Compiled from the Vault CHANGELOG, GitHub releases, and the Important Changes documentation.
Only changes that alter existing behavior, remove prior functionality, or require operator action are included. Pure security advisories without behavioral impact are noted but not exhaustively listed.
| Area | Change | Details |
|---|---|---|
| audit | correlation-id and x-correlation-id request headers are now included in audit log entries when present. They are not HMAC-protected by default; set hmac=true for each header under /sys/config/auditing/request-headers to mask them. Marked breaking in release notes. | GH-26777 |
| auth/centrify | The deprecated Centrify auth method plugin has been removed. Clusters using it must migrate to an alternative auth method before upgrading. | GH-27130 |
| auth/jwt | bound_audiences validation is now enforced for list-type aud claims (backported to v1.16.3). A bug (CVE-2024-5798) caused Vault to skip the bound_audiences check entirely when the JWT aud claim was a JSON array of strings rather than a single string, so a token issued for an unrelated audience could log in. After the fix, bound_audiences must be set on the JWT role and at least one of its values must appear in the token's aud claim. Deployments that relied on the broken behavior (roles with no or mismatched bound_audiences) will now fail to authenticate until the role and the token issuer agree on an audience. | HCSEC-2024-11, 1.17.x upgrade guide |
| core (Enterprise) | Seal High Availability (HA) now requires enable_multiseal = true in server configuration to activate. Was previously implied in some upgrade paths. | — |
| secrets/pki | sign-intermediate now truncates notAfter to the signing issuer's notAfter when the calculated value would exceed it. Previously an out-of-range notAfter was silently permitted, producing chains in which the intermediate outlived its issuer. | GH-26796 |
| sdk | String templates (used in database secrets engine URL templates, etc.) now have a hard maximum of 100,000 characters. Longer templates will error. | GH-26110 |
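To make the JWT aud failure mode above concrete, here is an added Go illustration (not the auth plugin's own code): one function keeps the pre-fix mistake of comparing only a string-typed aud, the other normalises both JSON shapes of the claim and applies the rule as described in the table. The token is built around a constructed, unsigned payload; signature verification is deliberately out of scope, and the audience strings are invented.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// payloadClaims decodes the claims segment of a compact JWT without verifying
// the signature. It exists only to look at the shape of the aud claim; a real
// login path verifies the signature before trusting anything in the payload.
func payloadClaims(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// audValues normalises aud, which RFC 7519 allows as either a string or an
// array of strings, into a slice. A missing claim yields an empty slice.
func audValues(claims map[string]any) ([]string, error) {
	switch v := claims["aud"].(type) {
	case nil:
		return nil, nil
	case string:
		return []string{v}, nil
	case []any:
		out := make([]string, 0, len(v))
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, errors.New("aud contains a non-string element")
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("aud has unexpected type %T", v)
	}
}

// boundAudiencesBuggy reproduces the failure mode: the comparison only runs
// when aud is a plain string, so an array-valued aud passes untested.
func boundAudiencesBuggy(bound []string, claims map[string]any) bool {
	aud, isString := claims["aud"].(string)
	if !isString {
		return true // BUG: array-valued aud is accepted without any comparison
	}
	for _, b := range bound {
		if b == aud {
			return true
		}
	}
	return false
}

// boundAudiencesFixed applies the rule described in the table: the role must
// carry bound_audiences and at least one of them must appear in the token's aud.
func boundAudiencesFixed(bound []string, claims map[string]any) error {
	aud, err := audValues(claims)
	if err != nil {
		return err
	}
	if len(bound) == 0 {
		return errors.New("role has no bound_audiences")
	}
	for _, b := range bound {
		for _, a := range aud {
			if a == b {
				return nil
			}
		}
	}
	return fmt.Errorf("aud %v does not contain any of bound_audiences %v", aud, bound)
}

// fakeJWT wraps a constructed payload in an unsigned compact JWT so the example
// runs offline: "e30" is the empty JSON object, the signature is a placeholder.
func fakeJWT(payloadJSON string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(payloadJSON)) + ".sig"
}

func main() {
	// Constructed token: an array aud that does not include the role's audience.
	token := fakeJWT(`{"sub":"ci-runner","aud":["https://other.example","https://vault.example"]}`)
	claims, err := payloadClaims(token)
	if err != nil {
		panic(err)
	}
	bound := []string{"https://api.example"} // hypothetical role audience
	fmt.Println("buggy check accepts:", boundAudiencesBuggy(bound, claims))
	fmt.Println("fixed check error:", boundAudiencesFixed(bound, claims))
	fmt.Println("fixed check, matching audience:", boundAudiencesFixed([]string{"https://vault.example"}, claims))
}
```

Running it shows the buggy variant accepting the unmatched array aud while the fixed variant rejects it and still accepts a matching audience; the same fixed function also rejects a role with no bound_audiences, which is the case that now breaks for deployments that never set the field.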
| Area | Change | Details |
|---|---|---|
| secrets/ssh | CA certificate issuance (ssh/sign and ssh/issue) now requires the request's valid_principals to be non-empty, or the role to set default_user; otherwise the request is denied. Previously a request with no principals produced a certificate with an empty principal list, which OpenSSH treats as valid for any principal. The new role flag allow_empty_principals = true restores the old behavior for roles that need it. Applies to 1.16.x ≥ 1.16.10 and 1.17.x ≥ 1.17.6. | HCSEC-2024-20, GH-28466 |
| core/audit | Security regression fix: client tokens and token accessors that were being emitted as plaintext in audit logs are now properly HMAC-protected again. Audit consumers relying on plaintext tokens in logs must update their tooling. | HCSEC-2024-18 |
| Area | Change | Details |
|---|---|---|
| activity (Enterprise) | The deprecated fields distinct_entities and non_entity_tokens have been removed from client count API responses. | GH-27830 |
| activity log | The default_report_months field is deprecated and ignored; the billing period start date is now used to determine the default start time for activity log queries. | GH-27350 |
| activity log | The current_billing_period filter for /sys/internal/counters/activity is deprecated; the default start time is now the billing period start automatically. | GH-27426 |
| activity export API | The Activity Export API now requires the sudo ACL capability. Tokens without sudo will receive 403. | GH-27846 |
| activity export API | The Activity Export API now returns HTTP 204 (no content) instead of 400 when no data exists in the requested time range. | GH-28064 |
| CLI | The undocumented -dev-three-node and -dev-four-cluster CLI flags have been removed. | GH-27578 |
| core (Enterprise) | Control group error responses for could not find token and token is not a valid control group token now return HTTP 400 instead of 500. | — |
| Area | Change | Details |
|---|---|---|
| core/raft | Raft cluster join requests are now rate-limited and rejected beyond a configurable threshold to prevent memory exhaustion DoS. This is a behavioral change for large clusters performing many concurrent joins. | HCSEC-2024-26, GH-28790 |
| Area | Change | Details |
|---|---|---|
| secrets/pki | Issuer constraint extensions are now enforced when issuing or signing leaf certificates. Previously, extended key usage, name constraints, and issuer name extensions on CA issuers were not checked, so requests that violated them were accepted. Such requests are now rejected, and certificates that were issued in violation of an issuer's constraints cannot be re-signed or renewed unchanged. See PKI Considerations. First backported to v1.16.14 (Dec 2024), then included in v1.19.0. | GH-29045, PKI docs |
| Area | Change | Details |
|---|---|---|
| auth/ldap | Login now returns an error if more than one entry is returned from the user DN LDAP search. Previously, the first result was silently used. | GH-29302 |
| auth/ldap | Authentication warnings are no longer forwarded to the auth client. | GH-29134 |
| core/raft | sys/storage/raft/join now returns an error if a node that was previously removed from the raft cluster tries to re-join while it still has raft data on disk. The data must be cleared first. | GH-29090 |
| storage/raft | Nodes removed from the raft cluster configuration are shut down and can no longer respond to any requests. | GH-28875 |
| kmip (Enterprise) | RSA key generation now enforces a minimum key size of 2048 bits. Requests for smaller keys will fail. | — |
| secrets/aws | The AWS Secrets engine now persists role config between writes (partial updates supported). To zero out a previously-set field, operators must now explicitly pass the zero value in the update request. | GH-29497 |
| ui | The ability to download unencrypted KV v2 secret data from the UI has been removed. | GH-29290 |
| Area | Change | Details |
|---|---|---|
| auth/azure | Azure auth logins now require resource_group_name, vm_name, and vmss_name in the token claims to match the configured bound values. Previously, missing or mismatched location constraints could be bypassed on login. | HCSEC-2025-07 |
| Area | Change | Details |
|---|---|---|
| server config | disable_mlock must now be set explicitly when using integrated storage; it no longer has a default in that configuration, and the server fails to start unless the config sets it to true or false. The integrated storage docs recommend disable_mlock = true, since raft's on-disk data is memory-mapped and cannot usefully be locked. | GH-29974 |
| core | Client IP addresses taken from X-Forwarded-For headers are now validated as well-formed IPv4 or IPv6 addresses. Requests carrying invalid values are rejected, which can break setups whose proxies insert non-address placeholders or otherwise non-standard values into the header. | GH-29774 |
| activity API | The end_time returned by /sys/internal/counters/activity is now capped at the end of the last completed month. Requests with a future end_time return data only through the previous month end. | GH-30164 |
| api | The /sys/internal/counters/tokens endpoint is deprecated and now returns 403 (unsupported path). Callers must be updated. | GH-30561 |
| auth/azure | Azure auth plugin updated to v0.20.2+: login now requires resource_group_name, vm_name, and vmss_name in token claims (propagated from patch releases). | GH-30052 |
| activity (Enterprise) | Provided start_time and end_time values in sys/internal/counters/activity are now aligned to the corresponding billing period boundaries. | — |
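The X-Forwarded-For validation in the table above, as an added Go illustration (not Vault's own implementation): every comma-separated element must parse as an IPv4 or IPv6 address, optionally with a port, and a single bad element such as the "unknown" placeholder some proxies emit rejects the whole header. Which element Vault actually treats as the client address is governed by the listener's x_forwarded_for_hop_skips setting; this example simply returns the leftmost one, and the sample header values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// parseHop accepts one X-Forwarded-For element as either a bare address
// ("203.0.113.7", "2001:db8::1") or an address with port ("203.0.113.7:5123",
// "[2001:db8::1]:443"). Anything else, including placeholders such as
// "unknown" or an empty element from a trailing comma, is rejected.
func parseHop(s string) (netip.Addr, error) {
	s = strings.TrimSpace(s)
	if a, err := netip.ParseAddr(s); err == nil {
		return a, nil
	}
	if ap, err := netip.ParseAddrPort(s); err == nil {
		return ap.Addr(), nil
	}
	return netip.Addr{}, fmt.Errorf("X-Forwarded-For element %q is not an IP address", s)
}

// clientIPFromXFF validates every element of the header and returns the
// leftmost one. The whole header is rejected if any element is malformed,
// matching the strict behaviour described in the table rather than silently
// skipping bad entries.
func clientIPFromXFF(header string) (netip.Addr, error) {
	if strings.TrimSpace(header) == "" {
		return netip.Addr{}, errors.New("empty X-Forwarded-For header")
	}
	var hops []netip.Addr
	for _, part := range strings.Split(header, ",") {
		a, err := parseHop(part)
		if err != nil {
			return netip.Addr{}, err
		}
		hops = append(hops, a)
	}
	return hops[0], nil
}

func main() {
	// Constructed header values as a reverse proxy chain might send them.
	for _, h := range []string{
		"203.0.113.7, 198.51.100.2",
		"[2001:db8::1]:443, 198.51.100.2",
		"unknown, 203.0.113.7",
		"203.0.113.7; 198.51.100.2",
		"203.0.113.7, ",
	} {
		ip, err := clientIPFromXFF(h)
		if err != nil {
			fmt.Printf("%-36q rejected: %v\n", h, err)
			continue
		}
		fmt.Printf("%-36q client ip %s\n", h, ip)
	}
}
```

The rejected cases in main are the ones to test a proxy fleet against before upgrading: a placeholder token, a wrong separator, and a trailing empty element all produce a rejected request rather than a degraded audit entry.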
| Area | Change | Details |
|---|---|---|
| core | A nonce is now required when cancelling a rekey operation initiated within the last 10 minutes, preventing a denial-of-service via recovery key cancellation. | HCSEC-2025-11, GH-30794 |
| Area | Change | Details |
|---|---|---|
| audit (all editions) | Breaking change: Vault refuses to unseal if the only configured file audit device has executable permissions (e.g., 0755, 0777). This closes a code execution vector (CVE-2025-6000). Before upgrading, check the on-disk mode of every file audit device and the mode option the device was enabled with; the device's default of 0600 is sufficient. See Important Changes docs. | HCSEC-2025-14, GH-31211 |
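A pre-upgrade check for the file-mode rule above, as an added Go example (not Vault's own code): it stats each file audit device path and flags any execute bit, on the assumption that any of the 0111 bits is what triggers the refusal. A missing path is reported as a problem rather than passed over, so a typo cannot masquerade as a clean result. The files in main are created in a temporary directory purely for demonstration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// execBits are the owner, group and other execute permission bits.
const execBits fs.FileMode = 0o111

// auditFileMode returns the permission bits of a regular file at path.
// Directories, sockets and missing paths are errors.
func auditFileMode(path string) (fs.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	if !info.Mode().IsRegular() {
		return 0, fmt.Errorf("%s is not a regular file", path)
	}
	return info.Mode().Perm(), nil
}

// isExecutable reports whether any execute bit is set (assumed to be the
// condition that makes Vault refuse to unseal).
func isExecutable(mode fs.FileMode) bool {
	return mode&execBits != 0
}

// checkAuditFiles returns one error per offending path; an empty result means
// every file audit device is safe with respect to this rule.
func checkAuditFiles(paths []string) []error {
	var problems []error
	for _, p := range paths {
		mode, err := auditFileMode(p)
		switch {
		case err != nil:
			problems = append(problems, fmt.Errorf("%s: %w", p, err))
		case isExecutable(mode):
			problems = append(problems, fmt.Errorf("%s: mode %#o has execute bits; chmod 0600 before upgrading", p, mode))
		}
	}
	return problems
}

func main() {
	// Constructed demonstration: two temporary files, one with execute bits.
	dir, err := os.MkdirTemp("", "audit-check")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	bad := filepath.Join(dir, "vault_audit.log")
	good := filepath.Join(dir, "vault_audit_clean.log")
	for p, m := range map[string]fs.FileMode{bad: 0o755, good: 0o600} {
		if err := os.WriteFile(p, nil, m); err != nil {
			panic(err)
		}
		// WriteFile's mode is masked by the umask, so set it explicitly.
		if err := os.Chmod(p, m); err != nil {
			panic(err)
		}
	}
	problems := checkAuditFiles([]string{bad, good, filepath.Join(dir, "missing.log")})
	for _, p := range problems {
		fmt.Println("FAIL:", p)
	}
	if len(problems) == 0 {
		fmt.Println("all file audit devices are safe to upgrade")
	}
}
```

Feed checkAuditFiles the file_path of each file device from `vault audit list -detailed` and treat a non-empty result as a blocker for the upgrade; the check is about the file's own mode and says nothing about the directory it lives in.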
| Area | Change | Details |
|---|---|---|
| auth/ldap | Non-empty passwords are now required on LDAP login. Blank passwords now return an error rather than being forwarded to the server, preventing potential unauthenticated access. | — |