RATATOSKRATATOSK
Sign in

SPIRE

v1.14.7Security
May 29, 2026

v1.14.7 patches a critical azure_imds node attestor vulnerability that allowed forged VM identity during node attestation. Mandatory upgrade for any Azure IMDS users.

  • securityUpgrade immediately if using azure_imds node attestor

    The azure_imds node attestor had a certificate validation bug: it anchored the PKCS7 certificate bag's first cert to Azure roots, but verified the signature against a separate signer cert from SignerInfo. An attacker could slip a real Azure cert into the bag alongside content signed by an unrelated cert, getting a forged node attestation accepted. If you use Azure IMDS node attestation, treat this as a mandatory upgrade — an attacker with network access could impersonate arbitrary Azure VMs during node attestation.

  • enhancementDependency updates bundled in this release

    golang.org/x/net, golang.org/x/crypto, and go-jose/v4 are all updated alongside Go 1.26.3 toolchain. These dependency updates are routine but include security fixes in the upstream packages. No action needed beyond upgrading SPIRE.

Key changes (4)

  • Critical fix in azure_imds server node attestor: PKCS7 certificate chain validation was decoupled from signature verification, enabling forged node attestation
  • Go toolchain updated to 1.26.3
  • golang.org/x/net bumped to v0.55.0, golang.org/x/crypto to v0.52.0
  • go-jose/v4 updated to v4.1.4