Fixed two Docker security issues: enforcement of allowed_modes or allow_privileged requirement for host namespace modes (CVE-2026-14891), and a symlink bypass of the volumes.enabled=false plugin configuration (CVE-2026-14896). Also fixed a cross-namespace host volume deletion bug and several scheduler issues affecting sticky volumes and feasibility checking.
Nomad
Fixed two Docker security issues: CVE-2026-14891 enforces allowed_modes or allow_privileged requirement for host namespace modes, and CVE-2026-14896 closes a symlink bypass for volumes.enabled=false. Also fixed a cross-namespace host volume deletion vulnerability and multiple scheduler and UI bugs including a ModifyIndex collision that omitted jobs from the jobs page.
Fixed a security bug where users with host-volume-delete permission in one namespace could delete claims from another namespace. Also fixed scheduler issues with sticky host volumes, a client panic after allocation garbage collection, and UI rendering of jobs with matching ModifyIndex values.
CLI debug bundles now redact token and certificate key flags and environment variables to prevent credential exposure. Fixed a bug where tasks could be killed mid-restart on template re-render, and restored support for multiple Vault namespaces in a single job.
Debug bundles now redact sensitive token and certificate key CLI flags and environment variables. Fixed a bug where tasks could be accidentally killed mid-restart on template re-render, and re-enabled use of multiple Vault namespaces in a single Enterprise job.
CLI flags and environment variables containing tokens and certificate keys are now redacted when writing debug bundles, addressing a security exposure. Added support for timeouts on batch jobs, and improved ACL token handling, Vault token renewal, and workload identity claims.
Fixed bugs where the client detail page, topology page, and evaluation detail panel would fail to render or render improperly in the UI.
Fixed UI rendering failures on the client detail page and topology page, and improper rendering of the evaluation detail panel.
Fixed an RPC permission denied error when using node_pool="all" in ACL rules. Also fixed UI rendering bugs affecting the client detail page, topology page, and evaluation detail panel.
Fixed two security vulnerabilities: prevented unintended code execution outside the plugin directory in dynamic host volumes (CVE-2026-7474) and protected the logging FIFO from symlink swap attacks (CVE-2026-6959). Allocation logs directory is now bind-mounted read-only for task drivers with filesystem isolation support, and plugin clients no longer leak file descriptors on agent restart.
Fixed two security vulnerabilities: logging FIFOs are now protected from symlink swap attacks (CVE-2026-6959), and dynamic host volumes prevent unintended code execution outside the plugin directory (CVE-2026-7474). The allocation logs directory is now bind-mounted read-only for task drivers with filesystem isolation, and a file descriptor leak in plugin clients on agent restart is fixed.
Fixed two security vulnerabilities: dynamic host volumes could allow unintended code execution outside the plugin directory (CVE-2026-7474), and logging FIFO was vulnerable to symlink swap attacks (CVE-2026-6959). Allocation logs directory is now bind-mounted read-only for task drivers with filesystem isolation support, and a plugin file descriptor leak on agent restart is fixed.
FEATURES:
- config: add nonproduction config option for server, license, and reporting config [GH-27646]
- core (Enterprise): Enable parsing and reporting with IBM PAO licenses
SECURITY:
- build: upgrade Go to 1.26.2…
FEATURES:
- core (Enterprise): Enable parsing and reporting with IBM PAO licenses
SECURITY:
- build: upgrade Go to 1.26.2 [GH-27831]
- ui: Increased the client-side generated OIDC nonce entropy to 256-bit.…
2.0.0 (April 21, 2026)
FEATURES:
FEATURES:
SECURITY:
- security: Upgrade tooling to Go 1.25.8 [GH-27653]
IMPROVEMENTS:
- consul (enterprise): adds ability to specify cluster specific consul tokens with environment variables…
SECURITY:
- security: Upgrade tooling to Go 1.25.8 [GH-27653]
BUG FIXES:
- acl: Fixed a bug where a bearer-token authenticated request could panic the handler for checking claims…
SECURITY:


