HashiCorp

Container mlock disabled; SSH RSA keys capped at 8192 bits

This release: 2 enhancements, 2 fixes (AI-tallied from the release notes)
Vault · v2.0.2

BREAKING CHANGES:

  • containers: Remove cap_ipc_lock capability on vault at build time to allow running Vault in common container runtimes. Vault in containers will no longer be able to call mlock() to lock memory. Operators should set disable_mlock = true in Vault's configuration. Runtime operators are advised to disable swapping to guarantee data safety.
  • secrets/ssh: RSA key sizes are now limited to a maximum of 8192 bits, addressing CVE-2026-39829.

CHANGES:

  • core: Bump Go version to 1.26.4
  • secrets/azure (enterprise): Update plugin to v0.26.4+ent

BUG FIXES:

  • plugins: Fix plugin signature verification failure with expired PGP key when registering a plugin.
  • ui/transit: Fix key version dropdown selected state when editing a transit key.

Init no longer crashes on empty module source

This release: 1 enhancement, 1 fix (AI-tallied from the release notes)
Terraform · v1.15.5

1.15.5 (May 27, 2026)

ENHANCEMENTS:

  • Support for module version evaluating to null (in the context of dynamic module sources) (#38632)

BUG FIXES:

  • Fix crash on init for modules with empty source (#38628)

Gateway RBAC bypass fixed; global rate limiter added (Enterprise)

This release: 7 features, 7 enhancements, 6 fixes (AI-tallied from the release notes)
Consul · v2.0.0

2.0.0 (May 22, 2026)

SECURITY:

  • connect: Upgrade envoy version to 1.37.2 and newer versions [GH-23469]
  • go: Upgrade go version to 1.26 [GH-23493]
  • agent: Increased default HTTP server timeouts to prevent breaking long-polling blocking queries. read_timeout and write_timeout are now set to 15 minutes (up from 30 seconds), while read_header_timeout (10s) and idle_timeout (120s) still provide protection against Slowloris attacks. All timeouts remain configurable via the http_config block. [GH-23267]
  • api-gateway, terminating-gateway: Apply HTTP request path normalization on api-gateway and terminating-gateway HTTP listeners to prevent L7 intention RBAC bypass via non-normalized paths (CVE-2024-10005). [GH-23534]
  • docker: update ubi base image to ubi9-minimal:9.7. [GH-23553]
  • docker: Upgrade curl to >= 8.20.0 from Alpine edge in the container image to address CVE-2026-6429, CVE-2026-4873, CVE-2026-5773, CVE-2026-6253, CVE-2026-6276, CVE-2026-7168, CVE-2026-5545. Alpine 3.23 stable does not yet carry the patched version. [GH-23750]
  • docker: Update UBI base image to 9.8 to fix CVE-2026-2100. [GH-23588]

FEATURES:

  • (Enterprise Only) update to go-licensing/v4 and go-census/v3 in order to adapt to new licenses of PAO.
  • Global Rate Limiter: (Enterprise Only) a new "rate-limit" config entry kind that enables dynamic, cluster-wide RPC rate limiting stored in Raft and automatically replicated to all servers. This allows operators to apply or adjust global rate limits at runtime without restarting Consul servers — a critical capability for emergency scenarios where the cluster is under excessive load.
  • api-gateway: Added SDS certificate support for API Gateway listeners, including listener-level default TLS certificates and HTTP/TCP route service TLS SDS overrides. Service overrides inherit the listener SDS cluster when omitted, and gateway validation/xDS generation now rejects conflicting override mappings to keep certificate selection deterministic. [GH-23354]
  • api-gateway: add support for gateway-level default upstream limits and route service-level limit overrides for MaxConnections, MaxPendingRequests, and MaxConcurrentRequests. [GH-23396]
  • api: Added new API "/v1/internal/rpc/methods" that lists all RPC method names. Requires an operator:read ACL token. This is useful when users want to configure rate limits that exclude specific RPC endpoints. [GH-23329]
  • ca: (Enterprise Only) Added new Connect CA provider for Cyberark WIM (connect.ca_provider = "pan-distributed-issuer"), enabling Consul to issue certificates through Cyberark WIM.
  • server: (Enterprise Only) add stable cluster identity and leader-gated global registry sync for service summary publishing.
  • telemetry: (Enterprise Only) Product telemetry for self-managed Consul with anonymous, opt-in usage reporting.
  • mesh: (Enterprise Only) Introduce support for multi-port (named port) services in Consul, including the ability to specify and route traffic using port names, as well as to retrieve virtual IPs for specific service ports. It also enforces that certain advanced multi-port features are only available in Consul Enterprise, and includes new utility functions for cluster naming and ALPN protocol generation.

IMPROVEMENTS:

  • agent: (Enterprise Only) Add eventually-consistent background cache for Enterprise usage metrics, reducing GET /v1/operator/usage latency from O(PNK) to O(1) and lowering CPU/memory pressure during high-frequency scraping via a watch-driven maintainer goroutine.
  • mesh: (Enterprise Only) Introduce support for multi-port (named port) services in Consul, including the ability to specify and route traffic using port names, as well as to retrieve virtual IPs for specific service ports. It also enforces that certain advanced multi-port features are only available in Consul Enterprise, and includes new utility functions for cluster naming and ALPN protocol generation.
  • terminating-gateway: Updated the cluster upstream TLS to use SDS instead of static certs, allowing for dynamic certificate updates without needing to restart the terminating gateway. [GH-23288]
  • telemetry: Add certificate expiry monitoring with Prometheus metrics (labeled with datacenter/partition/namespace), structured logging with configurable severity thresholds, and enhanced Connect CA API to include NotAfter field for root and intermediate certificates. [GH-23147]
  • deps: Upgrade github.com/hashicorp/vault/sdk from v0.7.0 to v0.25.1 and github.com/hashicorp/vault/api from v1.12.2 to v1.16.0. [GH-23574]
  • test-integ: upgrade testcontainers-go (v0.22.0->v0.40.0) and docker/docker (v24.0.5->v28.5.1) in the integration test module. This removes opencontainers/runc as a Go dependency of the test framework. These are test infrastructure dependencies only and have no impact on the consul binary or any consul deployment. [GH-23573]
  • xds: (Enterprise Only) add Consecutive5xx, ConsecutiveGatewayFailure, and EnforcingConsecutiveGatewayFailure fields to PassiveHealthCheck, allowing operators to configure Envoy outlier detection thresholds for 5xx responses and gateway failures (502/503/504) on upstreams defaults.

BUG FIXES:

  • audit-logging: (Enterprise Only) Fixed JSON unmarshal error when an array of objects is passed for auditReq body.
  • cli: Enhanced error messages in consul config write command to provide actionable guidance when config entries cannot be modified due to references by gateways or routers. [GH-22921]
  • xds: Fixed XDS package to generate correct endpoints and cluster configurations for API Gateways when peered, and updated the API Gateway update handler to propagate mesh gateway config to its upstreams. [GH-23454]
  • XDS: Fixes issue with mesh-gateway in remote mode on AWS EKS, as DNS hostnames are assigned to AWS NLBs instead of IPs and Envoy's EDS endpoint validation expects the address to be an IP. Now EDS load assignment is skipped for non-peer remote mesh gateway targets with hostname-based gateways, keeping CDS/EDS in sync. [GH-23543]
  • api-gateway: resolve service subsets for routes during API gateway discovery chain synthesis. [GH-23294]
  • ui: Fix broken documentation links [GH-23578]

1.15.2 (May 6, 2026)

ENHANCEMENTS:

  • stacks: add output values to plan component instance change description (#38360)

BUG FIXES:

  • Avoid printing warnings from 'terraform output -json' (#38530)

1.15.1 (May 1, 2026)

BUG FIXES:

  • Fixed crash when configuration has an invalid action_trigger nested block in data or ephemeral lifecycle blocks (#38402)

  • validate: Removed validation of attributes inside backend blocks due to incompatibility with workflows using the -backend-config flag. (#38466)

  • Fix non-const variable checks on init (#38470)

  • Avoid warnings in 'terraform output -raw' (#38487)

  • Ignore undeclared variable values from the cloud backend (#38490)

  • Fix panic for types modules with no expanded instances (#38491)

  • Fixed "unknown provider function" errors occurring during init (#38472)

  • init: Fixed a bug that impacted use of provider pre-releases during init (#38496)

1.15.0 (April 29, 2026)

NEW FEATURES:

  • We now produce builds for Windows ARM64 (#32719)

  • You can set a deprecated attribute on variable and output blocks to indicate that they are deprecated. This will produce warnings when passing in a value for a deprecated variable or when referencing a deprecated output. (#38001)

  • backend/s3: Support authentication via aws login (#37976)

  • validate: The validate command now checks the backend block. This ensures the backend type exists, that all required attributes are present, and that the backend's own validation logic passes. (#38021)

  • convert function, which allows for precise inline type conversions (#38160)

  • Terraform now supports variables and locals in module source and version attributes (#38217)

ENHANCEMENTS:

  • config: output blocks can now have explicit type constraints (#36411)

  • ssh-based provisioner (file + remote-exec): Re-enable support for PowerShell (#37794)

  • terraform init log timestamps include millisecond precision (#37818)

  • init: skip dependencies declared in development override. This allows you to use terraform init with developer overrides and install dependencies that are not declared in the override file. (#37884)

  • Terraform Test: Allow functions within mock blocks (#34672)

  • improve detection of deprecated resource attributes / blocks (#38077)

  • Deprecation messages providers set on resources / blocks / attributes are now part of the deprecation warning (#38135)

  • Include which attribute paths are marked as sensitive in list_start JSON logs (#38197)

  • Add input variable validation for Stacks (#38240)

  • When comparing a container value to null, only top level marks are now considered for the result. (#38270)

  • As part of supporting variables in module sources, most commands now accept variable values (#38276)

BUG FIXES:

  • testing: File-level error diagnostics are now included in JUnit XML skipped test elements, ensuring CI/CD pipelines can detect validation failures (#37801)

  • A refresh-only plan could result in a non-zero exit code with no changes (#37406)

  • cli: Fixed crash in terraform show -json when plan contains ephemeral resources with preconditions or postconditions (#37834)

  • cli: Fixed terraform init -json to properly format all backend configuration messages as JSON instead of plain text (#37911)

  • state show: The state show command will now explicitly fail and return code 1 when it fails to render the named resource's state (#37933)

  • apply: Terraform will raise an explicit error if a plan file intended for one workspace is applied against another workspace (#37954)

  • lifecycle: replace_triggered_by now reports an error when given an invalid attribute reference that does not exist in the target resource (#36740)

  • backend: Fix nil pointer dereference crash during terraform init when the destination backend returns an error (#38027)

  • stacks: send progress events if the plan fails for better UI integration (#38039)

  • stacks: component instances should report no-op plan/apply. This solves a UI inconsistency with convergence destroy plans (#38049)

  • backend/http: Return conflicting lock info from HTTP backend instead of the lock that failed to be taken (#38144)

  • states: fixed a bug that caused Terraform to be unable to identify when two states had different output values. This may have caused issues in specific circumstances like backend migrations. (#38181)

  • cloud: terraform cloud and registry discovery network requests are now more resilient, making temporary network or service related errors less common (#38064)

  • Enable formatting of .tfquery.hcl files by terraform fmt (#38398)

  • Fix validate not returning JSON for some early diagnostics (#38400)

  • Fix Terraform Stacks plugin installation error (#38406)

NOTES:

  • command/init: Provider installation was refactored to enable future enhancements in the area. This results in different order of operations during init and 2 new log messages replacing one (initializing_provider_plugin_message). The change should not have any end-user impact aside from the init command output. (#38227)

UPGRADE NOTES:

  • backend/s3: The AWS_USE_FIPS_ENDPOINT and AWS_USE_DUALSTACK_ENDPOINT environment variables now only respect true or false values, aligning with the AWS SDK for Go. This replaces the previous behavior which treated any non-empty value as true. (#37601)

Previous Releases

For information on prior major and minor releases, refer to their changelogs:

1.22.7 (April 21, 2026)

SECURITY:

  • security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
  • security: upgrade go.opentelemetry.io/otel to 1.42.0 to remediate CVE-2026-24051 (Path Hijacking / Untrusted Search Paths on macOS). [GH-23387]
  • test-sds-server: bump github.com/hashicorp/consul to v1.22.5 in integration test module to align with the CVE-2026-2808 fixed release line. [GH-23437]
  • ui: (Enterprise only) Backport Rollup update to 2.80.0 for release/1.21.x to address CVE-2026-27606 (SECVULN-38912). [GH-23359]

IMPROVEMENTS:

  • acl: Addition of TokenNameFormat field to auth-method and parse the same for token name [GH-23444]
  • discovery-chain: removes the use of hashstructure_v2 (github.com/mitchellh/hashstructure/v2) from compiled discovery chain hashing and replaces it with explicit custom hash implementations. [GH-23393]
  • ui: removed consul docs website related code as it is being maintained in a separate internal repository. [GH-23398]

BUG FIXES:

  • api-gateway: fix HTTPRoute PathPrefix routing to preserve the original request path when replacePrefixMatch is not configured [GH-23390]

Nomad · ent-changelog-1.11.4

FEATURES:

  • config: add nonproduction config option for server, license, and reporting config [GH-27646]
  • core (Enterprise): Enable parsing and reporting with IBM PAO licenses

SECURITY:

  • build: upgrade Go to 1.26.2 [GH-27831]
  • ui: Increased the client-side generated OIDC nonce entropy to 256-bit. [GH-27749]

IMPROVEMENTS:

  • build: Upgrade to Go 1.26 [GH-27685]
  • metrics: adds a metric for total agent http connections [GH-26756]
  • secrets: increase secrets plugin execution timeout to 60s [GH-27779]
  • variables: Add variable events to the event stream [GH-27637]

BUG FIXES:

  • agent: Fixed a potential panic in agents using systemd notification [GH-27746]
  • agent: fix api.Job.Version used in job PUT actions [GH-27768]
  • drivers: handle SIGPIPE in executor to handle possible write errors after client restart [GH-27825]
  • identity: fix bug where client identity failed to renew after server upgrade to >=1.11.0 [GH-27773]
  • oidc: Fixed a bug where the request cache could be corrupted by concurrent requests with the same nonce [GH-27747]