RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Apr 2026Clear ×

Karmada

Orchestration & ManagementApr 30, 2026

Karmada v1.17.2 is a patch release fixing scheduler misrouting bugs, operator reconciliation failures, and a Job replica assignment error — plus an Alpine base image bump for security.

  • securityRebuild or pull updated images to get the Alpine 3.23.4 base

    The base image was bumped from Alpine 3.23.3 to 3.23.4. If you're running air-gapped or mirrored image setups, make sure to pull and mirror the new v1.17.2 images. Check Alpine's changelog for the specific CVEs addressed if your compliance process requires it.

  • breakingScheduler backoffQ misrouting may have masked real scheduling failures

    Bindings with insufficient cluster replicas were incorrectly queued in backoffQ instead of unschedulableBindings. This means your scheduler may have been retrying workloads on an exponential backoff schedule rather than surfacing them as unschedulable. After upgrading, expect some previously silent failures to become visible in unschedulableBindings — review any workloads that seemed stuck or slow to schedule.

  • enhancementUpgrade if you use karmada-operator with custom tolerations/affinity or multi-cluster Jobs

    Two high-impact fixes landed here: operator-managed deployments were silently ignoring tolerations and affinity configs, which could cause pods to land on unintended nodes. And Job completion counts were being assigned incorrectly across clusters, which could corrupt Job semantics in distributed workloads. Both are straightforward regressions worth patching immediately if either feature is in use.

Key changes (6)
  • karmada-operator now correctly applies tolerations and affinity settings to karmada-aggregated-apiserver and karmada-search deployments
  • Fixed non-idempotent secret creation that caused operator init reconciliation failures on repeated runs
  • Scheduler no longer misroutes bindings with insufficient replicas to backoffQ — they now correctly land in unschedulableBindings
  • Schedule success events with ClusterAffinities now include proper cluster information
  • Job completions are now distributed correctly across clusters instead of being assigned to wrong replicas
  • Base Alpine image bumped from 3.23.3 to 3.23.4 to address security concerns
Source

Karmada

Orchestration & ManagementApr 30, 2026

Karmada v1.16.5 is a focused patch release fixing scheduler queue misrouting, Job replica assignment errors, and operator reconciliation failures, plus an Alpine base image bump.

  • securityAlpine 3.23.4 base image — rebuild and redeploy your Karmada components

    The Alpine bump from 3.23.3 to 3.23.4 addresses upstream security concerns. If you're running custom-built Karmada images or have image scanning in your pipeline, update your base images accordingly. The official images in this release already include the updated base.

  • breakingScheduler queue misrouting causes stalled workloads — patch immediately

    The backoffQ vs unschedulableBindings misrouting bug means workloads with insufficient cluster replicas may have been stuck in the wrong queue, causing unexpected scheduling delays or failures. If you've seen bindings that appear perpetually pending despite enough cluster capacity becoming available, this fix directly addresses that. Upgrade to v1.16.5 and check for any bindings that are stuck — they should reschedule automatically after the upgrade.

  • breakingJob completions were assigned to wrong clusters — review existing Job distributions

    The Job completion replica assignment bug could have led to incorrect work distribution across member clusters. Jobs that ran on this version may have had skewed completion counts per cluster. After upgrading, inspect any multi-cluster Jobs that were scheduled on v1.16.4 to verify their completion semantics were not affected in production.

Key changes (5)
  • karmada-operator: Secret creation made idempotent, fixing init reconciliation failures on retry
  • karmada-scheduler: Bindings with insufficient cluster replicas now correctly land in unschedulableBindings queue instead of backoffQ
  • karmada-scheduler: Schedule success events now include cluster info when using ClusterAffinities
  • Job completions now assigned correctly per cluster instead of being misrouted across replicas
  • Base image updated from alpine:3.23.3 to alpine:3.23.4 for security fixes
Source

Karmada

Orchestration & ManagementApr 30, 2026

Karmada v1.15.8 is a targeted bug-fix patch addressing scheduler queue misrouting, missing cluster info in events, and an operator reconciliation failure. Alpine base image bumped for security.

  • securityRebuild and redeploy to pick up alpine:3.23.4 patches

    The alpine base image bump from 3.23.3 to 3.23.4 addresses unspecified security concerns. If you're running custom Karmada images built from the upstream base, rebuild against the new base. If you're using official images, pulling v1.15.8 is sufficient.

  • breakingScheduler queue misrouting can cause workloads to be stuck — patch immediately

    The backoffQ bug is particularly dangerous in production: when a binding hits insufficient replicas, it gets retried with exponential backoff instead of being placed in unschedulableBindings where it belongs. This means your workloads silently wait longer than expected before rescheduling. If you're running ClusterAffinities with replica constraints, upgrade to v1.15.8 — don't wait on this one.

  • enhancementOperator idempotency fix prevents init reconciliation crashes on restarts

    The non-idempotent secret creation in karmada-operator meant that if the operator restarted mid-initialization, reconciliation would fail. This is now fixed with an idempotent approach. If you've been seeing operator init failures after pod restarts or rolling updates, this patch resolves the root cause.

Key changes (4)
  • karmada-operator: Fixed non-idempotent secret creation that caused init reconciliation failures on retry
  • karmada-scheduler: Schedule success events now include cluster information when using ClusterAffinities
  • karmada-scheduler: Bindings with insufficient cluster replicas now correctly land in unschedulableBindings queue instead of backoffQ
  • Base image updated from alpine:3.23.3 to alpine:3.23.4 to address security concerns
Source

Knative

Orchestration & ManagementApr 28, 2026

Knative v1.22.0 completes the EndpointSlices migration, consolidates TLS configuration across all components, and adds new autoscaling observability metrics.

  • enhancementScrape the new queue/active request metrics for autoscaling tuning

    kn.revision.request.queued and kn.revision.request.active are now available from queue-proxy. If you're tuning concurrency targets or debugging cold-start behavior, add these to your Prometheus scrape config and dashboards. They give you direct visibility into the queue depth per revision, which was previously only inferable from aggregate metrics.

  • enhancementVerify RBAC if running with minimal cluster permissions

    The ClusterRole now includes endpointslices/restricted permissions to support the EndpointSlices migration. If your cluster uses OPA, Kyverno, or any policy engine that audits ClusterRole changes, review and approve the updated role during upgrade. Missing this permission would break autoscaler stat forwarding.

  • enhancementGraceful WebSocket shutdown reduces in-flight request drops during scale-down

    The queue-proxy now shuts down WebSocket connections gracefully. If your services handle WebSocket traffic, this directly reduces dropped connections during rolling updates or scale-to-zero events. No configuration change needed — the improvement is automatic on upgrade.

Key changes (5)
  • Autoscaler stat forwarder and e2e tests fully migrated to EndpointSlices — Endpoints API usage continues to shrink
  • TLS configuration unified across reconciler, activator, and queue-proxy using knative.dev/pkg/network/tls
  • Two new metrics added: kn.revision.request.queued and kn.revision.request.active for better autoscaling visibility
  • Autoscaler now uses the /scale subresource for replica count updates instead of patching deployments directly
  • Deployment reconciliation optimized — updates only trigger on actual label, annotation, or spec changes
Source

Dapr

Orchestration & ManagementApr 28, 2026

Single targeted bug fix: messages arriving during graceful shutdown or pub/sub component hot-reload no longer get silently routed to dead-letter queues.

  • breakingAudit your dead-letter queues for silently lost messages

    If you run pub/sub with dead-letter queues configured, messages diverted there during past rolling deployments or restarts were never retried — they just sat in the DLQ. Before upgrading, inspect those queues for messages that should have been processed. After upgrading to 1.17.6, plan to replay or reprocess any legitimate messages found there. Going forward, monitor DLQ depth during deployments as a health signal; a spike should now indicate actual processing failures, not shutdown timing artifacts.

  • enhancementUpgrade if you do rolling deployments or frequent restarts

    Any team doing Kubernetes rolling updates or frequent pod restarts with pub/sub workloads should treat this as a high-priority patch. The previous behavior was silent — no errors surfaced to your app, messages just disappeared into DLQs. The fix is low-risk (a targeted behavior change in the shutdown path), so upgrading from any 1.17.x release is straightforward.

Key changes (4)
  • Messages arriving while a subscription is closing are now held (blocked) instead of immediately NACKed, letting the broker redeliver them to healthy consumers
  • Fix applies to all subscription types: declarative, programmatic (HTTP and gRPC), and streaming
  • Affects any scenario triggering graceful shutdown — rolling deployments, restarts, and pub/sub component hot-reloads
  • In-flight messages already being processed continue to complete normally before the subscription fully closes
Source

wasmCloud

Orchestration & ManagementApr 24, 2026

Patch release upgrading to Wasmtime 44 and fixing a pooling allocator crash, plus new glibc builds for GPU workloads on Linux.

  • securityUpgrade if you hit pooling allocator crashes — the fix prevents silent failures

    The pooling allocator was being enabled without checking whether the host hardware actually supports it, which could cause runtime crashes or unpredictable memory behavior. If you've seen wash-runtime instability on certain host types, this fix directly addresses that. Upgrade and monitor memory allocation behavior post-deploy.

  • breakingTest Wasmtime 44 upgrade in staging before rolling to production

    Wasmtime 44 is a major version bump for the underlying runtime. While wasmCloud wraps it, Wasmtime releases frequently carry behavior changes in memory handling, WASI interfaces, or component model semantics. Validate your component workloads in a non-production environment before upgrading clusters.

  • enhancementGPU workloads on Linux now have proper glibc builds — start testing if relevant

    If you're running or planning wasmCloud workloads that touch GPU features on Linux, the new glibc builds resolve compatibility issues with standard Linux distributions that expect dynamically linked runtimes. Pull the new artifacts and validate against your target GPU host environment.

Key changes (4)
  • Wasmtime runtime upgraded to version 44
  • Pooling allocator is now probed for hardware support before being enabled, preventing crashes on unsupported systems
  • New glibc-linked builds added for Linux systems requiring GPU feature support
  • Minor patch with no API or configuration breaking changes
Source

KubeVirt

Orchestration & ManagementApr 24, 2026

KubeVirt v1.7.3 is a focused patch release fixing 11 bugs across live migration, ARM64/s390x guest support, VMExport, and virt-handler stability.

  • breakingBackend storage volume name has changed — check existing VMs

    VMs using backend storage volumes will now report the volume name as 'persistent-state-for-this-vm' instead of a name derived from the VM name. If you have monitoring, automation, or tooling that references the old volume name pattern, update those references before upgrading. Verify existing VMs with backend storage in your environment to understand impact before rolling out v1.7.3.

  • enhancementUpgrade if you run ARM64 or s390x guests, or use decentralized live migration

    Three targeted fixes land for non-x86 architectures: ARM64 SMBIOS visibility and s390x PCIe controller errors are both resolved. Separately, decentralized live migration now correctly reports success and supports Windows VMs requiring Hyper-V enlightenments. If any of these scenarios apply to your cluster, this patch is worth prioritizing over staying on v1.7.2.

  • enhancementvirt-handler socket recovery is now automatic — no more manual pod restarts

    Two separate fixes address domain-notify server crashes and socket deletion. Previously, a deleted or crashed notify socket would leave virt-handler in a broken state requiring manual intervention. After upgrading, this recovers automatically. If you've been seeing unexplained VM communication failures on nodes, this is likely the culprit.

Key changes (5)
  • virt-handler now detects and auto-restarts the domain-notify server when the socket is deleted or exits unexpectedly — previously this caused silent failures
  • Fixed live migration reporting and enlightenment support after decentralized live migration sequences
  • ARM64 guests can now see SMBIOS system information; s390x VMs no longer fail due to unsupported PCIe root-port controllers introduced in v3 PCI topology
  • Backend storage volume names now use the fixed label 'persistent-state-for-this-vm' instead of embedding the VM name, which was causing truncation issues
  • VMExport failures with long PVC names fixed; memory dump PVCs now labeled correctly to support CDI WebhookPvcRendering
Source

KubeVirt

Orchestration & ManagementApr 24, 2026

KubeVirt v1.6.5 is a patch release with 61 fixes targeting decentralized live migration reliability, virt-handler stability, and monitoring accuracy.

  • breakingBackend storage volume rename may affect existing tooling

    VMs using backend storage volumes will now report the volume name as 'persistent-state-for-this-vm' rather than a name derived from the VM name. If you have scripts, dashboards, or alerts that reference the old volume naming pattern, update them before upgrading. Check if any PVC-based tooling depends on that name convention.

  • enhancementUpgrade if you rely on decentralized live migration

    Three separate bugs in decentralized live migration are fixed here: cross-volumeMode failures, broken migration for enlightened (Hyper-V) VMs, and incorrect 'succeeded' status reporting after compute migration. If your cluster runs Windows VMs or mixes volume modes, this patch directly unblocks those scenarios. Prioritize this upgrade over staying on v1.6.4.

  • enhancementMonitoring alert baselines are now more accurate

    The low-count alert for KubeVirt components now fires based on the configured replica count in the deployment, not a hardcoded value. Non-schedulable nodes are also excluded from kubevirt_allocatable_nodes. Review your existing alert thresholds after upgrading — alerts may behave differently if your environment has non-schedulable nodes or custom replica counts.

Key changes (5)
  • virt-handler now auto-recovers when domain-notify.sock is deleted, preventing silent VM communication failures
  • Decentralized live migration gets multiple fixes: cross-volumeMode migrations complete successfully, enlightened VMs can migrate again, and migration status now correctly reports 'succeeded' after compute migration
  • Backend storage volumes now use a stable name ('persistent-state-for-this-vm') instead of embedding the VM name, which affects volume naming for existing VMs
  • Monitoring improvements: kubevirt_allocatable_nodes excludes non-schedulable nodes, and low-count alerts now use the deployment's configured replica count as baseline
  • Infinite VMI status update loop between virt-controller and virt-handler fixed when primary NIC was listed after secondary NICs in the spec
Source

wasmCloud

Orchestration & ManagementApr 21, 2026

v2.0.4 is a minor maintenance release with TLS improvements for wash dev/host, a Helm chart fix for gateway routing, and governance updates.

  • breakingCheck your Helm chart values if using local gateway routing

    The gateway is now disabled in values.local.yaml, and the hello-world example routes through a Kubernetes Service instead. If you forked or customized local Helm values with gateway-based routing, your setup may stop working after this update. Review your local values files against the updated defaults before upgrading.

  • enhancementEnable TLS on wash dev/host if you're running local or production clusters

    TLS support now works across both wash dev and wash host. If you've been skipping TLS for local dev because it was unsupported, that excuse is gone. Test your TLS config in dev to catch certificate or connection issues before they surface in production.

Key changes (5)
  • TLS support extended to both wash dev and wash host commands
  • Helm chart fix: gateway disabled in values.local.yaml, hello-world now routes via Service instead
  • Governance docs updated for wasmCloud v2, including new wash maintainer (Pavel Agafonov)
  • Shared WIT dependency infrastructure added for testing
  • WASI Preview 2 documentation link corrected
Source

KubeVirt

Orchestration & ManagementApr 20, 2026

KubeVirt v1.8.2 is a patch release with 12 bug fixes covering hotplug volumes, live migration, TLS config, qcow2 disk handling, and multi-arch VM stability.

  • breakingBackend storage volume naming changed — check for impacts

    VMs using backend storage volumes will now report the volume name as 'persistent-state-for-this-vm' instead of a name derived from the VM name. If you have monitoring alerts, scripts, or tooling that match on the old volume name pattern, they will silently break. Audit any automation that references backend storage volume names before upgrading.

  • enhancementUpgrade s390x and ARM64 clusters — arch-specific VM failures resolved

    Two separate fixes land here: ARM64 guests now correctly expose SMBIOS system info, and s390x VMs failing to create due to unsupported PCIe root-port controllers from the v3 PCI topology change are fixed. If you're running multi-arch clusters and held back on v1.8.x due to these issues, v1.8.2 is the version to move to.

  • enhancementTLS config from KubeVirt CR now respected by sync-controller and virt-exportserver

    Previously, the sync-controller healthz server and virt-exportserver ignored the TLSConfiguration set in the KubeVirt CR, potentially using weaker defaults. After upgrading, verify your KubeVirt CR TLS settings are correct — they'll actually take effect now. This matters most for clusters with strict cipher or TLS version requirements.

Key changes (6)
  • virt-handler now auto-restarts the notify server when domain-notify.sock is deleted, preventing silent VM communication failures
  • Hotplug volumes stuck in 'Detaching' phase are now correctly resolved
  • Fixed migration status not reporting 'succeeded' after decentralized live migration with compute migration
  • qcow2 overlay disks now correctly resolve source, preventing wrong disk expansion and incorrect cache/IO mode
  • s390x VM creation failures from unsupported PCIe root-port controllers (introduced in v3 PCI topology) are fixed
  • Backend storage volumes now use a stable name 'persistent-state-for-this-vm' instead of embedding the VM name
Source

Crossplane

Orchestration & ManagementApr 20, 2026

Crossplane v2.2.1 patches two user-reported bugs — ImageConfig prefix rewrite dependency upgrades and ResourceSelector handling — plus a broad sweep of security dependency updates.

  • securityUpgrade to v2.2.1 immediately for dependency security fixes

    This release pulls in security patches for at least 8 upstream libraries including cosign, go-git, go-jose, and cloudflare/circl. These are not cosmetic bumps — go-git had two separate security-tagged updates in this release alone (v5.17.1 and v5.18.0). If you're running v2.2.0, plan the upgrade now. The patch is a drop-in replacement with no breaking changes.

  • breakingVerify your ImageConfig prefix rewrite setups after upgrading

    If you use ImageConfig prefix rewrites to redirect package pulls (e.g., to a private registry mirror), your packages may have been silently stuck on stale dependency versions before this fix. After upgrading to v2.2.1, expect Crossplane to reconcile and potentially upgrade dependent packages that were previously frozen. Review installed package versions post-upgrade to confirm the expected state.

  • enhancementComposition functions can now use broad ResourceSelectors safely

    Composition functions that need to select all existing resources of a given kind no longer need workarounds. A ResourceSelector with only apiVersion and kind set is now valid. If you patched around this limitation with explicit matchLabels or matchName wildcards, you can simplify those selectors in your function logic.

Key changes (5)
  • Fixed: packages installed via ImageConfig prefix rewrites were silently skipping dependency upgrades, leaving stale versions in place
  • Fixed: composition functions returning a ResourceSelector with only apiVersion/kind (no matchName or matchLabels) now correctly selects all resources of that kind instead of being rejected
  • Go runtime bumped to 1.25.9 with security tag
  • Security updates across: cosign, go-git, go-jose, cloudflare/circl, moby/spdystream, sigstore/timestamp-authority, docker/cli, and the OTel OTLP HTTP trace exporter
  • CI workflow hardening: mitigated potential script injection in the promote workflow and added required job-level permissions
Source

Crossplane

Orchestration & ManagementApr 20, 2026

v2.1.5 patches three behavioral bugs (ImageConfig upgrades, ResourceSelector matching, circuit breaker resets) and pulls in a broad sweep of security dependency updates including Go 1.25.9.

  • securityUpgrade to v2.1.5 promptly — this release addresses multiple CVEs in core dependencies

    The dependency list here is long: grpc, go-git (patched twice), go-jose, cloudflare/circl, moby/spdystream, docker/cli, and the OTel OTLP trace exporter all received security updates, plus Go itself was bumped to 1.25.9. Any of these could carry CVEs relevant to your threat model. This isn't a routine chore bump — prioritize this upgrade over staying on v2.1.4.

  • breakingCheck for silently stale packages if you use ImageConfig prefix rewrites

    If your environment uses ImageConfig to rewrite registry prefixes, dependent packages may have been silently pinned at outdated versions since the bug was introduced. After upgrading to v2.1.5, verify that your package dependency graph resolves to the expected versions — stale packages won't auto-upgrade retroactively, so you may need to trigger a reinstall or version bump manually.

  • enhancementResourceSelector 'select all of a kind' unlocks cleaner composition function patterns

    If you've been working around the previous rejection of bare apiVersion/kind selectors — adding dummy matchLabels or splitting logic — you can now clean that up. A selector with no match fields is treated as 'give me all resources of this kind,' which is the intuitive behavior. Review your composition functions for any workarounds and simplify them after upgrading.

Key changes (5)
  • ImageConfig prefix rewrite users were silently stuck on stale dependency versions — now dependency upgrades work correctly through rewrites
  • Composition functions can now use a ResourceSelector with only apiVersion/kind (no matchName or matchLabels) to select all resources of a given kind
  • Circuit breaker state is now cleared on XR deletion, preventing newly recreated XRs from being blocked by leftover breaker state
  • Security dependency bumps across grpc, go-git, go-jose, cloudflare/circl, moby/spdystream, docker/cli, sigstore, and OTel OTLP HTTP exporter
  • Go runtime bumped to 1.25.9 for underlying security fixes
Source

Crossplane

Orchestration & ManagementApr 20, 2026

v2.0.8 fixes two user-reported bugs (ImageConfig prefix rewrite upgrades, ResourceSelector with no match field) and patches multiple security vulnerabilities in upstream dependencies.

  • securityUpgrade to v2.0.8 immediately for dependency security patches

    Multiple upstream dependencies received security-tagged fixes in this release — go-git (two separate bumps to v5.17.1 then v5.18.0), go-jose, cloudflare/circl, and others. These aren't just routine bumps; they carry CVE-related fixes. If you're running any v2.0.x release prior to v2.0.8, upgrade now. There are no API changes, so the upgrade path is straightforward.

  • breakingAudit packages installed via ImageConfig prefix rewrites for stale dependencies

    If your environment uses ImageConfig prefix rewrites to redirect package pulls (e.g., to a private registry), dependent packages may have been silently stuck on outdated versions since you adopted that configuration. After upgrading to v2.0.8, force a reconciliation and verify that all package dependencies are on their expected versions — don't assume the upgrade alone will catch everything already in a stuck state.

  • enhancementUse bare ResourceSelector (apiVersion+kind only) for 'select all' semantics in composition functions

    Previously, omitting matchName and matchLabels from a ResourceSelector caused Crossplane to reject the request outright. That's now fixed — a bare selector correctly means 'all resources of this kind'. If you worked around this limitation by enumerating resources explicitly or adding dummy match conditions, clean up those workarounds after upgrading.

Key changes (5)
  • ImageConfig prefix rewrite: dependency upgrades now propagate correctly — packages were silently stuck on stale versions before this fix
  • ResourceSelector with only apiVersion+kind (no matchName/matchLabels) now correctly selects all resources of that kind instead of being rejected
  • Go runtime bumped to 1.25.9 with security fixes
  • Security patches across go-git, go-jose, cloudflare/circl, moby/spdystream, sigstore/timestamp-authority, docker/cli, and the OTLP HTTP trace exporter
  • CI workflow hardened against potential script injection in the promote pipeline
Source

Crossplane

Orchestration & ManagementApr 20, 2026

v1.20.6 is a security-focused patch release fixing multiple dependency CVEs and hardening CI workflows against script injection attacks.

  • securityUpgrade to v1.20.6 immediately — multiple dependency CVEs patched

    Five separate security dependency updates landed in this release, covering cryptography (circl), git operations (go-git), HTTP/2 streaming (spdystream), and telemetry export (otelhttp). Any Crossplane v1.20.x deployment is exposed until upgraded. This isn't a theoretical risk — go-git had two separate security fixes within this single patch release, which signals active exploitation concern. Run your upgrade now.

  • securityCI/CD supply chain hardening — audit your own pipelines

    The Crossplane team mitigated script injection in their release promotion workflow and tightened GitHub Actions job permissions. If you're running Crossplane forks, mirrors, or custom automation that builds on top of Crossplane's CI patterns, audit your own workflows for similar issues: untrusted input in run steps and overly broad GITHUB_TOKEN permissions are the two patterns to check.

  • enhancementTrivy scanning dropped from CI — don't let it drop from yours

    Crossplane dropped Trivy from their CI pipeline in this release. This is an internal CI decision, but if your team was relying on Crossplane's upstream scan results as a proxy for your own security posture, that signal is now gone. Make sure you have independent vulnerability scanning on your Crossplane images and provider images in your own pipelines.

Key changes (5)
  • go-git/go-git updated twice (v5.17.1 → v5.18.0) to address security vulnerabilities in git operations
  • cloudflare/circl updated to v1.6.3 for cryptographic library security fixes
  • moby/spdystream updated to v0.5.1 to patch a security issue in HTTP/2 stream handling
  • OpenTelemetry OTLP trace exporter updated to v1.43.0 with security fixes
  • CI workflow hardened against script injection and permission escalation vulnerabilities
Source

Dapr

Orchestration & ManagementApr 16, 2026

Critical security patch fixing ACL bypass via path traversal in service invocation — any deployment using access control policies must upgrade immediately.

  • securityUpgrade immediately if you use service invocation ACLs

    This is a real ACL bypass, not a theoretical one. If your Dapr deployment uses access control policies for service invocation and the Dapr API is reachable by untrusted callers — even internal ones — you are vulnerable. The gRPC vector is especially dangerous since it passes method strings raw with no sanitization. Upgrade to v1.15.14 now. There is no workaround short of disabling service invocation or isolating the Dapr API entirely.

  • securityAudit who can reach your Dapr API endpoints

    This vulnerability required API access, so the blast radius depends entirely on your network posture. After upgrading, take the opportunity to review which workloads and network paths can reach the Dapr HTTP and gRPC APIs. Sidecar-only access (localhost) is the safest posture — if you're exposing Dapr APIs more broadly, tighten that regardless of this fix.

  • breakingVerify your service invocation method paths still route correctly after normalization

    The fix applies path.Clean normalization to all method paths and rejects any containing #, ?, null bytes, or control characters. If any of your services legitimately use encoded slashes (%2F) as path separators in method names — particularly over gRPC where these were previously passed through raw — those calls will now behave differently. Test your service-to-service invocation patterns before rolling this to production.

Key changes (5)
  • Path traversal sequences (e.g., admin%2F..%2Fpublic) could bypass service invocation ACL policies entirely
  • Encoded fragment (%23) and query (%3F) characters caused ACL to evaluate a different path than what reached the target app
  • A bare % character could crash ACL normalization, potentially bypassing the policy altogether
  • Fix normalizes method paths at the invocation edge using path.Clean, with rejection of #, ?, null bytes, and control characters
  • Go updated to v1.25.9 to cover CVEs in the 1.24 line; purell dependency removed from ACL path
Source

Dapr

Orchestration & ManagementApr 16, 2026

v1.17.5 is a security-only patch fixing a path traversal vulnerability that allowed attackers to bypass service invocation ACL policies via encoded URL characters.

  • securityUpgrade immediately if you use service invocation ACLs

    Any deployment with access control policies for service invocation is vulnerable. An attacker with Dapr API access (HTTP or gRPC) could reach denied endpoints by encoding the path. gRPC is especially risky since method strings were passed raw. Upgrade to v1.17.5 now — there is no workaround short of removing Dapr API exposure entirely. After upgrading, audit your ACL policies to confirm expected paths are actually being enforced.

  • breakingMethod paths with #, ?, null bytes, or control characters are now rejected

    The fix adds strict validation: method paths containing #, ?, null bytes, or control characters are now rejected at the invocation edge. If any of your services use these characters in method paths (uncommon but possible with gRPC), those calls will fail after upgrade. Test your service invocation paths in a staging environment before rolling this to production.

Key changes (5)
  • Path traversal sequences (e.g., %2F, ../) in service invocation method paths could bypass ACL checks — now fixed
  • Encoded fragment (%23) and query (%3F) characters caused ACL to evaluate a different path than what the target app received
  • A bare % character could crash ACL normalization, potentially disabling the policy entirely
  • gRPC was the more dangerous vector since it passes method strings raw with no client-side sanitization
  • Fix: normalization now happens at the invocation edge using path.Clean; purell dependency removed from ACL path
Source

Dapr

Orchestration & ManagementApr 16, 2026

Critical security fix: path traversal and encoded characters in service invocation method paths could bypass ACL policies entirely. Upgrade immediately if you use access control policies.

  • securityUpgrade immediately if you use Dapr ACL policies

    Any deployment with service invocation access control policies is vulnerable. An attacker with access to the Dapr HTTP or gRPC API can craft method paths that the ACL permits but route to denied endpoints. The gRPC vector is especially dangerous since no client-side sanitization occurs. Upgrade to v1.16.14 now — there is no viable workaround short of removing Dapr API access entirely. After upgrading, audit your ACL policy rules to confirm they match the normalized path forms (resolved ../ and no encoded separators).

  • breakingMethod paths with #, ?, null bytes, or control characters are now rejected

    The fix actively rejects method paths containing fragment (#), query (?), null bytes, or control characters rather than silently normalizing them. If any of your services invoke methods with these characters (unlikely but possible via programmatic gRPC calls), those calls will fail after upgrading. Review your service invocation call sites — especially any that construct method paths dynamically — before rolling this out to production.

Key changes (5)
  • Path traversal sequences (../), encoded slashes (%2F), fragment (%23), query (%3F), and bare % in method paths could all bypass ACL policy checks
  • gRPC was the higher-risk vector — method strings are passed raw with no client-side sanitization, making all special characters exploitable
  • Root cause was a normalization mismatch: ACL evaluated a decoded/cleaned path while the target app received the raw original string
  • Fix applies path.Clean normalization at the invocation edge (before both ACL check and dispatch), and now rejects methods containing #, ?, null bytes, or control characters
  • The purell library has been removed from the ACL path; gRPC treats percent-encoded sequences as opaque literal characters, not path separators
Source

Dapr

Orchestration & ManagementApr 15, 2026

Dapr v1.16.13 fixes a critical scheduler reliability bug affecting multi-replica deployments, patches a silent Pulsar misconfiguration that could cause OOM crashes, and rebuilds with Go 1.25.9 for security fixes.

  • securityUpgrade immediately for Go 1.25.9 security patches

    This build patches vulnerabilities in Go's crypto/x509, crypto/tls, archive/tar, and html/template packages. Any Dapr deployment still on 1.16.12 or earlier is exposed. Upgrade to 1.16.13 now — there's no workaround short of rebuilding from source with Go 1.25.9 yourself.

  • breakingPulsar users: processMode will now actually take effect — verify your config

    If you have processMode set in your Pulsar component YAML, it was silently ignored before this release. After upgrading, that config will be enforced. If you set processMode: sync expecting ordered processing but were actually running async, behavior changes on upgrade. Review your Pulsar component metadata and subscription behavior before rolling this out to production. Also check maxConcurrentHandlers: if it was set to 0, it previously caused a deadlock; now it falls back to 100.

  • breakingMulti-replica scheduler deployments: patch this immediately

    The scheduler bug is severe in practice. A routine pod restart — due to a rolling update, OOM kill, or node eviction — would silently stop all job triggers across your deployment until some unrelated cluster event re-established connections. There's no alerting or visible failure; jobs just stop firing. If you run multiple scheduler replicas (standard HA setup), this fix is critical. Upgrade and verify your scheduled jobs are firing after any scheduler pod restart.

Key changes (5)
  • Go 1.25.9 rebuild: patches security vulnerabilities in crypto/x509, crypto/tls, archive/tar, and html/template
  • Scheduler bug fix: a single pod restart no longer silently kills job triggers across all scheduler connections in multi-node clusters
  • Each scheduler streaming connector now retries independently with 500ms backoff instead of cancelling all connections on any single failure
  • Pulsar processMode now correctly reads from component YAML metadata — previously silently ignored, forcing async mode regardless of config
  • Pulsar async mode now enforces a concurrency limit (default 100); maxConcurrentHandlers=0 no longer deadlocks, and a goroutine data race is fixed
Source

wasmCloud

Orchestration & ManagementApr 14, 2026

v2.0.3 patches a NATS race condition, adds Kubernetes EndpointSlice support, hardens container security with non-root ownership, and expands Helm chart configurability.

  • securityUpgrade now: containers finally run as non-root by default

    Previous releases ran with root ownership, which is a container security red flag. This release sets non-root ownership by default. If you have volume mounts or init containers with root-dependent file permissions, test before rolling to production — you may need to adjust fsGroup or runAsUser settings in your pod specs.

  • breakingHelm chart image tag behavior changed — audit your values files

    The default image tag no longer falls back to a hardcoded value; it now uses the chart's appVersion. If you rely on overriding the tag in your values files, this likely works as-is. But if you were depending on the old default tag behavior for pinning, verify your deployed image versions after upgrading the chart.

  • enhancementEnable EndpointSlice support if running Kubernetes 1.21+

    EndpointSlice is the modern replacement for Endpoints and scales better with large service backends. If your cluster runs Kubernetes 1.21 or later, enable this feature — it reduces load on kube-apiserver and avoids the scaling limits of the classic Endpoints API. Check your Helm values for the new endpointslice configuration option.

Key changes (6)
  • Fixed a race condition in NATS subscriber initialization that could cause intermittent connection failures
  • Added Kubernetes EndpointSlice support for services — required for clusters with large service backends
  • Container ownership set to non-root, improving security posture out of the box
  • Helm chart now supports TLS configuration, custom annotations, and labels
  • Helm chart default image tag now derives from chart.yaml appVersion instead of a hardcoded value
  • WASIp3 support added behind a feature flag — experimental, not for production use yet
Source

Dapr

Orchestration & ManagementApr 10, 2026

Dapr 1.17.4 patches seven bugs spanning workflow correctness, Pulsar OOM risk, actor freeze under placement pressure, and a Go stdlib security update. Deploy promptly if you use any of these features.

  • securityUpgrade immediately for Go stdlib CVE fixes

    Go 1.25.9 patches vulnerabilities in archive/tar, crypto/tls, crypto/x509, html/template, and the compiler. All Dapr binaries and Docker images are rebuilt with the patched toolchain. Update your Dapr runtime to 1.17.4 now — no config changes needed, just the version bump.

  • breakingPulsar processMode behavior has changed — validate your component config

    If you set processMode in Pulsar component YAML before this fix, it was silently ignored and you were running in default mode. After upgrading, the setting takes effect. If you had processMode: sync expecting ordered processing but were unknowingly running async, behavior will change. Also, async mode now caps concurrency at maxConcurrentHandlers (default 100). Review your Pulsar component metadata and test throughput behavior before rolling to production.

  • enhancementEliminate actor/workflow freeze risk from placement slowness

    The placement dissemination freeze bug could cause cascading health check failures during rolling updates — Kubernetes would declare pods unhealthy and restart them, worsening the cycle. With 1.17.4, a slow peer triggers reconnect rather than a fatal teardown. If you've seen unexplained actor hangs or zombie daprd processes during rollouts, this is likely the cause. No configuration change needed; upgrading is sufficient.

Key changes (5)
  • Pulsar pub/sub now correctly reads processMode from component YAML and enforces concurrency limits in async mode — previously this could OOM a pod under high message rates
  • Cross-app workflows no longer hang in PENDING when the target app is offline at startup; per-dispatch timeouts (2s) and pre-save logic prevent indefinite blocking
  • Workflow events are no longer silently lost or duplicated during ContinueAsNew under high event volume — state snapshot/restore and inbox replacement fix two root causes
  • A single slow sidecar can no longer freeze all actor and workflow operations cluster-wide; placement dissemination timeout now triggers reconnect instead of killing the placement subsystem
  • Scheduler pod restarts in multi-node clusters no longer stall all job triggers until an unrelated cluster event; each connector now retries independently
Source

wasmCloud

Orchestration & ManagementApr 2, 2026

v2.0.2 is a focused patch: wasmtime runtime bumped to v43, a new Kubernetes Host pod reconciler added, and install scripts smoothed out.

  • enhancementUpdate to pick up wasmtime 43 runtime improvements

    Wasmtime 43 includes upstream bug fixes and performance work. If you're running v2.0.1 in production, this is a low-risk upgrade worth taking. No API changes expected on the wasmCloud side — just redeploy your hosts.

  • enhancementKubernetes operators: test the new Host pod reconciler

    The Host pod reconciler adds smarter lifecycle handling for wasmCloud hosts running as Kubernetes pods. If you're using the wasmCloud operator, deploy this in a staging cluster first and validate that host pod restarts and scheduling behave as expected before rolling to production.

  • enhancementWindows users can now install wash via winget

    wash is now in the winget package registry. Windows-based teams can standardize installs with 'winget install wash' instead of manual binary downloads — useful for onboarding and CI pipelines on Windows runners.

Key changes (5)
  • Wasmtime upgraded to v43, pulling in the latest runtime performance and correctness fixes
  • New Host pod reconciler for Kubernetes improves lifecycle management of wasmCloud host pods
  • One-step installation scripts fixed for a smoother out-of-the-box experience
  • wash CLI now available via winget on Windows
  • Helm values.local.yaml updated to reflect current defaults
Source
Browse by month