [GH-23204]
dockerfile: the Consul build Go base image to alpine3.23 [GH-23194]
connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]

IMPROVEMENTS:

api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]
docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [GH-23246]
api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]

1.22.4

WITHDRAWN - This release has been retracted from public distribution due to critical issues. Please use 1.22.5 or remain on 1.22.3.

1.22.3 (January 23, 2026)

SECURITY:

Update the Consul Build Go base image to alpine3.23.2 [GH-23138]

IMPROVEMENTS:

api: Add consul services imported-services and new api(/v1/exported-services) command to list services imported by partitions within a local datacenter [GH-12045]
connect: added ability to configure Virtual IP range for t-proxy with CIDRs [GH-23085]

1.22.1 (November 27, 2025)

SECURITY:

connect: Upgrade envoy version to 1.35.6 [GH-23056]
security: Updated golang.org/x/crypto from v0.42.0 to v0.44.0. This resolves GO-2025-4116

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: Replaced reopen() calls with direct property assignment and subclassing to resolve Ember component reopen deprecation warnings [GH-22971]
ui: removed deprecated Route#renderTemplate usage by introducing DebugLayout component and controller-based conditional rendering for docs routes [GH-22978]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

1.22.1 Enterprise (November 27, 2025)

SECURITY:

connect: Upgrade envoy version to 1.35.6 [GH-23056]
security: Updated golang.org/x/crypto from v0.42.0 to v0.44.0. This resolves GO-2025-4116

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: Replaced reopen() calls with direct property assignment and subclassing to resolve Ember component reopen deprecation warnings [GH-22971]
ui: removed deprecated Route#renderTemplate usage by introducing DebugLayout component and controller-based conditional rendering for docs routes [GH-22978]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

1.21.7 Enterprise (November 27, 2025)

SECURITY:

security: Upgrade golang to 1.25.4. [GH-23029]

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

1.20.13 Enterprise (November 27, 2025)

SECURITY:

security: Upgrade golang to 1.25.4. [GH-23029]

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

1.18.17 Enterprise (November 27, 2025)

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

Update registry.access.redhat.com/ubi9-minimal image to 9.6 to address CVEs [GH-11815]
security: Upgrade golang to 1.25.4. [GH-23029]

IMPROVEMENTS:

ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
ui: resolved multiple Ember deprecations:

Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

1.22.0 Enterprise (October 24, 2025)

SECURITY:

connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

FEATURES:

Added support to register a service in consul with multiple ports [GH-22769]
agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
install: Updated license information displayed during post-install
ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

security: Upgrade golang to 1.25.3. [GH-22926]
ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]
api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]

BUG FIXES:

ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]
cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

1.22.0 (October 24, 2025)

SECURITY:

connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

FEATURES:

Added support to register a service in consul with multiple ports [GH-22769]
agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
install: Updated license information displayed during post-install
ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

security: Upgrade golang to 1.25.3. [GH-22926]
ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]
api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]

BUG FIXES:

ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]
cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

1.22.0-rc2+ent (October 15, 2025)

SECURITY:

security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

BUG FIXES:

cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]