RATATOSKRATATOSK
Sign in

SPIRE

v1.15.2Security
Jul 9, 2026

SPIRE v1.15.2 is a mixed release addressing security concerns through docker/docker to moby/moby migration (resolving CVEs) and a HIGH-severity delegated identity API restriction preventing JWT-SVID exposure for admin or downstream entries. The release also introduces the SPIFFE Broker, per-caller rate limiting, TLS metrics endpoint support, and numerous performance and compatibility improvements across multiple attestors and plugins.

  • securityResolve docker/docker CVEs via moby/moby migration

    docker/docker dependencies have been migrated to moby/moby equivalents to resolve Docker/Moby CVEs. Upgrade to v1.15.2.

  • breakingDelegated API no longer serves JWT-SVIDs for admin/downstream entries

    The delegated identity API no longer serves JWT-SVIDs for admin or downstream entries. If you use the delegated identity API with admin or downstream entries, verify that clients no longer depend on JWT-SVID tokens from those entry types.

Key changes (7)

  • Security: docker/docker migrated to moby/moby to resolve CVEs
  • Security: Delegated identity API restricted—no longer serves JWT-SVIDs for admin or downstream entries
  • Enhancement: Per-caller rate limiting for agent Workload API and Envoy SDS
  • Enhancement: TLS support for Prometheus metrics endpoint with optional SPIFFE ID allowlist
  • Enhancement: SPIFFE Broker endpoint and API introduced
  • Performance: Attested nodes now fetched in bulk; optimized MySQL list entries query for reduced database load
  • Plus 16 additional features, fixes, and improvements: post-quantum cryptography curves, aws_kms tag-based discovery, azure_imds fixes, CA journal durability, structured logging, Windows SE_DEBUG_PRIVILEGE support, and more