Upgraded Alpine base image to 3.24 to address CVE-2026-41989 and ALPINE-CVE-2026-2100, and upgraded Serf and Memberlist to their latest versions. XDS now returns errors when injecting L4 intention (RBAC) filter or mTLS transport socket onto inbound public listeners without enforcement, preventing listeners from being served without intention enforcement or mTLS. Also added ExtAuthzFilter support to HTTPRoute Filters and gateway-wide ExtAuthz toggle for api-gateway (Enterprise only), and External Processor (ext_proc) Envoy Extension support for api-gateway and connect-proxy (Enterprise only).
Consul
Fixed a bug where renaming or rejoining a server could evict the live leader from the internal server lookup, causing Raft leader errors on follower RPCs. Inbound HTTP requests now have the x-forwarded-client-cert header stripped before forwarding to local services. Also includes Go and Envoy security upgrades, OIDC/JWT claim mapping support for auth method token names, and product telemetry export cadence preservation across restarts.
Applied HTTP request path normalization on API Gateway and Terminating Gateway listeners to prevent L7 intention RBAC bypass via non-normalized paths (CVE-2024-10005). Enterprise deployments gain a new "rate-limit" config entry that enables dynamic, cluster-wide RPC rate limiting stored in Raft and automatically replicated to all servers. Also upgraded Envoy to 1.37.2, Go to 1.26, and patched multiple curl CVEs in the Docker container image.
Fixed CVE-2024-10005, an L7 intention RBAC bypass via non-normalized HTTP request paths on api-gateway and terminating-gateway listeners. Also fixed transaction endpoint authorization bypasses where service and check mutations could be authorized using request-provided names while applying changes by ID, including a bypass using the reserved consul service name. Increased default HTTP timeouts to 15 minutes to support long-polling blocking queries while maintaining Slowloris protection.
2.0.0-rc1 (April 29, 2026)
1.22.7 (April 21, 2026)
1.22.6 (March 23, 2026)
1.22.5 (February 26, 2026)
⚠️ Important Notice
We have identified an issue in Consul and Consul Enterprise Feb Patch Release (1.22.4, 1.22.4-ent, 1.21.10-ent, 1.18.20-ent) that requires a corrective patch release.
**We recommend that customers avoid using these versions in production…
1.22.3 (January 23, 2026)
SECURITY:
- Update the Consul Build Go base image to
alpine3.23.2[GH-23138]
IMPROVEMENTS:
- api: Add
consul services imported-servicesand new api(/v1/exported-services) command to…
1.22.2 (December 15, 2025)
1.22.0+ent (October 24, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or…
1.20.13+ent (November 17, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
1.20.12 (October 30, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
1.20.11+ent (September 21, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
1.20.10 Enterprise (August 13, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or…
1.20.9 Enterprise (July 28, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or…
1.20.8 Enterprise (June 18, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or…
1.20.0 (October 14, 2024)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.
1.19.13+ent (September 21, 2025)
This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

