Submodule variable validation fixed during init
Fixed submodule variable validation during init and added concurrency safety to configs.Parser and SourceBundleParser.
Fixed a bug where renaming or rejoining a server could evict the live leader from the internal server lookup, causing Raft leader errors on follower RPCs. Inbound HTTP requests now have the x-forwarded-client-cert header stripped before forwarding to local services. Also includes Go and Envoy security upgrades, OIDC/JWT claim mapping support for auth method token names, and product telemetry export cadence preservation across restarts.
LIST requests with a trailing slash now correctly respect more-specific deny policies, fixing an ACL bypass where a request to LIST kv/private/ could skip a deny on kv/*. Also introduces beta support for AI agents in Enterprise, including an agent registry and OAuth resource server capabilities. Plus a constant-time recovery token comparison and several security fixes across RADIUS, SPIFFE, and transform.
Vault 2.0 has started rolling out to HCP Vault Dedicated clusters on AWS and Azure. Refer to [HCP Vault Dedicated changelog](https://developer.hashico...
Fixed an issue where resources being removed from state via removed block were incorrectly listed under planned_values in JSON plan representations, and a panic in console when evaluating expressions with deprecated values. Also fixed exit codes for plan, query, and refresh commands on variable errors, and two module installation edge cases with null and sensitive/ephemeral module sources.
Vault containers no longer have the cap_ipc_lock capability, preventing calls to mlock() for memory locking—operators should set disable_mlock = true in configuration and disable swapping at runtime. SSH RSA key sizes are now limited to a maximum of 8192 bits (CVE-2026-39829). Also fixed plugin signature verification failures with expired PGP keys and a transit key version dropdown state issue.
Fixed a crash during terraform init when modules have an empty source. Also added support for module version evaluating to null in dynamic module sources.
Applied HTTP request path normalization on API Gateway and Terminating Gateway listeners to prevent L7 intention RBAC bypass via non-normalized paths (CVE-2024-10005). Enterprise deployments gain a new "rate-limit" config entry that enables dynamic, cluster-wide RPC rate limiting stored in Raft and automatically replicated to all servers. Also upgraded Envoy to 1.37.2, Go to 1.26, and patched multiple curl CVEs in the Docker container image.
Terraform now produces builds for Linux s390x (zLinux). Fixed provider binary installation into symlinked directories during init.
Fixed a crash during provider installation when there is no config, and a bug that prevented migrating resources under multiple layers of module nesting with implicit provider configuration. Cloud backend now forwards the -generate-config-out flag to query create requests.