RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Rook

Storage & DataTodayJul 8, 2026

Rook v1.20.2 is a routine patch that tightens mgr network policy to ingress-only and bumps Ceph to v20.2.2 and ceph-csi-operator to v1.0.4, alongside several bug fixes and minor enhancements. No CVEs or breaking API changes are included.

  • securitymgr NetworkPolicy tightened to ingress-only

    The mgr NetworkPolicy is now restricted to ingress-only traffic. If you have custom NetworkPolicy rules that rely on mgr egress paths being open by default, review and adjust your network policies after upgrading to v1.20.2.

  • enhancementCeph bumped to v20.2.2, ceph-csi-operator to v1.0.4

    The default Ceph image is updated to v20.2.2 and ceph-csi-operator to v1.0.4. Test these versions in staging if your deployment pins Ceph or CSI operator images explicitly.

Key changes (7)
  • mgr NetworkPolicy restricted to ingress-only, closing previously open egress paths (medium severity)
  • Ceph default version updated to v20.2.2
  • ceph-csi-operator updated to v1.0.4
  • Node watcher now triggers reconciliation on label or annotation changes, improving dynamic node handling
  • VolumeAttachment resources are correctly removed during unmount in external clusters, preventing stale state
  • Mon reschedule floating time reduced for faster failover; node watcher skipped during initial cache sync to suppress spurious reconcile loops at startup
  • Smaller fixes: OSD raw-activate path no longer scans rbd devices incorrectly, config overrides now end with a trailing newline, object store realm access keys generated as URL-safe strings; new API for muting Ceph warnings added
Source

Artifact Hub

CI/CD & App DeliveryYesterdayJul 7, 2026

Artifact Hub v1.23.0 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Flux

CI/CD & App DeliveryYesterdayJul 7, 2026

Flux v2.9.1 is a patch release fixing a CRD schema corruption bug where post-build variable substitution could rewrite Flux's own CRD definitions, plus smaller fixes for SOPS .ini decryption and a dry-run strategic merge patch error. No new breaking changes or CVEs are disclosed.

  • breakingCRD schema corruption from variable substitution fixed

    If you run Kustomizations with post-build variable substitution enabled and your manifests contain ${...} sequences that happen to match Flux CRD schema fields, earlier versions could corrupt the CRD schemas. v2.9.1 fixes this by annotating Flux's own CRDs with kustomize.toolkit.fluxcd.io/substitute: disabled, so substitution no longer touches them. Upgrade if you use post-build substitution.

Key changes (4)
  • Fixed CRD schema corruption: Flux's own CRDs are now annotated kustomize.toolkit.fluxcd.io/substitute: disabled to stop post-build substitution from rewriting their schemas
  • Fixed SOPS .ini file decryption
  • Fixed a dry-run error in strategic merge patch handling
  • No new breaking changes, deprecations, or CVEs disclosed
Source

OpenTelemetry

ObservabilityYesterdayJul 7, 2026

OpenTelemetry Collector v0.156.0 is a bugfix rollup with one operator-relevant behavior change: the memory_limiter processor switches from continuous forced GC to exponential backoff, with the cap exposed via two new config fields. Several targeted fixes address permanent-error handling in otlp_http, receiver startup ordering, env var nil resolution, and retry config validation.

  • enhancementmemory_limiter GC backoff now configurable via two new fields

    The memory_limiter processor now backs off GC calls exponentially when GC is deemed ineffective (soft limit still exceeded and less than 5% memory reclaimed). The backoff cap is controlled by max_gc_interval_when_soft_limited and max_gc_interval_when_hard_limited, both defaulting to 30s. If you tune GC aggressiveness, review these new fields; the default behavior changes from continuous forced GC to capped backoff.

Key changes (7)
  • memory_limiter processor: forced GC now uses exponential backoff when ineffective, capped by new fields max_gc_interval_when_soft_limited and max_gc_interval_when_hard_limited (default 30s each)
  • otlp_http exporter: parse errors on truncated 2xx response bodies are now permanent errors, preventing duplicate exports on retry
  • pkg/service: receivers now start only after all other components have fully initialized, fixing a race with shared-implementation receivers like OTLP
  • env provider: an unset variable with ${env:VAR:-} syntax now resolves to empty string instead of nil
  • configretry BackOffConfig fields validated regardless of the Enabled flag
  • memory_limiter processor now emits componentstatus health events reflecting its current state
  • mdatagen enhancements: stability levels for resource attributes, semantic convention references, field_name option in go_struct, enum validator support, and distinct named Go types for primitive exported config schemas
Source

OpenKruise

CI/CD & App DeliveryJul 4, 2026

OpenKruise v1.9.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Lima

Kubernetes CoreJul 3, 2026

Lima v2.1.4 is a routine patch release with a handful of cherry-picked bug fixes, a nerdctl bump, and small CLI/template improvements. No breaking changes, security fixes, or deprecations are included.

Key changes (5)
  • Bugfix: xorrisofs flag now only added to the xorrisofs command
  • Bugfix: QEMU falls back from hvf to tcg on macOS when hvf is unavailable
  • Dependency: nerdctl bumped from v2.3.3 to v2.3.4
  • Templates updated, freebsd-15 now supports 9p mounts
  • Enhancement: limactl network list --json now includes the network name
Source

Open Policy Agent (OPA)

SecurityJul 2, 2026

OPA v1.18.2 is a routine patch that restores the original newline-preservation behavior in `opa fmt`. Policies that were already correctly formatted will no longer be rewritten when the formatter runs.

Key changes (1)
  • Fixes a regression in `opa fmt` (introduced in v1.18.0) where single-item collections (arrays, objects, sets) were always expanded onto multiple lines regardless of the source formatting, causing spurious diffs on already-formatted policies
Source

wasmCloud

Orchestration & ManagementJul 2, 2026

wasmCloud v2.5.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

CRI-O

Kubernetes CoreJul 2, 2026

CRI-O v1.35.5 is a routine patch with two bug fixes: ImageRef now stays consistent across restarts, and the gomaxprocs hook calculation has been adjusted to reduce potential scheduler throttling. No breaking changes, security advisories, or API modifications are included.

Key changes (2)
  • Fixed ImageRef inconsistency in container status after CRI-O restart (repo@digest reverted to raw image ID hash)
  • Updated gomaxprocs hook to ignore workload partitioning during injection decisions, and set a floor of double the requested CPUs to reduce Go scheduler throttling
Source

gRPC

Networking & MessagingJul 2, 2026

gRPC 1.82.0 is a routine release with incremental Core, PHP, Python, and Ruby fixes and no security issues or breaking changes. Highlights are two xDS protocol additions (A85 ORCA-to-LRS, A114 weighted round robin) alongside a batch of smaller bug fixes.

Key changes (8)
  • No CVEs, breaking API removals, or deprecations in this release
  • xDS gains ORCA-to-LRS propagation (gRFC A85) and weighted round robin support for custom backend metrics (A114)
  • Call credentials can now look up and attach regional access boundary policy metadata
  • Python aio fixes: 100% CPU loop under the -O flag, and calls now cancel without closing channels in fork children
  • Ruby adds pure Ruby call credentials and fixes interceptors to run in FIFO order as intended
  • POSIX socket fix: file descriptor 0 was wrongly treated as invalid; CFStream callbacks now unregister on endpoint shutdown
  • PHP extension backport adds PIE support; Python gains Pyright/Typeguard type-checking on aio call and metadata modules
  • Plus a RetryFilter fix avoiding a spurious abseil nullopt assertion
Source

Harbor

Storage & DataJul 2, 2026

Harbor v2.15.2 is a maintenance patch backporting fixes from 2.15.0, with the most operator-visible change being the replacement of Redis with Valkey as the cache backend. It also hardens blob-mount token validation, cleans up crypto and SMTP dependencies, and delivers a large set of UI/UX fixes following the Angular 21 and Clarity v18 upgrade.

Key changes (7)
  • Cache backend replaced: Redis swapped out for Valkey (affects deployment configs referencing Redis)
  • Security: blob-mount token validation now rejects tokens missing iat and validates source project (medium severity)
  • Security: crypto usage hardened; unused SMTP package removed (low severity)
  • Harbor UI upgraded to Angular 21, Clarity v18, Node.js v22, with numerous UI/UX fixes (checkboxes, dark theme, i18n, form styling, pull command tag selection)
  • YAML library replaced: gopkg.in/yaml.v2 swapped for github.com/goccy/go-yaml
  • Registry image pinned to stable tag v2.8.3-harbor.1 (previously rc.5)
  • repository update_time now bumps correctly on tag and artifact changes; Cosign tlog verification adjusted
Source

CRI-O

Kubernetes CoreJul 2, 2026

CRI-O v1.36.2 is a routine patch that fixes how the gomaxprocs hook calculates CPU allocation, avoiding under-provisioning that could throttle the Go scheduler. No security fixes or breaking changes are included.

Key changes (2)
  • gomaxprocs hook no longer factors in workload partitioning when deciding whether to inject
  • CPU allocation recalculated so containers get at least double the requested CPU count, reducing Go scheduler throttling
Source

CRI-O

Kubernetes CoreJul 2, 2026

CRI-O v1.34.10 is a routine bugfix patch with two fixes: a correction to gomaxprocs CPU injection logic and a container status ImageRef format regression after restart. No security, API, or configuration changes are included.

Key changes (3)
  • gomaxprocs hook updated to ignore workload partitioning when deciding whether to inject CPU settings
  • gomaxprocs calculation now guarantees containers receive at least double the requested CPU count, reducing Go scheduler throttling risk
  • Fixed container status ImageRef inconsistency where the value changed from repo@digest format to a raw image ID hash after CRI-O restart
Source

etcd

Kubernetes CoreJul 2, 2026

etcd v3.6.13 is a security patch addressing a HIGH-severity CRL enforcement bypass (GHSA-3wh4-j44w-pg92) on the gRPC listener, active when --listen-client-http-urls is configured. It also fixes websocket bearer-token auth and adds a v2-deprecation flag option.

  • securityPatch the CRL enforcement bypass on the gRPC listener (GHSA-3wh4-j44w-pg92)

    Clusters using --listen-client-http-urls were not enforcing Certificate Revocation List checks on the gRPC listener, allowing revoked client certificates to authenticate. Upgrade to v3.6.13 if you configure that flag.

Key changes (3)
  • Security (HIGH): CRL enforcement bypass on the gRPC listener fixed (GHSA-3wh4-j44w-pg92) — affects clusters setting --listen-client-http-urls
  • Bugfix: websocket authentication corrected for bearer-prefixed auth tokens
  • Enhancement: --v2-deprecation flag gains a write-only-skip-check option to bypass the v2 content check
Source

etcd

Kubernetes CoreJul 2, 2026

etcd v3.5.32 is a security release patching a HIGH-severity CRL enforcement bypass (GHSA-3wh4-j44w-pg92) on the gRPC listener when --listen-client-http-urls is set. It also adds a v2-deprecation bypass option and several bug fixes.

  • securityCRL enforcement bypass on gRPC listener (GHSA-3wh4-j44w-pg92)

    When --listen-client-http-urls is configured, the CRL was not enforced on the gRPC listener, allowing revoked certificates through. Upgrade to v3.5.32 if you use this flag with mTLS and a certificate revocation list.

Key changes (6)
  • Security (HIGH): CRL enforcement bypass on gRPC listener fixed when --listen-client-http-urls is configured (GHSA-3wh4-j44w-pg92)
  • New write-only-skip-check option for the --v2-deprecation flag to bypass the v2 content check
  • Server now accepts non-admin maintenance status requests
  • etcdutl check v2store now inspects both v2 snapshot and WAL records
  • Websocket authentication fixed for bearer-prefixed auth tokens
  • JWT token content no longer logged when token parsing fails
Source

Prometheus

ObservabilityJul 1, 2026

Prometheus v3.13.0 is an LTS release leading with a HIGH-severity credential-forwarding fix (CVE-2025-4673, CVE-2023-45289) and a MEDIUM XSS fix (CVE-2026-44990), alongside four breaking changes to pagination tokens, path resolution, PromQL duration function names, and license file packaging, plus a broad set of new features and performance improvements.

  • securityHIGH: Credentials no longer forwarded on cross-host redirects

    Credentials (Authorization header, basic auth, bearer token, OAuth2, and configured headers) are no longer forwarded when following a redirect to a different host. This affects scraping, remote read/write, alerting, and service discovery where credentials are configured and cross-host redirects occur. Tracked as CVE-2025-4673 and CVE-2023-45289; driven by upgrading prometheus/common from v0.68.x to v0.69.0. Review any targets or endpoints that rely on redirects, as credentials will now be dropped silently on host change.

  • securityMEDIUM: XSS fix in UI dependency (CVE-2026-44990)

    sanitize-html was bumped to fix a cross-site scripting vulnerability (CVE-2026-44990) in the Prometheus UI. No configuration change needed; upgrade to v3.13.0.

  • breakingPagination token algorithm changed from SHA-1 to SHA-256

    Rule group pagination tokens now use SHA-256 instead of SHA-1. Any client or tooling that stores or compares pagination tokens across versions will see different token values after upgrade.

  • breaking--http.config.file relative path resolution changed

    Relative file paths inside the file passed to --http.config.file are now resolved relative to that config file's own directory, not its parent directory. If you use relative paths in that config, verify they still resolve correctly after upgrading.

  • breakingDuration-expression functions min()/max() renamed to min_of()/max_of()

    If you use the experimental-duration-expr feature flag, the PromQL duration functions min() and max() have been renamed to min_of() and max_of(). Update any queries or rules that use the old names.

  • breakingnpm_licenses.tar.bz2 removed; licenses now at /assets/third-party-licenses.txt

    npm_licenses.tar.bz2 is no longer shipped in release tarballs or container images. Third-party npm license text is now embedded in the binary and served at /assets/third-party-licenses.txt. Any automation that extracted that archive needs updating.

Key changes (8)
  • HIGH security fix: credentials (auth headers, bearer token, OAuth2, basic auth) dropped on cross-host redirects, fixing CVE-2025-4673 and CVE-2023-45289 via prometheus/common v0.69.0
  • MEDIUM security fix: sanitize-html bumped to patch XSS vulnerability CVE-2026-44990 in the UI
  • Breaking: rule group pagination tokens now SHA-256; stored tokens from older versions will differ
  • Breaking: --http.config.file relative paths now resolved relative to the config file's directory, not its parent
  • Breaking: duration-expression functions min()/max() renamed to min_of()/max_of() (experimental-duration-expr flag only)
  • Breaking: npm_licenses.tar.bz2 removed from tarballs/images; licenses served from /assets/third-party-licenses.txt in the binary
  • New experimental API search endpoints for metric names, label names, and label values; AWS RDS filtering; Scaleway VPC/IPAM-only instance support; native histogram smoothed/anchored rate; per-query samplesRead stats; Azure Monitor Workspace certificate support; container images on ghcr.io
  • Performance: case-insensitive prefix matching up to ~2x faster; per-sample chunk overhead down ~12-15%; V2 histogram WAL decoder allocations cut up to 50% (up to 10% memory reduction for native-histogram deployments with created-timestamp storage); plus multiple PromQL panic and TSDB corruption fixes
Source

Longhorn

Storage & DataJul 1, 2026

Longhorn v1.11.3 is a bugfix rollup addressing over a dozen stability issues across volume operations, backups, and instance management. One upgrade prerequisite applies: the CSI external provisioner is now v6.3.0, requiring Kubernetes v1.34 or later when upgrading from v1.10.x or v1.11.0.

  • breakingKubernetes v1.34+ required when upgrading from v1.10.x or v1.11.0

    The bundled CSI external provisioner is bumped to v6.3.0, which requires Kubernetes v1.34 or later. If your cluster runs an older Kubernetes version and you are upgrading from Longhorn v1.10.x or v1.11.0, bring Kubernetes to v1.34+ first before applying this upgrade.

Key changes (7)
  • CSI external provisioner bumped to v6.3.0: clusters must run Kubernetes v1.34+ before upgrading from v1.10.x or v1.11.0
  • Fixed iscsid restarts leaving V1 volumes inoperable, blocking PVC resize and other volume operations
  • Fixed nil pointer dereference panic in longhorn-instance-manager during replica rebuild
  • Fixed deadlock causing recurring trim jobs to fail, and separate fixes for volume expansion getting stuck
  • Fixed migration engine being deleted while target node was still transitioning to ready
  • Fixed backup uploads to S3 failing on NetApp appliances, and fixed System Backup RecurringJob incorrectly pruning the newest CR
  • Fixed longhorn-manager panic in BackupController during backup deletion, plus HTTP response body leaks in support bundle and webhook polling; reduced webhook TLS Secret contention at scale
Source

Istio

Networking & MessagingJul 1, 2026

Istio 1.28.10 is a routine patch release with a single bug fix: a memory leak in the krt controller framework that accumulated stale reverse-index entries whenever a Fetch filter key changed.

Key changes (1)
  • Fixed a memory leak in the krt controller where changing a Fetch filter key (e.g., relabeling a pod to a different waypoint) left stale reverse-index entries, causing unbounded memory growth and unnecessary recomputations over time
Source

wasmCloud

Orchestration & ManagementJul 1, 2026

wasmCloud v2.5.0 is a feature release centered on the wasmtime 46 upgrade with wasip3 enabled by default, alongside a breaking change to the keyvalue bucket WIT interface and a medium-severity quinn-proto security fix. The rest of the release adds new async keyvalue/blobstore interfaces, operator hardening, and various runtime and tooling fixes.

  • securityquinn-proto security fix (RUSTSEC-2026-0185)

    Applies if you build or update wasmCloud from source or run dependency scans: quinn-proto is patched for RUSTSEC-2026-0185 (medium) in this release. Upgrade to pick up the fix; no application code changes needed.

  • breakingkeyvalue bucket moved to shared types interface

    Applies if any component uses the wasmcloud:keyvalue interface: the bucket type moved out of the inline interface definition into a shared types interface. Components and providers built against the old wasmcloud:keyvalue WIT must update their bindings and regenerate code before upgrading.

  • breakingwasmtime 46 with wasip3 enabled by default

    Applies to all components running on this runtime: wasmtime is now 46 and wasip3 support is on by default. Test existing components against the new runtime before rolling out broadly, especially anything sensitive to wasip3 behavior changes.

Key changes (7)
  • Runtime upgraded to wasmtime 46 with wasip3 enabled by default, plus new wasip3 cross-component streaming via a dynamic linker
  • Breaking WIT change: wasmcloud:keyvalue bucket now shared via a types interface instead of being defined inline per interface
  • Security fix for RUSTSEC-2026-0185 in quinn-proto (medium severity)
  • New async wasmcloud:keyvalue and wasmcloud:blobstore WIT interfaces added; wasi:keyvalue, wasmcloud:postgres, and wasmcloud:messaging/consumer can now be multiplexed via (implements ..) imports
  • End-to-end operator implementation added, with the runtime-operator Helm chart linted and hardened, and operator caching fixed to use server-side apply correctly
  • wash-runtime engine config is now composable via WasmProposal, surfaced to CLI and chart; wash-runtime also fixes P3 HTTP response streaming and gRPC body cleanup on timeout
  • Several smaller fixes and tooling improvements: WIT validation for package-level refs and version-specifier removal, wash new path handling on Windows, multiline world declarations in wash wit add, ephemeral task cleanup via AbortOnDrop, and CI updates (CARGO_NET_RETRY, s390x builds, namespaced OCI WIT publishing)
Source

Flux

CI/CD & App DeliveryJul 1, 2026

Flux v2.9.0 is a feature release adding capabilities across most controllers, with one breaking change: the end-of-life image.toolkit.fluxcd.io/v1beta2 and notification.toolkit.fluxcd.io/v1beta2 APIs have been removed from the CRDs.

  • breakingv1beta2 image and notification APIs removed

    Applies to any cluster still running resources on image.toolkit.fluxcd.io/v1beta2 or notification.toolkit.fluxcd.io/v1beta2. Both APIs have reached end-of-life and were dropped from the CRDs in v2.9.0. Migrate ImagePolicy, ImageRepository, ImageUpdateAutomation, Alert, Provider, and Receiver resources to their current API version before upgrading, or the controllers will fail to reconcile them.

Key changes (8)
  • Breaking: image.toolkit.fluxcd.io/v1beta2 and notification.toolkit.fluxcd.io/v1beta2 are end-of-life and removed from the CRDs; migrate affected resources before upgrading.
  • New Flux CLI Plugin System (`flux plugin`) with Mirror and Schema plugins.
  • Kustomization gains Server-Side Apply field ignore rules for finer drift control, and SOPS decryption via the Age post-quantum cipher.
  • New Workload Identity authentication paths: OpenBao/Vault in Kustomization, and AWS CodeCommit in GitRepository.
  • HelmRelease adds post-render strategies (including chart hooks) and a literal mode for values matching `helm --set-literal`.
  • Git commit signing/verification with SSH keys added for GitRepository and ImageUpdateAutomation; OCIRepository supports custom Sigstore trusted roots for air-gapped keyless verification.
  • Secret-less, OIDC-secured webhook Receivers added, plus path pattern directory discovery for monorepos in ArtifactGenerator.
  • Component controllers bumped (source-controller v1.9.1, kustomize-controller v1.9.1, notification-controller v1.9.1, helm-controller v1.6.1, image-reflector/automation-controller v1.2.1); CLI now builds against Kubernetes 1.36 and Go 1.26, plus assorted CLI additions and small bugfixes.
Source

Kubescape

SecurityJun 30, 2026

Kubescape v4.0.10 is a feature and hardening release: it closes an SSRF gap in the scan-completion webhook, tightens config.json permissions and validation, and removes a dead CRD, alongside a large batch of bug fixes and new capabilities like `operator remediate` and encrypted report decryption. No CVE-tracked vulnerabilities are disclosed in this release.

  • securitySSRF hardening on scan-completion webhook

    The scan-completion webhook callback now hardens against SSRF. Applies to users of the webhook callback feature; upgrade if you rely on it to avoid outbound requests being abused via crafted callback URLs.

  • breakingconfig.json permissions restricted to owner-only

    config.json is now written with owner-only permissions instead of broader access. Applies unconditionally; review any tooling or automation that reads this file as a different user, since it may now fail to access it.

  • breakingRemoval of orphan SecurityException CRD

    The orphan SecurityException CRD, which was never installable, has been removed. Applies only if you had references to this CRD in manifests or docs; it has no functional impact since it never worked.

  • enhancementStricter validation on --format and VAP controls

    The --format flag now rejects invalid values before a scan starts, and VAP configurable controls now require params. Applies if you script scans with an unchecked --format value or run VAP controls without required params; these calls will now fail fast instead of proceeding silently.

Key changes (8)
  • SSRF-hardened scan-completion webhook callback closes a request-forgery gap in outbound notifications.
  • config.json permissions tightened to owner-only, changing default file access for existing installs.
  • Orphan, uninstallable SecurityException CRD removed along with its test.
  • Validation tightened in two spots: --format now rejects invalid values pre-scan, and VAP configurable controls require params.
  • New `operator remediate` CLI subcommand (annotate and dry-run modes), CEL env builder/evaluator for the VAP engine, and encrypted report decryption with DEK wrapping.
  • New scan coverage score metric penalizing silent failed GVR pulls, plus per-control evaluation timeouts in the OPA processor (timed-out controls score 0 and discard partial results).
  • Several panic fixes (nil ScanData, image names without an organization, scan execution goroutine) plus HTTP timeouts on the scan listener server.
  • Plus roughly ten smaller fixes: resource deduplication, host-sensor infoMap merging, SARIF line resolution, output overwrite prevention, orphaned RoleBinding handling, and a Go 1.26 codebase update.
Source

Karmada

Orchestration & ManagementJun 30, 2026

Karmada v1.18.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Karmada

Orchestration & ManagementJun 30, 2026

Karmada v1.17.4 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Karmada

Orchestration & ManagementJun 30, 2026

Karmada v1.16.7 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

KubeVela

CI/CD & App DeliveryJun 30, 2026

KubeVela v1.10.9 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

KubeVela

CI/CD & App DeliveryJun 30, 2026

KubeVela v1.9.14 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

OpenFGA

SecurityJun 30, 2026

v1.18.1 is a routine patch that fixes CIDR matching behavior and serialization determinism while extending an experimental flag to BatchCheck. No breaking changes or CVEs are reported, though the in_cidr fix does change matching behavior for IPv4-mapped IPv6 addresses.

  • breakingin_cidr now matches IPv4-mapped IPv6 addresses against IPv4 CIDRs

    Applies unconditionally: the in_cidr condition now normalizes IPv4-mapped IPv6 addresses (e.g. ::ffff:192.168.1.1) to their IPv4 form before matching, so they can now match IPv4 CIDRs like 192.168.1.0/24. Review any authorization models relying on in_cidr if you expect these addresses to be excluded from IPv4 ranges.

Key changes (4)
  • in_cidr condition now normalizes IPv4-mapped IPv6 addresses (RFC 4291 §2.5.5.2) to their IPv4 equivalent, so ::ffff:192.168.1.1 matches 192.168.1.0/24
  • Adds diagnostic logging in weighted_graph_check, Expand, and ListUsers to flag models where a future v2 Check resolution might diverge from v1; no operator action required now
  • Experimental weighted_graph_check flag now extends to BatchCheck, evaluating each item with the weighted graph algorithm and falling back per-item to the standard algorithm on non-terminal errors
  • Authorization model serialization to serialized_protobuf now uses deterministic proto marshaling, fixing inconsistent stored bytes for models with map-keyed type definitions
Source

NATS

Networking & MessagingJun 30, 2026

NATS server v2.14.3 is a maintenance release dominated by JetStream, MQTT and clustering bug fixes, with two MQTT fixes closing pre-auth memory exhaustion and panic conditions and one breaking change: JSONP monitoring support has been removed.

  • securityMQTT memory exhaustion and panic fixes

    Applies to servers exposing MQTT. Fixed in v2.14.3: malformed partial CONNECT packets could exhaust pre-auth memory, and a PUBLISH remaining-length underflow could panic the server. Upgrade if you run MQTT, especially with untrusted or public clients.

  • breakingJSONP monitoring support removed

    Applies to deployments relying on JSONP callbacks against monitoring endpoints (e.g. /varz, /connz via callback= param). This is removed in v2.14.3; switch dashboards or scripts to plain JSON polling before upgrading.

  • breakingPermission checks tightened for leaf trace destination and NoAuthUser

    Applies to leaf node setups using Nats-Trace-Dest, and to accounts using NoAuthUser. Fixed in v2.14.3: leaf connections could bypass Nats-Trace-Dest publish permission checks, and NoAuthUser did not enforce connection restrictions. Review permission and NoAuthUser configs after upgrading, since previously permitted traffic may now be denied as intended.

Key changes (7)
  • MQTT fixes for partial CONNECT pre-auth memory exhaustion and a PUBLISH remaining-length underflow panic, both fixed in v2.14.3
  • Permission enforcement tightened: leaf connections no longer bypass Nats-Trace-Dest checks, and NoAuthUser now honors connection restrictions
  • JSONP callback support removed from monitoring endpoints (breaking for any tooling still using it)
  • Large JetStream clustering/Raft reliability batch: meta node data race on shutdown, stream catchup no longer skipped past limits, phantom streams/consumers after meta recovery, Raft membership revert on truncate/snapshot, and related consistency fixes
  • MQTT hardening: rejects subscriptions to internal $MQTT.deliver.pubrel, enforces subscribe deny rules on retained/QoS replay paths, and fixes a WebSocket /mqtt upgrade panic when MQTT is disabled
  • Filestore and memory store corrections: compaction no longer corrupts compressed/encrypted blocks, NumPending overcount fixed for DeliverLastPerSubject, counter stream staging total no longer corrupts
  • Plus roughly two dozen smaller fixes: PROXY/TLS sniffing, gateway CONNECT race, service import tracing across routes, CONNZ/SUBSZ overflow guards, JWT/account claims refresh, and Go updated to 1.26.4
Source

NATS

Networking & MessagingJun 30, 2026

v2.12.12 is a bugfix and hardening release for nats-server, centered on numerous JetStream/Raft data-integrity and panic fixes plus removal of JSONP support from monitoring endpoints. No CVEs are disclosed, but several fixes close memory-exhaustion and panic paths reachable via malformed MQTT input that operators should treat as security-relevant.

  • securityMQTT partial-CONNECT and PUBLISH-underflow crash/DoS fixes

    If you run MQTT, upgrade to fix two memory-exhaustion/panic paths: partial CONNECT packets could exhaust pre-authentication memory, and PUBLISH remaining-length underflow could panic the server. Both are exploitable by unauthenticated clients sending malformed input.

  • securityInteger-overflow panics fixed in monitoring and JetStream usage tracking

    CONNZ/SUBSZ pagination previously could panic on integer overflow, and JetStream remote usage updates could panic on length integer overflow. Operators with large clusters or heavy monitoring polling should upgrade to remove these panic-inducing edge cases.

  • breakingJSONP support removed from monitoring endpoints

    JSONP callback support has been removed from monitoring endpoints in v2.12.12, unconditionally. Any tooling or dashboards that rely on JSONP callbacks against /varz, /connz, or similar endpoints will break and must switch to plain JSON requests.

Key changes (8)
  • JSONP callback support removed from monitoring endpoints (breaking for any tooling still using it)
  • MQTT hardening: partial CONNECT no longer exhausts pre-auth memory, PUBLISH remaining-length underflow no longer panics the server, plus fixes for $MQTT.deliver.pubrel subscription abuse, deny-rule enforcement on retained/QoS replay, and a WebSocket /mqtt upgrade panic when MQTT is disabled
  • Large batch of JetStream/Raft data-integrity fixes: filestore compaction corruption, counter stream staging corruption, meta recovery phantom streams/consumers, raft checkpoint/ApplyCommit correctness, stream catchup desync, and membership revert on truncate/snapshot
  • Panic and integer-overflow fixes in CONNZ/SUBSZ pagination, JetStream remote usage updates, and a nil-pointer panic on startup when the resolver parent directory is missing
  • Multiple panic, fatal-error, and data-race fixes across authentication, routing, monitoring, and clustered request handling
  • Gateway/proxy fixes: race in gateway CONNECT handling, leak in trusted proxy tracking, PROXY protocol detection, TLS sniffing with allow_non_tls, and PROXY v1 address-family parsing
  • Service import replies now deliver across cluster routes, and message tracing works correctly with imports/exports; JWT inherited default permissions and external auth config now refresh correctly on account claim updates
  • Plus routine fixes: quieter per-connection logging, consistent writer options under s2_fast compression, and refactored stream/consumer assignment handling for migrations
Source

Strimzi

Networking & MessagingJun 27, 2026

Strimzi 1.1.0 is a feature release adding Kafka 4.3.0 and 4.2.1 support while dropping Kafka 4.1.x, along with several capability additions. Operators should act on two breaking changes before upgrading: the entity-operator healthcheck port renames and the TLS truststore format switch in KafkaBridge and KafkaMirrorMaker2.

  • breakingEntity-operator healthcheck ports renamed

    The entity-operator healthcheck port `healthcheck` has been renamed to `healthcheck-to` (topic-operator) and `healthcheck-uo` (user-operator). Any custom PodMonitor, ServiceMonitor, NetworkPolicy, or similar resources that reference the old port name must be updated before or immediately after upgrading.

  • breakingKafka 4.1.x support removed

    Kafka 4.1.x is no longer supported in 1.1.0. Clusters running Kafka 4.1.x must be upgraded to 4.2.1 or 4.3.0 before moving to this Strimzi version.

  • breakingTLS truststore format changed to PEM for KafkaBridge and KafkaMirrorMaker2

    KafkaBridge and KafkaMirrorMaker2 now use PEM files instead of P12/JKS for TLS authentication and truststore. Review any tooling or external systems that expect P12/JKS formats from these components.

  • breakingCRD v1 only — older API versions unsupported

    CRD API versions v1beta2, v1beta1, and v1alpha1 are not supported since 1.0.0. If you have not already converted your resources to v1, do so before upgrading to 1.1.0.

Key changes (8)
  • Adds support for Apache Kafka 4.3.0 and 4.2.1; Kafka 4.1.x is removed and no longer supported.
  • Entity-operator healthcheck port names renamed: `healthcheck` is now `healthcheck-to` for the topic-operator and `healthcheck-uo` for the user-operator; update any referencing resources.
  • KafkaBridge and KafkaMirrorMaker2 switch from P12/JKS to PEM for TLS authentication and truststores, with PEM files read directly from secrets via KubernetesSecretConfigProvider.
  • Failed KafkaConnectors can now be stopped; pausing a failed connector is rejected because Kafka Connect does not support that operation.
  • New cluster operator option `STRIMZI_PKCS12_KEYSTORE_GENERATION` disables PKCS12 store generation in CA and KafkaUser Secret resources; mTLS `validityDays` and `renewalDays` are now configurable per KafkaUser.
  • Gateway API `tlsroute` listener type, per-broker listener annotation/label templates, and dependency scope configuration for Maven artifacts in Kafka Connect Build are all now supported.
  • Adds `UseBackgroundPodDeletion` feature gate (alpha, disabled by default) to use background deletion propagation when deleting pods during rolling updates.
  • Strimzi Drain Cleaner updated to 1.6.0 and Strimzi Access Operator updated to 0.3.0, both included in the installation files.
Source

Volcano

Orchestration & ManagementJun 27, 2026

Volcano v1.14.3 is a routine patch release consisting entirely of backported scheduler bug fixes. No new features, deprecations, or security changes are included.

Key changes (7)
  • Network-Topology-Aware scheduling soft mode corrected for jobs and subjobs
  • Scalar in-queue resource accounting now uses milli-units, fixing precision errors in resource calculations
  • HAMi vGPU scheduling failures in medium and large clusters resolved
  • Ascend vNPU health check switched to Allocatable resources instead of the previous method
  • Preemption now reprievess higher-priority pods first, restoring correct ordering
  • job.Status.Conditions unbounded growth prevented, reducing memory and etcd pressure on long-running jobs
  • Several smaller scheduler fixes: device annotation cleanup on pod release, minAvailable fallback to replicas when minPartitions is omitted, ImageStates restored in node snapshots, and maxFloat/maxInt display corrections
Source

Keycloak

SecurityJun 27, 2026

Keycloak 26.6.4 is a security release fixing eight CVEs, including two critical issues (privilege escalation and JWT authentication bypass) and four high-severity authorization bypasses. Operators should upgrade promptly; the release also bumps Quarkus to 3.33.2.1.

  • securityTwo critical vulnerabilities: group-admin escalation and JWT auth bypass

    CVE-2026-9099 lets a group admin escalate to realm-admin, and CVE-2026-11800 allows authentication bypass via JWT algorithm confusion. Both are rated critical. Upgrade to 26.6.4 as soon as possible.

  • securityFour high-severity authorization and access-control bypasses

    CVE-2026-9705 (client takeover via registration access token), CVE-2026-9795 (privilege escalation via scope mapping), CVE-2026-9799 (UMA permission ticket bypass), and CVE-2026-9800 (policy enforcer authorization bypass via incorrect URI comparison) are all rated high. If you use UMA authorization, fine-grained scope mappings, or the Policy Enforcer, prioritize this upgrade.

  • securityTwo medium-severity issues: info disclosure and XSS

    CVE-2026-9083 (filesystem path probing) and CVE-2026-9086 (XSS via case-insensitive URI validation bypass) are rated medium and round out the fix set.

Key changes (5)
  • Eight CVEs fixed in this release, two rated critical: CVE-2026-9099 (group-admin to realm-admin escalation) and CVE-2026-11800 (JWT algorithm confusion auth bypass)
  • Four high-severity fixes: client takeover via registration access token (CVE-2026-9705), scope-mapping privilege escalation (CVE-2026-9795), UMA permission ticket bypass (CVE-2026-9799), and Policy Enforcer authorization bypass via URI comparison (CVE-2026-9800)
  • Two medium-severity fixes: filesystem path probing information disclosure (CVE-2026-9083) and URI validation bypass XSS (CVE-2026-9086)
  • Quarkus dependency bumped to 3.33.2.1
  • Minor build and packaging fixes: Infinispan protoschema build on the 26.2 branch, CI fixes for JS and Admin Client test suites, keycloak-api-docs-dist packaging, plus a migration guide reference correction
Source

Operator Framework

Orchestration & ManagementJun 27, 2026

Operator Framework v1.42.3 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Backstage

CI/CD & App DeliveryJun 27, 2026

Backstage v1.52.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

metal3-io

Provisioning & RuntimeJun 26, 2026

metal3-io v0.13.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Open Policy Agent (OPA)

SecurityJun 26, 2026

v1.18.0 is a bugfix rollup with one operator-facing behavior change: the outbound User-Agent header is now hyphenated to conform to RFC 9110. The remaining changes are runtime improvements, formatter and coverage tool fixes, and a Go toolchain bump.

  • breakingUser-Agent header format changed (RFC 9110 conformance)

    The outbound User-Agent header OPA sends on HTTP requests changed from 'Open Policy Agent/<version> (<os>, <arch>)' to 'Open-Policy-Agent/<version> (<os>, <arch>)' (hyphen added between 'Open' and 'Policy'). Any server-side log filters, WAF rules, or access policies that exact-match the old string must be updated after upgrading to v1.18.0.

Key changes (7)
  • User-Agent header now uses 'Open-Policy-Agent' (hyphenated) instead of 'Open Policy Agent'; exact-match log filters or WAF rules targeting the old string will break
  • Container-aware resource limits restored and extended: automatic GOMAXPROCS support is back, and automatic GOMEMLIMIT is newly supported
  • Multiple opa fmt correctness fixes: multiline single-entry iterables are preserved, and with-clauses dropped after comments are restored
  • opa test --coverage improvements: ranges now included in the report, inline rule head tracking, and conjunction expression coverage added
  • Fixed partial evaluation regression for future.keywords.not negation inside every blocks, and fixed variable namespacing in comprehensions nested inside every
  • Performance: reduced allocations in object.get, removed a shortcut in topdown dst.Compare(src), and skipped strconv.ParseInt in the format_int base-10 fast path
  • Go bumped from 1.26.3 to 1.26.4; various website and node dependencies also updated
Source

OpenCost

ObservabilityJun 26, 2026

This is a routine patch release for OpenCost, dominated by bug fixes for GPU pricing, data races, and Azure Windows pricing, plus a new STACKIT provider integration. There are no breaking changes, deprecations, or CVE fixes in this release.

Key changes (7)
  • Several data-race and stability fixes: cloudcost Status coverage read is now guarded and the ClusterMap ticker is stopped to prevent leaks, customcost Status() copies its coverage map, and GPUAllocation.Equal now compares pointer field values correctly
  • On-demand pricing is now OS-aware for Azure Windows nodes, correcting pricing calculations that previously used the wrong base rate
  • Custom provider GPU default pricing is fixed, and a nil filter guard was added to prevent a crash
  • Cloud pricing HTTP clients now have timeouts to prevent hangs
  • STACKIT added as a supported cloud provider
  • New queryProjectID field on BigQueryConfiguration, plus GKE Workload Identity Federation support for accessing Provider Pricing Data
  • Smaller items: step parameter exposed in the get_efficiency tool, Bingen 0.1.1 streaming writer support, UI build tooling switched from parcel to react-router/vite, Dockerfile.debug restored for Tilt, and reduced log verbosity for spot price auth failures
Source

cert-manager

SecurityJun 26, 2026

v1.19.6 is a security patch fixing a HIGH severity RBAC privilege escalation in the cert-manager-edit ClusterRole that let users create ACME Challenge and Order resources directly, plus a Go toolchain update closing three CVEs. The RBAC fix includes a documented breaking permission change.

  • securityRBAC privilege escalation via ACME Challenge/Order creation

    Applies to v1.19.6: the default cert-manager-edit aggregate ClusterRole previously let namespace users create ACME Challenge and Order resources directly, bypassing Issuer solver selectors. This is fixed by removing create for challenges.acme.cert-manager.io and create/patch/update for orders.acme.cert-manager.io from that role. Upgrade to v1.19.6 to close this HIGH severity RBAC gap (GHSA-8rvj-mm4h-c258).

  • securityGo toolchain updated to 1.25.11 for three CVEs

    Applies unconditionally in v1.19.6: Go is updated to 1.25.11, fixing CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507. No action needed beyond upgrading.

  • breakingcert-manager-edit ClusterRole loses Challenge/Order create permissions

    If any tooling or workflow creates Challenge or Order resources directly, outside the normal Certificate to CertificateRequest to Order to Challenge flow, it will lose that access after upgrading and needs those permissions granted explicitly.

Key changes (4)
  • HIGH severity RBAC fix (GHSA-8rvj-mm4h-c258): cert-manager-edit ClusterRole allowed users to create ACME Challenge/Order resources directly, bypassing Issuer solver selectors
  • Breaking: cert-manager-edit no longer grants create on challenges.acme.cert-manager.io or create/patch/update on orders.acme.cert-manager.io; direct Challenge/Order tooling needs explicit permissions now
  • Go updated to 1.25.11, fixing CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507
  • Earlier Go bump to 1.25.10 plus other unspecified dependency updates
Source

cert-manager

SecurityJun 26, 2026

v1.20.3 is a security release primarily addressing a HIGH-severity RBAC over-permission (GHSA-8rvj-mm4h-c258) in the cert-manager-edit ClusterRole, and updating Go to v1.26.4 for three CVEs. Operators should audit any workflows that create Challenge or Order resources directly before upgrading, as those permissions are now removed.

  • securityRBAC over-permission in cert-manager-edit ClusterRole (GHSA-8rvj-mm4h-c258)

    GHSA-8rvj-mm4h-c258 (HIGH): the cert-manager-edit aggregate ClusterRole previously allowed namespace users to create Challenge and Order resources directly, bypassing Issuer solver selectors. Fixed in v1.20.3. Upgrade immediately if untrusted namespace users exist in your cluster.

  • securityGo runtime updated to v1.26.4 (3 CVEs)

    Go updated to v1.26.4, patching CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507. No additional configuration is required; upgrading cert-manager picks up the fix.

  • breakingBreaking RBAC change: direct Challenge and Order creation removed from cert-manager-edit

    cert-manager-edit no longer grants create on challenges.acme.cert-manager.io, or create/patch/update on orders.acme.cert-manager.io. If any tooling or CI workflow creates Challenge or Order objects directly (outside the normal Certificate → CertificateRequest → Order → Challenge flow), those calls will fail after upgrading. Review and update any such automation before rolling out v1.20.3.

Key changes (4)
  • HIGH-severity RBAC fix (GHSA-8rvj-mm4h-c258): cert-manager-edit ClusterRole no longer allows direct creation of Challenge or Order resources, closing a path that let namespace users bypass Issuer solver selectors.
  • Breaking RBAC change: create removed for challenges.acme.cert-manager.io; create, patch, and update removed for orders.acme.cert-manager.io from the cert-manager-edit aggregate ClusterRole.
  • Go updated to v1.26.4, fixing three CVEs (CVE-2026-27145, CVE-2026-42504, CVE-2026-42507).
  • Bugfix: the issuer owner reference has been removed from Challenge resources, which was preventing Challenge garbage collection.
Source
Older →