LIST requests with a trailing slash now correctly respect more-specific deny policies, fixing an ACL bypass where a request to LIST kv/private/ could skip a deny on kv/*. Also introduces beta support for AI agents in Enterprise, including an agent registry and OAuth resource server capabilities. Plus a constant-time recovery token comparison and several security fixes across RADIUS, SPIFFE, and transform.
Vault
Vault containers no longer have the cap_ipc_lock capability, preventing calls to mlock() for memory locking—operators should set disable_mlock = true in configuration and disable swapping at runtime. SSH RSA key sizes are now limited to a maximum of 8192 bits (CVE-2026-39829). Also fixed plugin signature verification failures with expired PGP keys and a transit key version dropdown state issue.
SECURITY:
- Upgrade
cloudflare/circlto v1.6.3 to resolve CVE-2026-1229 - Upgrade
filippo.io/edwards25519to v1.1.1 to resolve GO-2026-4503 - vault/sdk: Upgrade
cloudflare/circlto v1.6.3 to resolve CVE-2026-1229 - vault/sdk: Upgrade
go.opentelemetry.io/otel/sdkto…
February 05, 2026
SECURITY:
auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.
CHANGES:
core: Bump Go version to 1.25.6
FEATURES:
UI: Hashi-Built External Plugin Support: Recognize and support…
1.21.2
January 07, 2026
CHANGES:
- auth/oci: bump plugin to v0.20.1
- core: Bump Go version to 1.25.5
- packaging: Container images are now exported using a compressed OCI image layout.
- packaging: UBI container images are now built on the UBI 10 minimal…
1.21.1
November 20, 2025
SECURITY:
- auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client
- ui: disable scarf analytics for ui builds
CHANGES:
- auth/kubernetes: Update plugin to…
August 06, 2025
SECURITY:
- auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled…
1.20.0
June 25, 2025
SECURITY:
- core: require a nonce when cancelling a rekey operation that was initiated within the last 10 minutes. [GH-30794]
CHANGES:
- UI: remove outdated and unneeded js string…
1.20.0-rc1
June 11, 2025
SECURITY:
- core: require a nonce when cancelling a rekey operation that was initiated within the last 10 minutes. [GH-30794]
CHANGES:
- UI: remove outdated and unneeded js string…
1.19.5
May 30, 2025
Enterprise LTS: Vault Enterprise 1.19 is a Long-Term Support (LTS) release.
CHANGES:
- database/snowflake: Update plugin to v0.13.1…


