Vault change tracker

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website.

Summary tables of important changes that may affect your ability to upgrade Vault.

Changes for 1.20.x

Breaking changes

Found	Recommendations	Edition	Issue
1.20.0	Yes	All	`disable_mlock` required for integrated storage
1.20.0	Yes	All	Rekey cancellations use a nonce

Known issues

Found	Fixed	Workaround	Edition	Issue

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website. 1.20.0 | No | Yes | All | Duplicate unseal/seal wrap HSM keys 1.20.0 | 1.20.1 | Yes | Enterprise | Development cluster setting overwritten on secondary cluster reload 1.20.0 | No | Yes | All | UI login fails for auth mounts with underscores and unauthenticated listing 1.20.0 | No | Yes | All | UI navigation to a KV v2 secret with an underscore errors without permissions to read subkeys

Changes for 1.19.x

General updates

Change	Found	Fixed	Recs	Edition	Issue
Support change	1.19.0	N/A	N/A	All	1.16.x moves to long term support and 1.19 becomes the current LTS version

Breaking changes

Found	Recommendations	Edition	Issue

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website. 1.19.0 | Yes | All | Security improvement for LDAP user DN search with upndomain 1.19.6 | Yes | All | Rekey cancellations use a nonce

New behavior

Found	Recommendations	Edition	Issue
1.19.0	No	Enterprise	Anonymized cluster data returned with license utilization
1.19.0	Yes	All	Identity system duplicate cleanup
1.19.0	No	All	RADIUS authentication is no longer case sensitive
1.19.0	No	All	Transit support for Ed25519ph and Ed25519ctx signatures
1.19.1	Yes	All	Strict validation for Azure auth login requests

Bugs

Found	Fixed	Workaround	Edition	Issue
1.19.0	1.19.3	Yes	All	Automated rotation stops after unseal
1.19.0	1.19.4	Yes	All	AWS STS configuration can fail with unspecified STS endpoints
1.19.0	1.19.4	Yes	Enterprise	External Enterprise plugins cannot run on a standby node when it becomes active
1.19.0	1.19.1	Upgrade	All	Vault log file missing subsystem logs
1.19.1	1.19.4	Yes	All	Azure authN fails to authenticate Uniform VMSS instances

Known issues

Found	Fixed	Workaround	Edition	Issue
1.19.0	No	Yes	All	Duplicate unseal/seal wrap HSM keys
1.19.0	1.19.3	Yes	All	Login/token renewal failures after group changes
1.19.0	1.19.3	Upgrade	All	Unexpected DB static role rotations on upgrade
1.19.0	1.19.3	Upgrade	All	Unexpected LDAP static role rotations on upgrade
1.19.0	1.19.3	Yes	All	Unwanted secret rotation for DB and LDAP roles on restart
1.12.0	No	Yes	All	Duplicate LDAP Password Rotations on Standby Node Check-In

Changes for 1.18.x

General updates

Change	Found	Fixed	Recs	Edition	Issue
Beta removed	1.18.0	N/A	No	All	Request limiter removed

Breaking changes

Found	Recommendations	Edition	Issue

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website. 1.18.11 | Yes | All | Rekey cancellations use a nonce

New behavior

Found	Recommendations	Edition	Issue
1.18.0	No	All	Activity log changes
1.18.0	Yes	All	Docker image no longer contains curl
1.18.2	Yes	All	Anonymous product usage metrics collection
1.18.7	No	All	Strict validation for Azure auth login requests

Bugs

Found	Fixed	Workaround	Edition	Issue
1.18.0	1.18.7	Upgrade	All	Vault log file missing subsystem logs
1.18.6	1.18.10	Yes	Enterprise	External Enterprise plugins cannot run on a standby node when it becomes active
1.18.7	1.18.10	Yes	All	Azure authN fails to authenticate Uniform VMSS instances

Known issues

Found	Fixed	Workaround	Edition	Issue
1.18.0	No	Yes	All	Duplicate unseal/seal wrap HSM keys
1.18.0	1.18.9	Yes	All	Unwanted secret rotation for DB and LDAP roles on restart
1.18.5	No	No	All	Authorization failure with Azure federated identity credentials
1.18.5	1.18.9	Upgrade	All	Unexpected DB static role rotations on upgrade
1.18.5	1.18.9	Upgrade	All	Unexpected LDAP static role rotations on upgrade

Changes for 1.17.x

General updates

Change	Found	Fixed	Recs	Edition	Issue
Beta deprecated	1.17.0	N/A	No	All	Request limiter deprecated
Opt out feature	1.17.0	N/A	Yes	All	PKI sign-intermediate now truncates `notAfter` field to signing issuer

Breaking changes

Found	Recommendations	Edition	Issue

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website. 1.17.18 | Yes | All | Rekey cancellations use a nonce

New behavior

Found	Recommendations	Edition	Issue
1.17.0	No	All	Allowed audit headers now have unremovable defaults
1.17.0	Yes	All	JWT auth login requires `bound_audiences` parameter on role
1.17.14	No	All	Strict validation for Azure auth login requests
1.17.3	Yes	All	Secrets Sync SSRF Protection May Block Private Endpoints
1.17.9	No	All	Default report months deprecated for `sys/internal/counters`
1.17.9	Yes	All	Vault product usage metrics reporting

Bugs

Found	Fixed	Workaround	Edition	Issue
1.17.0	1.17.17	Yes	Enterprise	External Enterprise plugins cannot run on a standby node when it becomes active
1.17.0	1.17.14	Upgrade	All	Vault log file missing subsystem logs
1.17.14	1.17.17	Yes	All	Azure authN fails to authenticate Uniform VMSS instances

Known issues

Found	Fixed	Workaround	Edition	Issue
1.17.0	1.17.4	Yes	All	AWS Auth Role configuration requires an external_id
1.17.0	1.17.6	Yes	All	Cached activation flags for secrets sync on follower nodes are not updated
1.17.0	1.17.5	Upgrade	All	Client tokens and token accessors audited in plaintext
1.17.0	1.17.3	Upgrade	All	Deleting an entity-aliases does not remove it from the in-memory database on standby nodes
1.17.0	No	Yes	Enterprise	Duplicate identity groups created when concurrent requests sent to the primary and PR secondary cluster
1.17.0	No	Yes	All	Duplicate unseal/seal wrap HSM keys
1.17.0	1.17.2	Upgrade	Enterprise	Input data on Transit Generate CMAC Response
1.17.0	No	Yes	Enterprise	Manual entity merges sent to a PR secondary cluster are not persisted to storage
1.17.0	No	Yes	All	PKI OCSP GET requests can return HTTP redirect responses
1.17.0	No	Upgrade	All	Unwanted secret rotation for DB and LDAP roles on restart
1.17.0	1.17.1	Upgrade	All	Vault Agent and Vault Proxy consume an excessive amount of CPU
1.17.0	1.17.3	Upgrade	Enterprise	Vault standby nodes not deleting removed entity-aliases from in-memory database
1.17.1	1.17.2	Yes	All	Potential DoS when using the deny_unauthorized proxy protocol behavior for a TCP listener
1.17.12	No	No	All	Authorization failure with Azure federated identity credentials
1.17.12	1.17.16	Upgrade	All	Unexpected DB static role rotations on upgrade
1.17.12	1.17.16	Upgrade	All	Unexpected LDAP static role rotations on upgrade

Changes for 1.16.x

Breaking changes

Found	Recommendations	Edition	Issue
1.16.0	Yes	All	Docker image no longer contains curl
1.16.21	Yes	All	Rekey cancellations use a nonce

New behavior

Found	Recommendations	Edition	Issue

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website. 1.16.0 | No | Enterprise | Activity log changes 1.16.0 | No | All | Auto-rolled billing start date 1.16.0 | Yes | All | Default lease count quota enabled when upgrading from Vault versions before 1.9 1.16.0 | Yes | All | External plugin variables take precedence over system variables 1.16.0 | Yes | All | LDAP auth login changes 1.16.0 | Yes | All | Product usage reporting 1.16.0 | Yes | All | Secrets Sync cannot be activated from chroot namespace 1.16.0 | No | Enterprise | Secrets Sync now requires setting a one-time flag before use 1.16.18 | No | All | Strict validation for Azure auth login requests

Bugs

Found	Fixed	Workaround	Edition	Issue
1.16.0	1.16.18	Upgrade	All	Vault log file missing subsystem logs
1.16.17	1.16.21	Yes	Enterprise	External Enterprise plugins cannot run on a standby node when it becomes active
1.16.18	1.16.21	Upgrade	All	Azure authN fails to authenticate Uniform VMSS instances

Known issues

Found	Fixed	Workaround	Edition	Issue
1.16.0	1.16.3	Yes	All	Azure secrets engine role creation failing
1.16.0	1.16.3	Yes	All	Cached activation flags for secrets sync on follower nodes are not updated
1.16.0	No	Yes	Enterprise	Duplicate identity groups created when concurrent requests sent to the primary and PR secondary cluster
1.16.0	No	Yes	All	Duplicate unseal/seal wrap HSM keys
1.16.0	1.16.1	Upgrade	All	Error logging in with LDAP auth method
1.16.0	1.16.1	Upgrade	All	Error logging in with LDAP auth method when anonymous group search is enabled
1.16.0	No	Yes	All	Existing clusters do not show the current Vault version in UI by default
1.16.0	No	Yes	Enterprise	Manual entity merges sent to a PR secondary cluster are not persisted to storage
1.16.0	1.16.4	Yes	All	New nodes added by autopilot upgrades provisioned with the wrong version
1.16.0	1.16.3	Yes	Enterprise	Performance Standbys revert to Standby mode on unseal
1.16.0	No	Yes	All	PKI OCSP GET requests can return HTTP redirect responses
1.16.0	1.16.6	Yes	Enterprise	Potential DoS when using the deny_unauthorized proxy protocol behavior for a TCP listener
1.16.0	No	Yes	All	Sending SIGHUP to vault standby node causes panic
1.16.0	No	Upgrade	All	Unwanted secret rotation for DB and LDAP roles on restart
1.16.1	1.16.2	Yes	All	Error configuring the JWT auth method
1.16.16	No	No	All	Authorization failure with Azure federated identity credentials
1.16.16	1.16.20	Upgrade	All	Unexpected DB static role rotations on upgrade
1.16.16	1.16.20	Upgrade	All	Unexpected LDAP static role rotations on upgrade
1.16.3	1.16.6	Yes	All	JWT auth login requires bound audiences on the role
1.16.3	1.16.7	Upgrade	Enterprise	Vault standby nodes not deleting removed entity-aliases from in-memory database
1.16.7	1.16.9	Upgrade	All	Client tokens and token accessors audited in plaintext