HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

You are viewing documentation for pre-release version v2.x (rc). View latest version.

Vault change tracker

Before upgrading, we recommend reviewing the following summary of functional changes and known issues to determine the likely impact on your Vault deployment.

Functional changes affect how Vault works including new requirements, new defaults, new behavior, and breaking changes. In some cases, we recommend specific actions before or after upgrading to mitigate the impact of a functional change.

Unresolved known issues may have suggested workarounds or mitagation strategies you should consider before upgrading.

Changes for 2.x.x

Breaking changes

IntroducedRecommendationsEditionChange
2.0.0YesAllAzure auth configuration takes precedence over environment variables

New behavior

IntroducedRecommendationsEditionChange
2.0.0YesEnterpriseLDAP static role rotation migrates to the rotation manager
2.0.0YesEnterpriseConfiguration for IBM Passport Advantage Online license keys

Known issues

None.

Changes for 1.21.x

Breaking changes

IntroducedRecommendationsEditionChange
1.21.0YesAllItem-by-item list comparison for allowed_parameters and denied_parameters

New behavior

IntroducedRecommendationsEditionChange
1.21.0YesEnterpriseRotation manager schedule strings in UTC

Known issues

FoundFixedWorkaroundEditionIssue
1.21.0NoYesEnterpriseMissed events with multiple event clients
1.21.01.21.1YesEnterpriseAzure static roles fail to parse metadata as a map
1.21.01.21.1YesAllGUI KV v2 metadata list request fails for some policies
1.21.01.21.1YesEnterpriseGUI KV v2 listing secrets fails in namespaces

Changes for 1.20.x

Breaking changes

IntroducedRecommendationsEditionChange
1.20.0YesAlldisable_mlock required for integrated storage
1.20.0YesAllRekey cancellations use a nonce
1.20.0NoAllAzure authentication requires bound group or service principal ID
1.20.1YesAllCVE-2025-6000: File audit devices cannot use executable file permissions
1.20.4YesCEGo mod tidy command fails on the community edition

New behavior

IntroducedRecommendationsEditionChange
1.20.0YesAllKey pair authentication for Snowflake DB secrets engine
1.20.0YesAllAudience warning for Kubernetes authentication roles
1.20.3NoAllJSON Payload Limits
1.20.5YesAllRotation manager schedule strings in UTC

Known issues

FoundFixedWorkaroundEditionIssue
1.20.0NoYesEnterpriseDuplicate unseal/seal wrap HSM keys
1.20.01.20.3No.All.AWS auto join fails on startup
1.20.01.20.1YesEnterpriseSecondary cluster reload overwrites development cluster setting
1.20.01.20.1YesAllUI login fails for auth mounts with underscores and unauthenticated listing
1.20.01.20.1YesAllGUI navigation error for KV v2 secret paths containing underscores
1.18.4NoYesAllFailing credential refresh for Snowflake DB secrets engine key pair authentication
1.20.01.20.1YesAllDuplicate LDAP password rotations on standby node check-in
1.20.0NoNoAllWriting configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag
1.20.0NoYesEnterpriseMissed events with multiple event clients
1.20.01.20.5NoEnterpriseFull seal rewraps occur on DR/PR failover with multi-seal enabled
1.19.01.20.14Upgrade.EnterpriseRotation manager job creation will fail, spawning large number of goroutines
1.20.01.20.5UpgradeEnterpriseRotation strings may change timezone interpretation across restarts

Changes for 1.19.x

General updates

UpdateIntroducedRecommendationsEditionChange
Support change1.19.0UpgradeEnterprise1.16.x moves to long term support and 1.19 becomes the current LTS version

Breaking changes

IntroducedRecommendationsEditionChange
1.19.0YesAllSecurity improvement for LDAP user DN search with upndomain
1.19.6YesAllRekey cancellations use a nonce
1.19.7YesAllCVE-2025-6000: File audit devices cannot use executable file permissions

New behavior

IntroducedRecommendationsEditionChange
1.19.0NoEnterpriseAnonymized cluster data returned with license utilization
1.19.0YesAllIdentity system duplicate cleanup
1.19.0NoAllRADIUS authentication is no longer case sensitive
1.19.0NoAllTransit support for Ed25519ph and Ed25519ctx signatures
1.19.1YesAllStrict validation for Azure auth login requests
1.19.9NoAllJSON Payload Limits
1.19.11YesEnterpriseRotation manager schedule strings in UTC

Known issues

FoundFixedWorkaroundEditionIssue
1.19.0NoYesEnterpriseDuplicate unseal/seal wrap HSM keys
1.19.61.19.9No.All.AWS auto join fails on startup
1.19.01.19.3YesAllLogin/token renewal failures after group changes
1.19.01.19.3UpgradeAllUnexpected DB static role rotations on upgrade
1.19.01.19.3UpgradeAllUnexpected LDAP static role rotations on upgrade
1.19.01.19.3YesAllUnwanted secret rotation for DB and LDAP roles on restart
1.19.01.19.3YesAllAutomated rotation stops after unseal
1.19.01.19.4YesAllAWS STS configuration can fail with unspecified STS endpoints
1.19.01.19.4YesEnterpriseExternal Enterprise plugins cannot run on a standby node when it becomes active
1.19.01.19.1UpgradeAllVault log file missing subsystem logs
1.19.11.19.4YesAllAzure authN fails to authenticate Uniform VMSS instances
1.18.4NoYesAllFailing credential refresh for Snowflake DB secrets engine key pair authentication
1.19.0NoNoAllWriting configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag
1.19.0NoYesEnterpriseMissed events with multiple event clients
1.19.01.19.11NoEnterpriseFull seal rewraps occur on DR/PR failover with multi-seal enabled
1.19.01.19.10Upgrade.EnterpriseRotation manager job creation will fail, spawning large number of goroutines
1.19.01.19.11UpgradeEnterpriseRotation strings may change timezone interpretation across restarts

Changes for 1.18.x

General updates

UpdateIntroducedRecommendationsEditionChange
Beta removed1.18.0NoAllRequest limiter removed

Breaking changes

IntroducedRecommendationsEditionChange
1.18.11YesAllRekey cancellations use a nonce
1.18.12YesAllCVE-2025-6000: File audit devices cannot use executable file permissions

New behavior

IntroducedRecommendationsEditionChange
1.18.0NoAllActivity log changes
1.18.0YesAllDocker image no longer contains curl
1.18.2YesAllAnonymous product usage metrics collection
1.18.7NoAllStrict validation for Azure auth login requests
1.18.14NoAllJSON Payload Limits

Known issues

FoundFixedWorkaroundEditionIssue
1.18.0NoYesEnterpriseDuplicate unseal/seal wrap HSM keys
1.18.01.18.9YesAllUnwanted secret rotation for DB and LDAP roles on restart
1.18.01.18.7UpgradeAllVault log file missing subsystem logs
1.18.01.18.5YesEnterpriseSecrets sync SSRF protection may block private endpoints
1.18.5NoNoAllAuthorization failure with Azure federated identity credentials
1.18.51.18.9UpgradeAllUnexpected DB static role rotations on upgrade
1.18.51.18.9UpgradeAllUnexpected LDAP static role rotations on upgrade
1.18.61.18.10YesEnterpriseExternal Enterprise plugins cannot run on a standby node when it becomes active
1.18.71.18.10YesAllAzure authN fails to authenticate Uniform VMSS instances
1.18.0NoNoEnterpriseFull seal rewraps occur on DR/PR failover with multi-seal enabled

Changes for 1.17.x

General updates

UpdateIntroducedRecommendationsEditionChange
Beta deprecated1.17.0NoAllRequest limiter deprecated
Opt out feature1.17.0YesAllPKI sign-intermediate now truncates notAfter field to signing issuer

Breaking changes

IntroducedRecommendationsEditionChange
1.17.18YesAllRekey cancellations use a nonce

New behavior

IntroducedRecommendationsEditionChange
1.17.0NoAllAllowed audit headers now have unremovable defaults
1.17.0YesAllJWT auth login requires bound_audiences parameter on role
1.17.14NoAllStrict validation for Azure auth login requests
1.17.3YesAllSecrets Sync SSRF Protection May Block Private Endpoints
1.17.9NoAllDefault report months deprecated for sys/internal/counters
1.17.9YesAllVault product usage metrics reporting

Known issues

FoundFixedWorkaroundEditionIssue
1.17.01.17.4YesAllAWS Auth Role configuration requires an external_id
1.17.01.17.6YesAllCached activation flags for secrets sync on follower nodes are not updated
1.17.01.17.5UpgradeAllClient tokens and token accessors audited in plaintext
1.17.01.17.3UpgradeAllDeleting an entity-aliases does not remove it from the in-memory database on standby nodes
1.17.0NoYesEnterpriseDuplicate identity groups created when concurrent requests sent to the primary and PR secondary cluster
1.17.0NoYesEnterpriseDuplicate unseal/seal wrap HSM keys
1.17.01.17.2UpgradeEnterpriseInput data on Transit Generate CMAC Response
1.17.0NoYesEnterpriseManual entity merges sent to a PR secondary cluster are not persisted to storage
1.17.0NoYesAllPKI OCSP GET requests can return HTTP redirect responses
1.17.0NoUpgradeAllUnwanted secret rotation for DB and LDAP roles on restart
1.17.01.17.1UpgradeAllVault Agent and Vault Proxy consume an excessive amount of CPU
1.17.01.17.3UpgradeEnterpriseVault standby nodes not deleting removed entity-aliases from in-memory database
1.17.01.17.17YesEnterpriseExternal Enterprise plugins cannot run on a standby node when it becomes active
1.17.01.17.14UpgradeAllVault log file missing subsystem logs
1.17.11.17.2YesAllPotential DoS when using the deny_unauthorized proxy protocol behavior for a TCP listener
1.17.31.17.12YesEnterpriseSecrets sync SSRF protection may block private endpoints
1.17.12NoNoAllAuthorization failure with Azure federated identity credentials
1.17.121.17.16UpgradeAllUnexpected DB static role rotations on upgrade
1.17.121.17.16UpgradeAllUnexpected LDAP static role rotations on upgrade
1.17.141.17.17YesAllAzure authN fails to authenticate Uniform VMSS instances

Changes for 1.16.x

Breaking changes

IntroducedRecommendationsEditionChange
1.16.0YesAllDocker image no longer contains curl
1.16.21YesAllRekey cancellations use a nonce
1.16.23YesAllCVE-2025-6000: File audit devices cannot use executable file permissions

New behavior

IntroducedRecommendationsEditionChange
1.16.0NoEnterpriseActivity log changes
1.16.0NoAllAuto-rolled billing start date
1.16.0YesAllDefault lease count quota enabled when upgrading from Vault versions before 1.9
1.16.0YesAllExternal plugin variables take precedence over system variables
1.16.0YesAllLDAP auth login changes
1.16.0YesAllProduct usage reporting
1.16.0YesAllSecrets Sync cannot be activated from chroot namespace
1.16.0NoEnterpriseSecrets Sync now requires setting a one-time flag before use
1.16.18NoAllStrict validation for Azure auth login requests
1.16.25NoAllJSON Payload Limits

Known issues

FoundFixedWorkaroundEditionIssue
1.16.01.16.18UpgradeAllVault log file missing subsystem logs
1.16.01.16.3YesAllAzure secrets engine role creation failing
1.16.01.16.3YesAllCached activation flags for secrets sync on follower nodes are not updated
1.16.0NoYesEnterpriseDuplicate identity groups created when concurrent requests sent to the primary and PR secondary cluster
1.16.0NoYesEnterpriseDuplicate unseal/seal wrap HSM keys
1.16.01.16.1UpgradeAllError logging in with LDAP auth method
1.16.01.16.1UpgradeAllError logging in with LDAP auth method when anonymous group search is enabled
1.16.0NoYesAllExisting clusters do not show the current Vault version in UI by default
1.16.0NoYesEnterpriseManual entity merges sent to a PR secondary cluster are not persisted to storage
1.16.01.16.4YesAllNew nodes added by autopilot upgrades provisioned with the wrong version
1.16.01.16.3YesEnterprisePerformance Standbys revert to Standby mode on unseal
1.16.0NoYesAllPKI OCSP GET requests can return HTTP redirect responses
1.16.01.16.6YesEnterprisePotential DoS when using the deny_unauthorized proxy protocol behavior for a TCP listener
1.16.0NoYesAllSending SIGHUP to vault standby node causes panic
1.16.0NoUpgradeAllUnwanted secret rotation for DB and LDAP roles on restart
1.16.11.16.2YesAllError configuring the JWT auth method
1.16.31.16.6YesAllJWT auth login requires bound audiences on the role
1.16.31.16.7UpgradeEnterpriseVault standby nodes not deleting removed entity-aliases from in-memory database
1.16.71.16.9UpgradeAllClient tokens and token accessors audited in plaintext
1.16.71.16.16YesEnterpriseSecrets sync SSRF protection may block private endpoints
1.16.16NoNoAllAuthorization failure with Azure federated identity credentials
1.16.161.16.20UpgradeAllUnexpected DB static role rotations on upgrade
1.16.161.16.20UpgradeAllUnexpected LDAP static role rotations on upgrade
1.16.171.16.21YesEnterpriseExternal Enterprise plugins cannot run on a standby node when it becomes active
1.16.181.16.21UpgradeAllAzure authN fails to authenticate Uniform VMSS instances
1.16.01.16.27NoEnterpriseFull seal rewraps occur on DR/PR failover with multi-seal enabled
Edit this page on GitHub