Nomad Changelog File — HashiCorp

2.0.2 (May 22, 2026)

BUG FIXES:

acl: fix rpc permission denied error when using node_pool="all" [GH-27973]
ui: Fixed a bug where the client detail page would fail to render [GH-27958]
ui: Fixed a bug where the topology page would fail to render [GH-27958]
ui: Fixed a bug where the evaluation detail panel would render improperly [GH-27987]

2.0.1 (May 12, 2026)

BREAKING CHANGES:

logging: The allocation logs directory is bind-mounted read-only for task drivers that support with filesystem isolation [GH-27918]

SECURITY:

dynamic host volumes: Prevent unintended code execution outside the plugin directory (CVE-2026-7474) [GH-27919]
logging: Protect logging FIFO from symlink swap attacks (CVE-2026-6959) [GH-27918]
sentinel: require sentinel-override ACL capability for overriding soft-mandatory policies on volumes
ui: Upgraded Ember to 6.10 [GH-27674]

IMPROVEMENTS:

api: Add "latest" flag for tagging the latest version of a job [GH-27764]
build: Update Go toolchain to 1.26.3 [GH-27924]
cli: Added retry for nomad job run monitoring [GH-27887]
cli: Automatically expand nomad exec -it to -i -t [GH-27906]
cli: job plan now propagates -hcl2-strict=false into the suggested nomad job run -check-index invocation when the user passed it on the plan command line [GH-23656]
cli: add monitoring and verbose option to job dispatch [GH-27541]
drivers: include volume RequestName within mount config information if available [GH-27710]
scheduler: Add a configuration field for the number of nodes that the scheduler considers when spread or affinity is in use. This can improve scheduler performance for some cluster shapes. [GH-27650]
server: RPC dial timeout is configurable [GH-27862]
services: warn on job submit when job has services but no shutdown_delay [GH-27782]

BUG FIXES:

api: Fix a bug where the Create Job, Update Job, and Scale Job APIs could fail to respect EnforceIndex under concurrent requests [GH-27832]
core: avoid setting job to dead while waiting for allocations to reschedule [GH-27852]
csi: improve check of StagePublishBaseDir being subdirectory of MountDir [GH-27717]
deployments: reset ProgressDeadline after pausing and do not fail while paused [GH-27804]
drivers: kill plugin instance on dispense failure [GH-27711]
job (Enterprise): Renabled use of multiple vault namespaces in a single job
plugins: Fixed a bug where plugin clients would continuously leak file descriptors when the agent was restarted [GH-27885]
scheduler: Fixed a bug where preemption of allocations by tasks that require devices could incorrectly fail placement [GH-27880]

2.0.0 (April 21, 2026)

FEATURES:

config: add nonproduction config option for server, license, and reporting config [GH-27646]
core (Enterprise): Enable parsing and reporting with IBM PAO licenses

SECURITY:

build: upgrade Go to 1.26.2 [GH-27831]
ui: Increased the client-side generated OIDC nonce entropy to 256-bit. [GH-27749]

IMPROVEMENTS:

build (Enterprise): Added support for ppc64le CPU architecture on Linux
build: Upgrade to Go 1.26 [GH-27685]
metrics: adds a metric for total agent http connections [GH-26756]
secrets: increase secrets plugin execution timeout to 60s [GH-27779]
server: Added support for raft-WAL logstore [GH-27493]
variables: Add variable events to the event stream [GH-27637]

BUG FIXES:

agent: Fixed a potential panic in agents using systemd notification [GH-27746]
agent: fix api.Job.Version used in job PUT actions [GH-27768]
drivers: handle SIGPIPE in executor to handle possible write errors after client restart [GH-27825]
identity: fix bug where client identity failed to renew after server upgrade to >=1.11.0 [GH-27773]
oidc: Fixed a bug where the request cache could be corrupted by concurrent requests with the same nonce [GH-27747]
tls: fix parsing of combined key files when creating tls expiry metric [GH-27667]

1.11.6 Enterprise (May 22, 2026)

BUG FIXES:

ui: Fixed a bug where the client detail page would fail to render [GH-27958]
ui: Fixed a bug where the topology page would fail to render [GH-27958]
ui: Fixed a bug where the evaluation detail panel would render improperly [GH-27987]

1.11.5 Enterprise (May 12, 2026)

BREAKING CHANGES:

logging: The allocation logs directory is bind-mounted read-only for task drivers that support with filesystem isolation [GH-27918]

SECURITY:

dynamic host volumes: Prevent unintended code execution outside the plugin directory (CVE-2026-7474) [GH-27919]
logging: Protect logging FIFO from symlink swap attacks (CVE-2026-6959) [GH-27918]
sentinel: require sentinel-override ACL capability for overriding soft-mandatory policies on volumes
ui: Upgraded Ember to 6.10 [GH-27674]

IMPROVEMENTS:

build: Update Go toolchain to 1.26.3 [GH-27924]
drivers: include volume RequestName within mount config information if available [GH-27710]
server: RPC dial timeout is configurable [GH-27862]
services: warn on job submit when job has services but no shutdown_delay [GH-27782]

BUG FIXES:

api: Fix a bug where the Create Job, Update Job, and Scale Job APIs could fail to respect EnforceIndex under concurrent requests [GH-27832]
core: avoid setting job to dead while waiting for allocations to reschedule [GH-27852]
csi: improve check of StagePublishBaseDir being subdirectory of MountDir [GH-27717]
deployments: reset ProgressDeadline after pausing and do not fail while paused [GH-27804]
drivers: kill plugin instance on dispense failure [GH-27711]
job: renabled use of multiple vault namespaces in a single job [GH-4002]
plugins: Fixed a bug where plugin clients would continuously leak file descriptors when the agent was restarted [GH-27885]
scheduler: Fixed a bug where preemption of allocations by tasks that require devices could incorrectly fail placement [GH-27880]

1.11.4 Enterprise (April 21, 2026)

FEATURES:

config: add nonproduction config option for server, license, and reporting config [GH-27646]
core (Enterprise): Enable parsing and reporting with IBM PAO licenses

SECURITY:

build: upgrade Go to 1.26.2 [GH-27831]
ui: Increased the client-side generated OIDC nonce entropy to 256-bit. [GH-27749]

IMPROVEMENTS:

build: Upgrade to Go 1.26 [GH-27685]
metrics: adds a metric for total agent http connections [GH-26756]
secrets: increase secrets plugin execution timeout to 60s [GH-27779]
variables: Add variable events to the event stream [GH-27637]

BUG FIXES:

agent: Fixed a potential panic in agents using systemd notification [GH-27746]
agent: fix api.Job.Version used in job PUT actions [GH-27768]
drivers: handle SIGPIPE in executor to handle possible write errors after client restart [GH-27825]
identity: fix bug where client identity failed to renew after server upgrade to >=1.11.0 [GH-27773]
oidc: Fixed a bug where the request cache could be corrupted by concurrent requests with the same nonce [GH-27747]

1.11.3 (March 11, 2026)

SECURITY:

security: Upgrade tooling to Go 1.25.8 [GH-27653]

IMPROVEMENTS:

acl (Enterprise): Added sentinel policy block to allow managing Sentinel policies without a management token [GH-27556]
acl: Added fine-grained ACL capabilities for saving snapshots and reading the Enterprise license [GH-27525]
acl: Added fine-grained ACL capability for rotating the keyring [GH-27526]
agent: Added agent.tls.cert.expiration_seconds and agent.tls.ca.expiration_seconds telemetry data points to track TLS certificate expiration. [GH-27538]
cli: Added autocompletions for ACL auth method, binding rule, policy, and token subcommands [GH-27505]
cli: Improved options autocompletions for various commands [GH-27506]
cli: Reduced server overhead when dispatching jobs or forcing periodic jobs from the CLI [GH-27631]
cli: Truncate results when job commands return a large set of jobs that match the provided ID prefix [GH-27631]
consul (enterprise): adds ability to specify cluster specific consul tokens with environment variables [GH-27574]
events: Added a Deleted flag to JobDeregistered event type to differentiate between stopped and deleted jobs [GH-27614]

BUG FIXES:

acl: Fixed a bug where a bearer-token authenticated request could panic the handler for checking claims [GH-27550]
artifact: Fix artifact inspection when using file mode [GH-27552]
config: Fixed a bug where the keyring block could only be specified a maximum of two times [GH-27579]
config: Fixed parsing of Vault and Consul blocks as JSON that included objects such as task_identity [GH-27595]
consul: fixes bug where clients were passing node token to connect envoy container, causing acl not found errors [GH-27574]
core: Fixed system jobs being rescheduled after a node is drained and marked eligible again [GH-27499]
deployments: Fixed a bug where a task group dropped from a system job could cause deployment state to be overwritten incorrectly [GH-27604]
deployments: Fixed a bug where system job canary state could be incorrectly changed after a promotion [GH-27497]
deployments: Fixed a bug where system job deployments would not be marked healthy even though all allocations were healthy [GH-27497]
drivers: Pass error when included in fingerprint response [GH-27537]
dynamic host volumes: Fixed a bug with sticky volumes where replacement allocations would not use the previous volume claim [GH-27613]
http: Ensure the correct HTTP protocol version is set on event stream responses [GH-27586]
job status: Fixes regression setting job status when jobs have matching prefix [GH-27516]
keyring (Enterprise): Fixed a bug where in mixed-version clusters with pre-1.9 servers, a keyring rotation that returns an error for an unavailable KMS could prevent future server restarts [GH-27581]
scheduler: Fix a potential panic in the system scheduler when deploying jobs with multiple task groups and infeasible nodes that become feasible [GH-27571]
scheduler: Fixed a bug where system deployments would not complete on clusters with pre-1.11.0 nodes [GH-27605]
state: Fixed a potential state store corruption bug in the service/batch scheduler and deployment watcher [GH-27548]

1.11.2 (February 11, 2026)

SECURITY:

build: Updated toolchain to Go 1.25.6 [GH-27439]
build: Updated toolchain to Go 1.25.7 [GH-27468]

IMPROVEMENTS:

acl: Add finer grain permissions for managing job submissions [GH-27287]
build: Add dev-static and static-release build targets that disable CGO and offer statically-linked binaries [GH-27310]
cli: Highlight missing driver message in alloc metrics output [GH-27416]
cli: Improve command line completion of the sentinel apply command [GH-27335]
cni: Added /usr/libexec/cni as an additional default path within the client.cni_path configuration option [GH-27336]
cni: Search all paths in cni_path instead of stopping on first failure [GH-27336]
deps: Migrate from archived dependency github.com/mitchellh/mapstructure to github.com/go-viper/mapstructure/v2 [GH-27444]
docker: Added support for reserved-only memory oversubscription without a hard limit [GH-27354]
exec: Added support for reserved-only memory oversubscription without a hard limit [GH-27354]
fingerprint: Added support for reloading the cpu, memory, network, CNI plugin, and cloud provider fingerprints without restarting the client agent [GH-27452]
qemu: adds an emulator allowlist to qemu plugin config [GH-27182]
quotas: Node pool level limits for resources
reporting (Enterprise): Add device plugin usage to product usage metrics
rpc: Submitting a plan no longer serializes the whole Job object [GH-27424]
scheduler: Do not create node evals for terminal node allocs [GH-27423]
scheduler: Do not create node evaluations for system jobs that are stopped [GH-27419]
sentinel: Added a new nomad_var built-in import for fetching Nomad variables under the nomad/sentinel path for use in policy evaluation
sentinel: Added opt-in support for the http module via the sentinel.additional_enabled_modules configuration
state: avoid unneded allocation copy when building event payload [GH-27311]

BUG FIXES:

acl: Fixed a bug where host-volume-delete capability was not allowed when writing a policy [GH-27434]
api: exit EventStream.Stream on first error [GH-27141]
api: only include running tasks in allocation resource usage [GH-27317]
api: return proper 403 message when getting variables instead of swallowing error [GH-27269]
artifact: Fixed a bug that prevented the sandbox from moving downloaded files to the target directory on Windows [GH-27398]
checks: Fixed a bug where script checks with task-level interpolation would fail to heartbeat to Consul [GH-27453]
client: Added a new fingerprint configuration block which allows users to specify retry behavior for the env_aws, env_azure, env_digitalocean and env_gcp fingerprinters. [GH-27161]
client: Fix unchanged devices causing extraneous node updates [GH-27363]
client: Fixed generation of the "NOMAD_ALLOC_ADDR_" environment variable when using static port assignments [GH-27305]
core: Fixed a bug where follow-up evals could be created for failed evaluations of garbage collected jobs [GH-27367]
csi: Sanitize volumes correctly upon sentinel policy eval
deployment: Fixed a bug where deploying a system job could panic the leader [GH-27262]
deployments: Fixed a bug where system deployments can violate update.max_parallel if another eval for the job is triggered while allocs are pending [GH-27284]
disconnect: allocations with a disconnect.lost_after > 0 and replace = true will now follow the reschedule block instead of immediately being replaced. [GH-27053]
dispatch: Fixed a bug where concurrent dispatch requests could ignore the idempotency token [GH-27353]
drivers: adds hostname to NetworkCreateRequest for external drivers [GH-27273]
event broker: fix memory leak in methods that close subscriptions [GH-27312]
event stream: Fixed a bug where the HTTP handler can block forever and cause high memory usage if an API client reads too slowly from the stream [GH-27397]
host volumes: Fixed a bug where allocations that request volumes with sticky=true could not be placed if previous allocations in the job claimed volumes [GH-27470]
job: Correctly validate any constraint attributes to ensure they conform to known formats [GH-27355]
keyring (Enterprise): Fixed a bug where servers configured with high availability keyrings with pre-1.9.0 keystores would not start if one of the external KMS was unreachable [GH-27279]
multiregion: fixes a bug where resubmitting an unchanged job would cause server handler to hang [GH-27386]
numa: Fixed a bug where NUMA detection would cause a panic on hosts with discontinuous node IDs [GH-27277]
qemu: change driver filesystem isolation to "None" for proper variable interpolation in job spec [GH-27246]
qemu: fixes graceful_shutdown to wait kill_timeout before signalling process [GH-27316]
ui: Tagging job versions in another namespace than the default-namespace resulted in an error [GH-27282]
ui: fix bug preventing OIDC login when iss parameter is required [GH-27248]

1.11.1 (December 09, 2025)

BREAKING CHANGES:

docker: removed deprecated email auth config parameter [GH-27156]

SECURITY:

build: Updated toolchain to Go 1.25.5 [GH-27186]

IMPROVEMENTS:

connect: allow configuring identities for sidecar_task [GH-25877]
landlock: check paths exist on setup [GH-27149]
oidc: add support for array-based OIDC claims [GH-26958]
qemu: Adds config parameters to modify qemu emulator binary and machine types and removes some hardcoded KVM accelerator settings. Defaults to previously used values of qemu-system-x86_64 and pc. The driver no longer forces machine type "host", or the -smp flag when using resources.cores with the KVM accelerator. [GH-27128]
secrets: Adds nomad job ID and namespace to plugin environment [GH-27207]

BUG FIXES:

acl: Made /agent and /recommendations endpoints workload-identity-aware [GH-27099]
acl: include additional necessary permissions in the course-grained "scale" policy for nomad-autoscaler [GH-27061]
api: Fixed a bug in the Go API where an event stream request without a topic filter would require a management token [GH-27065]
cli: Fixed the var get command which was incorrectly displaying the variable modify time as the create time [GH-27208]
client: return 403 when the caller doesn't have log streaming capabilities [GH-27098]
csi: Fixed a bug where reading a volume from the API or event stream could erase its secrets [GH-27176]
drain: Fixed a bug where clients configured with leave_on_terminate or leave_on_interrupt and drain_on_shutdown would receive a permission denied error when attempting to leave the cluster and drain themselves [GH-27115]
dynamic host volumes: Ensure requested directory permission is correctly applied [GH-27068]
dynamic host volumes: fix Windows compatibility [GH-27147]
fingerprint: simplify storage fingerprint calculation to just (total disk space - reserved disk) [GH-27019]
keyring: Do not mark the key as inactive until all follow-up rekey evals have completed. [GH-27193]
keyring: Ensure follow-up rekey evals can be successfully created. [GH-27193]
oidc: Add support for RFC9207, requiring an issuer param in authorization response if the provider requires it [GH-27168]
reconciler: fixes a bug where stopping a job does not stop all allocations [GH-27175]
scheduler (Enterprise): Fixed a bug where tasks were not placed on same numa node as reserved device [GH-27177]
scheduler: Fixed a bug that was previously patched incorrectly where rescheduled allocations that could not be placed would later ignore their reschedule policy limits [GH-27129]
server: Fixed a bug where a large backlog of unblocking evals could cause backpressure on Raft writes [GH-27184]
ui: Fixed the error message presented for invalid Variables definitions [GH-26235]

1.11.0 (November 11, 2025)

FEATURES:

Client Identity: Nomad clients use identities for authenticating and authorizing itself when performing RPC calls. The identities are generated and rotated automatically by Nomad servers with configurable TTLs. [GH-26291]
Client Introduction: Nomad clients can now be introduced to the cluster using a token-based approach. Nomad servers can be configured with introduction enforcement levels which dictate how clients can join the cluster resulting in logs and metrics to detail introduction violations. [GH-26430]
scheduler: Enable deployments for system jobs [GH-26708]
secrets: Adds secret block for fetching and interpolating secrets in job spec [GH-26681]

BREAKING CHANGES:

metrics: Eval broker metrics that previously used the job ID as a label will now use the parent ID of dispatch and periodic jobs [GH-26737]
sysbatch: Submitting a sysbatch job with a reschedule block will now return an error instead of being silently ignored [GH-26279]

SECURITY:

build: Update go-getter to 1.8.3 that prevents a partially written file from remaining on disk with permissions that didn't include the umask. [GH-27034]
build: Update toolchain to Go 1.25.2 to address Go stdlib CVE-2025-61724, CVE-2025-61725, CVE-2025-58187, CVE-2025-61723, CVE-2025-47912, CVE-2025-58185, CVE-2025-58186, CVE-2025-58188, and CVE-2025-58183 [GH-26909]
job: Disallow tasks using the name "alloc" which breaks inter-task filesystem isolation [GH-27001]

IMPROVEMENTS:

api: The Evaluations.Info method of the Go API now populates the RelatedEvals field. [GH-26156]
build: Add tzdata to Docker container final image [GH-26794]
build: Updated Go to 1.25.1 [GH-26823]
cli: Add -preserve-resources flag for keeping resource block when updating jobs [GH-26841]
cli: Added related evals and placed allocations tables to the eval status command, and exposed more fields without requiring the -verbose flag. [GH-26156]
config: Added job_max_count option to limit number of allocs for a single job [GH-26858]
consul connect: Allow cni/* network mode; use at your own risk [GH-26449]
install (Enterprise): Updated license information displayed during post-install [GH-26791]
metrics: Reduce memory usage on the Nomad leader for collecting eval broker metrics. [GH-26737]
reporting (Enterprise): Include product usage metrics with license utilization reports [GH-27005]
scheduler: Add reconciler annotations to the output of the eval status command [GH-26188]
scheduler: Debug-level logs emitted by the scheduler are now single-line structured logs [GH-26169]
scheduler: For service and batch jobs, the scheduler no longer includes stops for already-stopped canaries in plans it submits. [GH-26292]
scheduler: For service and batch jobs, the scheduler treats a group.count=0 identically to removing the task group from the job, and will stop all non-terminal allocations. [GH-26292]

DEPRECATIONS:

api: the Resources and Reserved fields on the Node struct in the Go API are deprecated and will be removed in Nomad 1.12.0. Use the NodeResources and ReservedResources fields instead [GH-26951]

BUG FIXES:

acl: Fixed a bug where ACL policies would silently accept invalid or duplicate blocks [GH-26836]
auth: Fixed a bug where workload identity tokens could not be used to list or get policies from the ACL API [GH-26772]
build: Updated toolchain to Go 1.25.3 to address bug in TLS certificate validation [GH-26949]
client: Fix unique identifiers for templates with same content [GH-26880]
client: restore task network status on client restart so restarted tasks receive proper networking environment variables, hosts file, and resolv.conf. [GH-26699]
consul (Enterprise): Fixed a bug where Consul fingerprinting would generate warning logs if there was no default cluster [GH-26787]
core: Fixed a bug where GC batch sizes for jobs resulted in excessively large Raft logs [GH-26974]
csi: Fixed a bug where multiple node plugin RPCs could be in-flight for a single volume [GH-26832]
csi: Fixed a bug where volumes could be unmounted while in use by a task that was shutting down [GH-26831]
docker: Fixed a bug where cpu usage percentage was incorrectly measured when container was stopped [GH-26902]
keyring: fixes an issue with Vault transit configuration where tls_skip_verify was not defaulting to false [GH-26664]
networking: Fixed network interface detection failure with bridge or CNI mode on IPv6-only interfaces [GH-26910]
scheduler: Fixed scheduling behavior of batch job allocations [GH-26961]
scheduler: allow use of different vendor/models when checking for device counts while filtering feasible nodes [GH-26649]
scheduler: fixes a bug selecting nodes for updated jobs with ephemeral disks when nodepool changes [GH-26662]
state: Fixed a bug where the server could panic when attempting to remove unneeded evals from the eval broker [GH-26872]
ui: Fixed a bug where action fly-outs would fail to open due to a missing module [GH-26833]
windows: Fixed a bug where agents would not gracefully shut down on Ctrl-C [GH-26780]

1.10.12 Enterprise (May 22, 2026)

BUG FIXES:

ui: Fixed a bug where the client detail page would fail to render [GH-27958]
ui: Fixed a bug where the topology page would fail to render [GH-27958]
ui: Fixed a bug where the evaluation detail panel would render improperly [GH-27987]

1.10.11 Enterprise (May 12, 2026)

BREAKING CHANGES:

logging: The allocation logs directory is bind-mounted read-only for task drivers that support with filesystem isolation [GH-27918]

SECURITY:

dynamic host volumes: Prevent unintended code execution outside the plugin directory (CVE-2026-7474) [GH-27919]
logging: Protect logging FIFO from symlink swap attacks (CVE-2026-6959) [GH-27918]
sentinel: require sentinel-override ACL capability for overriding soft-mandatory policies on volumes
ui: Upgraded Ember to 6.10 [GH-27674]

IMPROVEMENTS:

build: Update Go toolchain to 1.26.3 [GH-27924]
drivers: include volume RequestName within mount config information if available [GH-27710]
server: RPC dial timeout is configurable [GH-27862]
services: warn on job submit when job has services but no shutdown_delay [GH-27782]

BUG FIXES:

api: Fix a bug where the Create Job, Update Job, and Scale Job APIs could fail to respect EnforceIndex under concurrent requests [GH-27832]
csi: improve check of StagePublishBaseDir being subdirectory of MountDir [GH-27717]
deployments: reset ProgressDeadline after pausing and do not fail while paused [GH-27804]
drivers: kill plugin instance on dispense failure [GH-27711]
job: renabled use of multiple vault namespaces in a single job [GH-4002]
plugins: Fixed a bug where plugin clients would continuously leak file descriptors when the agent was restarted [GH-27885]
scheduler: Fixed a bug where preemption of allocations by tasks that require devices could incorrectly fail placement [GH-27880]

1.10.10 Enterprise (April 21, 2026)

FEATURES:

core (Enterprise): Enable parsing and reporting with IBM PAO licenses

SECURITY:

build: upgrade Go to 1.26.2 [GH-27831]
ui: Increased the client-side generated OIDC nonce entropy to 256-bit. [GH-27749]

IMPROVEMENTS:

build: Upgrade to Go 1.26 [GH-27685]

BUG FIXES:

agent: Fixed a potential panic in agents using systemd notification [GH-27746]
agent: fix api.Job.Version used in job PUT actions [GH-27768]
drivers: handle SIGPIPE in executor to handle possible write errors after client restart [GH-27825]
oidc: Fixed a bug where the request cache could be corrupted by concurrent requests with the same nonce [GH-27747]

1.10.9 Enterprise (March 11, 2026)

SECURITY:

security: Upgrade tooling to Go 1.25.8 [GH-27653]

IMPROVEMENTS:

consul (enterprise): adds ability to specify cluster specific consul tokens with environment variables [GH-27574]

BUG FIXES:

acl: Fixed a bug where a bearer-token authenticated request could panic the handler for checking claims [GH-27550]
artifact: Fix artifact inspection when using file mode [GH-27552]
config: Fixed a bug where the keyring block could only be specified a maximum of two times [GH-27579]
config: Fixed parsing of Vault and Consul blocks as JSON that included objects such as task_identity [GH-27595]
consul: fixes bug where clients were passing node token to connect envoy container, causing acl not found errors [GH-27574]
drivers: Pass error when included in fingerprint response [GH-27537]
http: Ensure the correct HTTP protocol version is set on event stream responses [GH-27586]
job status: Fixes regression setting job status when jobs have matching prefix [GH-27516]
keyring (Enterprise): Fixed a bug where in mixed-version clusters with pre-1.9 servers, a keyring rotation that returns an error for an unavailable KMS could prevent future server restarts [GH-27581]
state: Fixed a potential state store corruption bug in the service/batch scheduler and deployment watcher [GH-27548]

2.0.2 (May 22, 2026)

BUG FIXES:

acl: fix rpc permission denied error when using node_pool="all" [GH-27973]
ui: Fixed a bug where the client detail page would fail to render [GH-27958]
ui: Fixed a bug where the topology page would fail to render [GH-27958]
ui: Fixed a bug where the evaluation detail panel would render improperly [GH-27987]

2.0.1 (May 12, 2026)

BREAKING CHANGES:

logging: The allocation logs directory is bind-mounted read-only for task drivers that support with filesystem isolation [GH-27918]

SECURITY:

dynamic host volumes: Prevent unintended code execution outside the plugin directory (CVE-2026-7474) [GH-27919]
logging: Protect logging FIFO from symlink swap attacks (CVE-2026-6959) [GH-27918]
sentinel: require sentinel-override ACL capability for overriding soft-mandatory policies on volumes
ui: Upgraded Ember to 6.10 [GH-27674]

IMPROVEMENTS:

api: Add "latest" flag for tagging the latest version of a job [GH-27764]
build: Update Go toolchain to 1.26.3 [GH-27924]
cli: Added retry for nomad job run monitoring [GH-27887]
cli: Automatically expand nomad exec -it to -i -t [GH-27906]
cli: job plan now propagates -hcl2-strict=false into the suggested nomad job run -check-index invocation when the user passed it on the plan command line [GH-23656]
cli: add monitoring and verbose option to job dispatch [GH-27541]
drivers: include volume RequestName within mount config information if available [GH-27710]
scheduler: Add a configuration field for the number of nodes that the scheduler considers when spread or affinity is in use. This can improve scheduler performance for some cluster shapes. [GH-27650]
server: RPC dial timeout is configurable [GH-27862]
services: warn on job submit when job has services but no shutdown_delay [GH-27782]

BUG FIXES:

api: Fix a bug where the Create Job, Update Job, and Scale Job APIs could fail to respect EnforceIndex under concurrent requests [GH-27832]
core: avoid setting job to dead while waiting for allocations to reschedule [GH-27852]
csi: improve check of StagePublishBaseDir being subdirectory of MountDir [GH-27717]
deployments: reset ProgressDeadline after pausing and do not fail while paused [GH-27804]
drivers: kill plugin instance on dispense failure [GH-27711]
job (Enterprise): Renabled use of multiple vault namespaces in a single job
plugins: Fixed a bug where plugin clients would continuously leak file descriptors when the agent was restarted [GH-27885]
scheduler: Fixed a bug where preemption of allocations by tasks that require devices could incorrectly fail placement [GH-27880]

2.0.0 (April 21, 2026)

FEATURES:

config: add nonproduction config option for server, license, and reporting config [GH-27646]
core (Enterprise): Enable parsing and reporting with IBM PAO licenses

SECURITY:

build: upgrade Go to 1.26.2 [GH-27831]
ui: Increased the client-side generated OIDC nonce entropy to 256-bit. [GH-27749]

IMPROVEMENTS:

build (Enterprise): Added support for ppc64le CPU architecture on Linux
build: Upgrade to Go 1.26 [GH-27685]
metrics: adds a metric for total agent http connections [GH-26756]
secrets: increase secrets plugin execution timeout to 60s [GH-27779]
server: Added support for raft-WAL logstore [GH-27493]
variables: Add variable events to the event stream [GH-27637]

BUG FIXES:

agent: Fixed a potential panic in agents using systemd notification [GH-27746]
agent: fix api.Job.Version used in job PUT actions [GH-27768]
drivers: handle SIGPIPE in executor to handle possible write errors after client restart [GH-27825]
identity: fix bug where client identity failed to renew after server upgrade to >=1.11.0 [GH-27773]
oidc: Fixed a bug where the request cache could be corrupted by concurrent requests with the same nonce [GH-27747]
tls: fix parsing of combined key files when creating tls expiry metric [GH-27667]

1.11.6 Enterprise (May 22, 2026)

BUG FIXES:

ui: Fixed a bug where the client detail page would fail to render [GH-27958]
ui: Fixed a bug where the topology page would fail to render [GH-27958]
ui: Fixed a bug where the evaluation detail panel would render improperly [GH-27987]

1.11.5 Enterprise (May 12, 2026)

BREAKING CHANGES:

logging: The allocation logs directory is bind-mounted read-only for task drivers that support with filesystem isolation [GH-27918]

SECURITY:

dynamic host volumes: Prevent unintended code execution outside the plugin directory (CVE-2026-7474) [GH-27919]
logging: Protect logging FIFO from symlink swap attacks (CVE-2026-6959) [GH-27918]
sentinel: require sentinel-override ACL capability for overriding soft-mandatory policies on volumes
ui: Upgraded Ember to 6.10 [GH-27674]

IMPROVEMENTS:

build: Update Go toolchain to 1.26.3 [GH-27924]
drivers: include volume RequestName within mount config information if available [GH-27710]
server: RPC dial timeout is configurable [GH-27862]
services: warn on job submit when job has services but no shutdown_delay [GH-27782]

BUG FIXES:

api: Fix a bug where the Create Job, Update Job, and Scale Job APIs could fail to respect EnforceIndex under concurrent requests [GH-27832]
core: avoid setting job to dead while waiting for allocations to reschedule [GH-27852]
csi: improve check of StagePublishBaseDir being subdirectory of MountDir [GH-27717]
deployments: reset ProgressDeadline after pausing and do not fail while paused [GH-27804]
drivers: kill plugin instance on dispense failure [GH-27711]
job: renabled use of multiple vault namespaces in a single job [GH-4002]
plugins: Fixed a bug where plugin clients would continuously leak file descriptors when the agent was restarted [GH-27885]
scheduler: Fixed a bug where preemption of allocations by tasks that require devices could incorrectly fail placement [GH-27880]

1.11.4 Enterprise (April 21, 2026)

FEATURES:

config: add nonproduction config option for server, license, and reporting config [GH-27646]
core (Enterprise): Enable parsing and reporting with IBM PAO licenses

SECURITY:

build: upgrade Go to 1.26.2 [GH-27831]
ui: Increased the client-side generated OIDC nonce entropy to 256-bit. [GH-27749]

IMPROVEMENTS:

build: Upgrade to Go 1.26 [GH-27685]
metrics: adds a metric for total agent http connections [GH-26756]
secrets: increase secrets plugin execution timeout to 60s [GH-27779]
variables: Add variable events to the event stream [GH-27637]

BUG FIXES:

agent: Fixed a potential panic in agents using systemd notification [GH-27746]
agent: fix api.Job.Version used in job PUT actions [GH-27768]
drivers: handle SIGPIPE in executor to handle possible write errors after client restart [GH-27825]
identity: fix bug where client identity failed to renew after server upgrade to >=1.11.0 [GH-27773]
oidc: Fixed a bug where the request cache could be corrupted by concurrent requests with the same nonce [GH-27747]

1.11.3 (March 11, 2026)

SECURITY:

security: Upgrade tooling to Go 1.25.8 [GH-27653]

IMPROVEMENTS:

acl (Enterprise): Added sentinel policy block to allow managing Sentinel policies without a management token [GH-27556]
acl: Added fine-grained ACL capabilities for saving snapshots and reading the Enterprise license [GH-27525]
acl: Added fine-grained ACL capability for rotating the keyring [GH-27526]
agent: Added agent.tls.cert.expiration_seconds and agent.tls.ca.expiration_seconds telemetry data points to track TLS certificate expiration. [GH-27538]
cli: Added autocompletions for ACL auth method, binding rule, policy, and token subcommands [GH-27505]
cli: Improved options autocompletions for various commands [GH-27506]
cli: Reduced server overhead when dispatching jobs or forcing periodic jobs from the CLI [GH-27631]
cli: Truncate results when job commands return a large set of jobs that match the provided ID prefix [GH-27631]
consul (enterprise): adds ability to specify cluster specific consul tokens with environment variables [GH-27574]
events: Added a Deleted flag to JobDeregistered event type to differentiate between stopped and deleted jobs [GH-27614]

BUG FIXES:

acl: Fixed a bug where a bearer-token authenticated request could panic the handler for checking claims [GH-27550]
artifact: Fix artifact inspection when using file mode [GH-27552]
config: Fixed a bug where the keyring block could only be specified a maximum of two times [GH-27579]
config: Fixed parsing of Vault and Consul blocks as JSON that included objects such as task_identity [GH-27595]
consul: fixes bug where clients were passing node token to connect envoy container, causing acl not found errors [GH-27574]
core: Fixed system jobs being rescheduled after a node is drained and marked eligible again [GH-27499]
deployments: Fixed a bug where a task group dropped from a system job could cause deployment state to be overwritten incorrectly [GH-27604]
deployments: Fixed a bug where system job canary state could be incorrectly changed after a promotion [GH-27497]
deployments: Fixed a bug where system job deployments would not be marked healthy even though all allocations were healthy [GH-27497]
drivers: Pass error when included in fingerprint response [GH-27537]
dynamic host volumes: Fixed a bug with sticky volumes where replacement allocations would not use the previous volume claim [GH-27613]
http: Ensure the correct HTTP protocol version is set on event stream responses [GH-27586]
job status: Fixes regression setting job status when jobs have matching prefix [GH-27516]
keyring (Enterprise): Fixed a bug where in mixed-version clusters with pre-1.9 servers, a keyring rotation that returns an error for an unavailable KMS could prevent future server restarts [GH-27581]
scheduler: Fix a potential panic in the system scheduler when deploying jobs with multiple task groups and infeasible nodes that become feasible [GH-27571]
scheduler: Fixed a bug where system deployments would not complete on clusters with pre-1.11.0 nodes [GH-27605]
state: Fixed a potential state store corruption bug in the service/batch scheduler and deployment watcher [GH-27548]

1.11.2 (February 11, 2026)

SECURITY:

build: Updated toolchain to Go 1.25.6 [GH-27439]
build: Updated toolchain to Go 1.25.7 [GH-27468]

IMPROVEMENTS:

acl: Add finer grain permissions for managing job submissions [GH-27287]
build: Add dev-static and static-release build targets that disable CGO and offer statically-linked binaries [GH-27310]
cli: Highlight missing driver message in alloc metrics output [GH-27416]
cli: Improve command line completion of the sentinel apply command [GH-27335]
cni: Added /usr/libexec/cni as an additional default path within the client.cni_path configuration option [GH-27336]
cni: Search all paths in cni_path instead of stopping on first failure [GH-27336]
deps: Migrate from archived dependency github.com/mitchellh/mapstructure to github.com/go-viper/mapstructure/v2 [GH-27444]
docker: Added support for reserved-only memory oversubscription without a hard limit [GH-27354]
exec: Added support for reserved-only memory oversubscription without a hard limit [GH-27354]
fingerprint: Added support for reloading the cpu, memory, network, CNI plugin, and cloud provider fingerprints without restarting the client agent [GH-27452]
qemu: adds an emulator allowlist to qemu plugin config [GH-27182]
quotas: Node pool level limits for resources
reporting (Enterprise): Add device plugin usage to product usage metrics
rpc: Submitting a plan no longer serializes the whole Job object [GH-27424]
scheduler: Do not create node evals for terminal node allocs [GH-27423]
scheduler: Do not create node evaluations for system jobs that are stopped [GH-27419]
sentinel: Added a new nomad_var built-in import for fetching Nomad variables under the nomad/sentinel path for use in policy evaluation
sentinel: Added opt-in support for the http module via the sentinel.additional_enabled_modules configuration
state: avoid unneded allocation copy when building event payload [GH-27311]

BUG FIXES:

acl: Fixed a bug where host-volume-delete capability was not allowed when writing a policy [GH-27434]
api: exit EventStream.Stream on first error [GH-27141]
api: only include running tasks in allocation resource usage [GH-27317]
api: return proper 403 message when getting variables instead of swallowing error [GH-27269]
artifact: Fixed a bug that prevented the sandbox from moving downloaded files to the target directory on Windows [GH-27398]
checks: Fixed a bug where script checks with task-level interpolation would fail to heartbeat to Consul [GH-27453]
client: Added a new fingerprint configuration block which allows users to specify retry behavior for the env_aws, env_azure, env_digitalocean and env_gcp fingerprinters. [GH-27161]
client: Fix unchanged devices causing extraneous node updates [GH-27363]
client: Fixed generation of the "NOMAD_ALLOC_ADDR_" environment variable when using static port assignments [GH-27305]
core: Fixed a bug where follow-up evals could be created for failed evaluations of garbage collected jobs [GH-27367]
csi: Sanitize volumes correctly upon sentinel policy eval
deployment: Fixed a bug where deploying a system job could panic the leader [GH-27262]
deployments: Fixed a bug where system deployments can violate update.max_parallel if another eval for the job is triggered while allocs are pending [GH-27284]
disconnect: allocations with a disconnect.lost_after > 0 and replace = true will now follow the reschedule block instead of immediately being replaced. [GH-27053]
dispatch: Fixed a bug where concurrent dispatch requests could ignore the idempotency token [GH-27353]
drivers: adds hostname to NetworkCreateRequest for external drivers [GH-27273]
event broker: fix memory leak in methods that close subscriptions [GH-27312]
event stream: Fixed a bug where the HTTP handler can block forever and cause high memory usage if an API client reads too slowly from the stream [GH-27397]
host volumes: Fixed a bug where allocations that request volumes with sticky=true could not be placed if previous allocations in the job claimed volumes [GH-27470]
job: Correctly validate any constraint attributes to ensure they conform to known formats [GH-27355]
keyring (Enterprise): Fixed a bug where servers configured with high availability keyrings with pre-1.9.0 keystores would not start if one of the external KMS was unreachable [GH-27279]
multiregion: fixes a bug where resubmitting an unchanged job would cause server handler to hang [GH-27386]
numa: Fixed a bug where NUMA detection would cause a panic on hosts with discontinuous node IDs [GH-27277]
qemu: change driver filesystem isolation to "None" for proper variable interpolation in job spec [GH-27246]
qemu: fixes graceful_shutdown to wait kill_timeout before signalling process [GH-27316]
ui: Tagging job versions in another namespace than the default-namespace resulted in an error [GH-27282]
ui: fix bug preventing OIDC login when iss parameter is required [GH-27248]

1.11.1 (December 09, 2025)

BREAKING CHANGES:

docker: removed deprecated email auth config parameter [GH-27156]

SECURITY:

build: Updated toolchain to Go 1.25.5 [GH-27186]

IMPROVEMENTS:

connect: allow configuring identities for sidecar_task [GH-25877]
landlock: check paths exist on setup [GH-27149]
oidc: add support for array-based OIDC claims [GH-26958]
qemu: Adds config parameters to modify qemu emulator binary and machine types and removes some hardcoded KVM accelerator settings. Defaults to previously used values of qemu-system-x86_64 and pc. The driver no longer forces machine type "host", or the -smp flag when using resources.cores with the KVM accelerator. [GH-27128]
secrets: Adds nomad job ID and namespace to plugin environment [GH-27207]

BUG FIXES:

acl: Made /agent and /recommendations endpoints workload-identity-aware [GH-27099]
acl: include additional necessary permissions in the course-grained "scale" policy for nomad-autoscaler [GH-27061]
api: Fixed a bug in the Go API where an event stream request without a topic filter would require a management token [GH-27065]
cli: Fixed the var get command which was incorrectly displaying the variable modify time as the create time [GH-27208]
client: return 403 when the caller doesn't have log streaming capabilities [GH-27098]
csi: Fixed a bug where reading a volume from the API or event stream could erase its secrets [GH-27176]
drain: Fixed a bug where clients configured with leave_on_terminate or leave_on_interrupt and drain_on_shutdown would receive a permission denied error when attempting to leave the cluster and drain themselves [GH-27115]
dynamic host volumes: Ensure requested directory permission is correctly applied [GH-27068]
dynamic host volumes: fix Windows compatibility [GH-27147]
fingerprint: simplify storage fingerprint calculation to just (total disk space - reserved disk) [GH-27019]
keyring: Do not mark the key as inactive until all follow-up rekey evals have completed. [GH-27193]
keyring: Ensure follow-up rekey evals can be successfully created. [GH-27193]
oidc: Add support for RFC9207, requiring an issuer param in authorization response if the provider requires it [GH-27168]
reconciler: fixes a bug where stopping a job does not stop all allocations [GH-27175]
scheduler (Enterprise): Fixed a bug where tasks were not placed on same numa node as reserved device [GH-27177]
scheduler: Fixed a bug that was previously patched incorrectly where rescheduled allocations that could not be placed would later ignore their reschedule policy limits [GH-27129]
server: Fixed a bug where a large backlog of unblocking evals could cause backpressure on Raft writes [GH-27184]
ui: Fixed the error message presented for invalid Variables definitions [GH-26235]

1.11.0 (November 11, 2025)

FEATURES:

Client Identity: Nomad clients use identities for authenticating and authorizing itself when performing RPC calls. The identities are generated and rotated automatically by Nomad servers with configurable TTLs. [GH-26291]
Client Introduction: Nomad clients can now be introduced to the cluster using a token-based approach. Nomad servers can be configured with introduction enforcement levels which dictate how clients can join the cluster resulting in logs and metrics to detail introduction violations. [GH-26430]
scheduler: Enable deployments for system jobs [GH-26708]
secrets: Adds secret block for fetching and interpolating secrets in job spec [GH-26681]

BREAKING CHANGES:

metrics: Eval broker metrics that previously used the job ID as a label will now use the parent ID of dispatch and periodic jobs [GH-26737]
sysbatch: Submitting a sysbatch job with a reschedule block will now return an error instead of being silently ignored [GH-26279]

SECURITY:

build: Update go-getter to 1.8.3 that prevents a partially written file from remaining on disk with permissions that didn't include the umask. [GH-27034]
build: Update toolchain to Go 1.25.2 to address Go stdlib CVE-2025-61724, CVE-2025-61725, CVE-2025-58187, CVE-2025-61723, CVE-2025-47912, CVE-2025-58185, CVE-2025-58186, CVE-2025-58188, and CVE-2025-58183 [GH-26909]
job: Disallow tasks using the name "alloc" which breaks inter-task filesystem isolation [GH-27001]

IMPROVEMENTS:

api: The Evaluations.Info method of the Go API now populates the RelatedEvals field. [GH-26156]
build: Add tzdata to Docker container final image [GH-26794]
build: Updated Go to 1.25.1 [GH-26823]
cli: Add -preserve-resources flag for keeping resource block when updating jobs [GH-26841]
cli: Added related evals and placed allocations tables to the eval status command, and exposed more fields without requiring the -verbose flag. [GH-26156]
config: Added job_max_count option to limit number of allocs for a single job [GH-26858]
consul connect: Allow cni/* network mode; use at your own risk [GH-26449]
install (Enterprise): Updated license information displayed during post-install [GH-26791]
metrics: Reduce memory usage on the Nomad leader for collecting eval broker metrics. [GH-26737]
reporting (Enterprise): Include product usage metrics with license utilization reports [GH-27005]
scheduler: Add reconciler annotations to the output of the eval status command [GH-26188]
scheduler: Debug-level logs emitted by the scheduler are now single-line structured logs [GH-26169]
scheduler: For service and batch jobs, the scheduler no longer includes stops for already-stopped canaries in plans it submits. [GH-26292]
scheduler: For service and batch jobs, the scheduler treats a group.count=0 identically to removing the task group from the job, and will stop all non-terminal allocations. [GH-26292]

DEPRECATIONS:

api: the Resources and Reserved fields on the Node struct in the Go API are deprecated and will be removed in Nomad 1.12.0. Use the NodeResources and ReservedResources fields instead [GH-26951]

BUG FIXES:

acl: Fixed a bug where ACL policies would silently accept invalid or duplicate blocks [GH-26836]
auth: Fixed a bug where workload identity tokens could not be used to list or get policies from the ACL API [GH-26772]
build: Updated toolchain to Go 1.25.3 to address bug in TLS certificate validation [GH-26949]
client: Fix unique identifiers for templates with same content [GH-26880]
client: restore task network status on client restart so restarted tasks receive proper networking environment variables, hosts file, and resolv.conf. [GH-26699]
consul (Enterprise): Fixed a bug where Consul fingerprinting would generate warning logs if there was no default cluster [GH-26787]
core: Fixed a bug where GC batch sizes for jobs resulted in excessively large Raft logs [GH-26974]
csi: Fixed a bug where multiple node plugin RPCs could be in-flight for a single volume [GH-26832]
csi: Fixed a bug where volumes could be unmounted while in use by a task that was shutting down [GH-26831]
docker: Fixed a bug where cpu usage percentage was incorrectly measured when container was stopped [GH-26902]
keyring: fixes an issue with Vault transit configuration where tls_skip_verify was not defaulting to false [GH-26664]
networking: Fixed network interface detection failure with bridge or CNI mode on IPv6-only interfaces [GH-26910]
scheduler: Fixed scheduling behavior of batch job allocations [GH-26961]
scheduler: allow use of different vendor/models when checking for device counts while filtering feasible nodes [GH-26649]
scheduler: fixes a bug selecting nodes for updated jobs with ephemeral disks when nodepool changes [GH-26662]
state: Fixed a bug where the server could panic when attempting to remove unneeded evals from the eval broker [GH-26872]
ui: Fixed a bug where action fly-outs would fail to open due to a missing module [GH-26833]
windows: Fixed a bug where agents would not gracefully shut down on Ctrl-C [GH-26780]

1.10.12 Enterprise (May 22, 2026)

BUG FIXES:

ui: Fixed a bug where the client detail page would fail to render [GH-27958]
ui: Fixed a bug where the topology page would fail to render [GH-27958]
ui: Fixed a bug where the evaluation detail panel would render improperly [GH-27987]

1.10.11 Enterprise (May 12, 2026)

BREAKING CHANGES:

logging: The allocation logs directory is bind-mounted read-only for task drivers that support with filesystem isolation [GH-27918]

SECURITY:

dynamic host volumes: Prevent unintended code execution outside the plugin directory (CVE-2026-7474) [GH-27919]
logging: Protect logging FIFO from symlink swap attacks (CVE-2026-6959) [GH-27918]
sentinel: require sentinel-override ACL capability for overriding soft-mandatory policies on volumes
ui: Upgraded Ember to 6.10 [GH-27674]

IMPROVEMENTS:

build: Update Go toolchain to 1.26.3 [GH-27924]
drivers: include volume RequestName within mount config information if available [GH-27710]
server: RPC dial timeout is configurable [GH-27862]
services: warn on job submit when job has services but no shutdown_delay [GH-27782]

BUG FIXES:

api: Fix a bug where the Create Job, Update Job, and Scale Job APIs could fail to respect EnforceIndex under concurrent requests [GH-27832]
csi: improve check of StagePublishBaseDir being subdirectory of MountDir [GH-27717]
deployments: reset ProgressDeadline after pausing and do not fail while paused [GH-27804]
drivers: kill plugin instance on dispense failure [GH-27711]
job: renabled use of multiple vault namespaces in a single job [GH-4002]
plugins: Fixed a bug where plugin clients would continuously leak file descriptors when the agent was restarted [GH-27885]
scheduler: Fixed a bug where preemption of allocations by tasks that require devices could incorrectly fail placement [GH-27880]

1.10.10 Enterprise (April 21, 2026)

FEATURES:

core (Enterprise): Enable parsing and reporting with IBM PAO licenses

SECURITY:

build: upgrade Go to 1.26.2 [GH-27831]
ui: Increased the client-side generated OIDC nonce entropy to 256-bit. [GH-27749]

IMPROVEMENTS:

build: Upgrade to Go 1.26 [GH-27685]

BUG FIXES:

agent: Fixed a potential panic in agents using systemd notification [GH-27746]
agent: fix api.Job.Version used in job PUT actions [GH-27768]
drivers: handle SIGPIPE in executor to handle possible write errors after client restart [GH-27825]
oidc: Fixed a bug where the request cache could be corrupted by concurrent requests with the same nonce [GH-27747]

1.10.9 Enterprise (March 11, 2026)

SECURITY:

security: Upgrade tooling to Go 1.25.8 [GH-27653]

IMPROVEMENTS:

consul (enterprise): adds ability to specify cluster specific consul tokens with environment variables [GH-27574]

BUG FIXES:

acl: Fixed a bug where a bearer-token authenticated request could panic the handler for checking claims [GH-27550]
artifact: Fix artifact inspection when using file mode [GH-27552]
config: Fixed a bug where the keyring block could only be specified a maximum of two times [GH-27579]
config: Fixed parsing of Vault and Consul blocks as JSON that included objects such as task_identity [GH-27595]
consul: fixes bug where clients were passing node token to connect envoy container, causing acl not found errors [GH-27574]
drivers: Pass error when included in fingerprint response [GH-27537]
http: Ensure the correct HTTP protocol version is set on event stream responses [GH-27586]
job status: Fixes regression setting job status when jobs have matching prefix [GH-27516]
keyring (Enterprise): Fixed a bug where in mixed-version clusters with pre-1.9 servers, a keyring rotation that returns an error for an unavailable KMS could prevent future server restarts [GH-27581]
state: Fixed a potential state store corruption bug in the service/batch scheduler and deployment watcher [GH-27548]