RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Apr 2026Clear ×

Open Policy Agent (OPA)

SecurityApr 30, 2026

v1.16.0 brings new URI builtins, Data API metadata support, OTLP metrics export, and critical fixes for log dropping and log buffer eviction bugs introduced in v1.15.x.

  • securityunits.parse_bytes exponent cap prevents timeout bypass

    Extremely large exponent values in units.parse_bytes could be used to cause evaluation timeouts, potentially bypassing policy enforcement. This is fixed in v1.16.0 by capping the exponent size. If your policies accept user-controlled input that gets passed to units.parse_bytes, this fix is directly relevant — upgrade and review any policies that parse byte strings from untrusted sources.

  • breakingUpgrade from v1.15.x immediately — logs are silently dropped

    A BufferedLogger bug in v1.15.x caused bundle download logs, print() debug output, and plugin logs to be dropped after the first flush. This is silent data loss in your observability stack. If you're running v1.15.x in any environment where decision logs or debug output matter, upgrade to v1.16.0 now. Check your log pipeline for gaps if you've been running v1.15.x in production.

  • enhancementUse new uri.parse / uri.is_valid builtins to replace fragile regex-based URL validation

    Many OPA policies today use regex or string manipulation to validate or decompose URLs — a brittle approach. The new uri.parse builtin returns structured RFC 3986 components (scheme, host, path, query, etc.), and uri.is_valid does a clean true/false structural check. If you have policies handling redirect URIs, webhook URLs, or any URL-bearing input, replace your custom parsing logic with these builtins. The structured output makes it easier to write precise, readable rules.

Key changes (5)
  • New uri.parse and uri.is_valid builtins for RFC 3986-compliant URI handling in policy
  • Data API now supports request/response metadata for wrapping projects — custom fields logged under decision log Custom['request_metadata']
  • Prometheus metrics can now be exported via OTLP, unifying observability pipelines
  • Critical fix: v1.15.x dropped logs for bundle downloads, print() calls, and plugin-originated logs — upgrade immediately if on v1.15.x
  • units.parse_bytes exponent size now capped to prevent potential timeout bypass (security hardening)
Source

Kyverno

SecurityApr 29, 2026

Kyverno 1.18 hardens HTTP context security with blocklist enforcement and scoped tokens, fixes multiple image verification bugs including a silent bypass, and expands CLI policy testing coverage.

  • securityAudit HTTP context policies before upgrading — blocklist is now enforced

    Any policy using HTTP context loading will now be subject to a configurable blocklist. Calls that previously succeeded might be blocked after upgrade. Before rolling out 1.18, inventory all policies with HTTP context entries, verify their target URLs are not on the default blocklist, and configure FLAG_HTTP_BLOCKLIST overrides where needed. Also check that scoped token authorization doesn't break policies relying on broader token access. Test in a non-production cluster first.

  • securityImage verification silent bypass is patched — verify your policies are actually enforcing

    A bug in processResourceWithPatches caused it to return nil on patch failure, which silently skipped image verification. If you've been running image verification policies and assumed they were enforcing, run a retroactive compliance scan after upgrading to confirm enforcement was working as expected. Also check the CVE fixes: CVE-2026-32280 (intermediate cert limiting) and CVE-2026-32283 (Go toolchain upgrade) are included in this release and warrant upgrading promptly.

  • enhancementUse successEventActions to reduce event spam in large clusters

    High-traffic clusters with broad Kyverno policies generate enormous volumes of success events, which can overwhelm etcd and make event streams useless. The new successEventActions ConfigMap parameter lets you filter exactly which success events get emitted. Add this to your Kyverno ConfigMap after upgrading and tune it based on which policy actions actually need visibility. Pairs well with the existing omitEvents setting — watch out for the new warning if you configure conflicting values.

Key changes (5)
  • HTTP context calls now enforce a configurable blocklist and use scoped tokens — policies making external HTTP calls need review against new security constraints
  • imageRegistryCredentials can now reference namespaced secrets and pod-level imagePullSecrets, removing a long-standing limitation for multi-tenant image verification setups
  • Silent image verification bypass fixed: processResourceWithPatches was returning nil on patch failure, allowing images to slip through unverified
  • successEventActions ConfigMap parameter lets you filter which success events Kyverno emits, useful for high-volume clusters drowning in event noise
  • CLI now supports cleanup policies, HTTP/Envoy authz policies, and mutateExisting in kyverno apply and kyverno test — CI pipelines can finally test these policy types offline
Source

SPIRE

SecurityApr 27, 2026

SPIRE v1.14.6 patches two critical security vulnerabilities in node attestation: an EC2 instance impersonation flaw and a race condition in join token validation.

  • securityUpgrade immediately if using aws_iid node attestation

    The aws_iid bug is severe: any EC2 instance under attacker control could forge the identity of any other EC2 instance during attestation, bypassing all downstream SPIFFE ID assignment and workload authorization. If you use aws_iid attestation in any environment, treat this as a critical breach risk and upgrade to v1.14.6 now. After upgrading, audit your node attestation logs for anomalous registrations — specifically instances claiming identities inconsistent with their actual AWS metadata.

  • securityJoin token race condition allows double-registration — patch now

    The TOCTOU flaw means two concurrent requests with the same join token could both complete attestation successfully, resulting in two agents registered under one token. If join tokens are distributed in automated pipelines or ephemeral environments, an attacker who intercepts a token could race a legitimate agent to claim it. Upgrade to v1.14.6, then review your join token issuance and revocation policies. Consider switching to shorter-lived tokens or alternative attestation methods like x509pop for sensitive workloads.

Key changes (3)
  • Fixed aws_iid attestor: PKCS7 signature was verified against embedded content, but identity was parsed from an attacker-controlled field — allowing any EC2 instance to impersonate any other.
  • Fixed join token TOCTOU race: concurrent attestations with the same token could both succeed due to silent no-op deletes. Now uses row-locked read-modify-write transactions.
  • Both vulnerabilities reported by Tianshuo Han.
Source

SPIRE

SecurityApr 27, 2026

v1.13.6 patches two serious security vulnerabilities in SPIRE: an EC2 instance impersonation flaw in the AWS IID attestor and a race condition in join token handling. Upgrade immediately.

  • securityUpgrade now if you use AWS IID node attestation

    The AWS IID attestor vulnerability is severe: any attacker controlling an EC2 instance could forge the identity of any other EC2 instance in your environment during node attestation. All downstream RBAC, SVID issuance, and workload identity decisions would operate on the forged identity. If you run SPIRE with the aws_iid server plugin, treat this as a critical incident — patch to v1.13.6 before doing anything else. Review your SPIRE server logs for unexpected node attestation events from EC2 instances, especially cross-account or cross-region patterns.

  • securityAudit join token usage if you allow concurrent agent bootstrapping

    The TOCTOU bug in join token handling means two agents racing to attest with the same token could both succeed — violating the one-time-use guarantee. In practice this could allow unauthorized agents to join your trust domain. After upgrading, rotate any join tokens that may have been used during periods of concurrent agent bootstrapping. If you use join tokens in automation (e.g., init containers, CI pipelines), review whether parallel execution could have triggered this race.

Key changes (3)
  • Fixed AWS IID attestor bug where PKCS7 signature was verified against embedded content but identity was parsed from an attacker-controlled field — enabling full EC2 impersonation during node attestation
  • Fixed TOCTOU race in join token attestation: concurrent requests with the same token could both succeed; now enforced via read-modify-write transaction with row locking
  • Both vulnerabilities reported by Tianshuo Han; no new features or other changes in this release
Source

OpenFGA

SecurityApr 27, 2026

v1.15.0 brings latency improvements for complex authorization models via edge pruning, fixes a cache bug in the experimental weighted graph checker, and patches Go stdlib CVEs by upgrading to Go 1.26.2.

  • securityUpdate immediately to patch Go stdlib vulnerabilities

    This release ships Go 1.26.2, which addresses vulnerabilities in the Go standard library. If you run OpenFGA as a managed binary or container, pull the new image now. If you build from source, ensure your toolchain matches. Don't wait on this — stdlib vulns can affect TLS, HTTP parsing, and crypto paths that OpenFGA relies on.

  • enhancementRe-benchmark list objects performance on complex models

    Edge pruning in the list objects pipeline cuts unnecessary graph traversal. If your authorization model has deep or wide relationship graphs, you should see reduced p99 latency on ListObjects calls. Run your existing load tests against v1.15.0 and compare — this is a free win that requires no config changes.

  • enhancementRe-evaluate weighted_graph_check cache behavior if you hit cold-start issues

    The experimental weighted_graph_check feature was silently skipping its cache on cold start or when the cache controller was disabled, which could explain unexpected latency spikes early in pod lifecycle. The fix aligns behavior with the documented contract: zero invalidation time means use the cache. If you're using this experimental feature, test it again — behavior will differ from what you may have measured before.

Key changes (3)
  • Edge pruning added to list objects pipeline — measurable latency reduction for large, complex authorization models
  • Fixed weighted_graph_check cache being incorrectly bypassed when cache controller returns zero invalidation time (cold start or disabled state)
  • Go toolchain bumped to 1.26.2 to address Go standard library security vulnerabilities
Source

Kyverno

SecurityApr 23, 2026

v1.16.4 is a security-focused patch release addressing 15+ CVEs across Kyverno's dependency chain, plus a critical behavioral change that disables HTTP in namespaced policies by default.

  • securityUpgrade immediately — 15+ CVEs patched, including supply chain components

    This release patches CVEs across sigstore/rekor, go-tuf, docker/cli, Go stdlib, and Kyverno's own code. Several of these touch the image verification and policy fetch paths. If you're running any image signing workflows with Kyverno, the rekor and go-tuf bumps are directly relevant. Plan an upgrade in your next maintenance window — do not wait for the next major cycle.

  • breakingHTTP disabled by default in namespaced policies (CVE-2026-4789) — test before upgrading

    Namespaced policies that fetch external data over plain HTTP will silently stop working after this upgrade. If you use URL context sources or external data fetches in namespaced ClusterPolicy or Policy resources, audit them for HTTP (non-HTTPS) endpoints before upgrading. This is a security hardening change, but it will break existing policies that relied on insecure endpoints. Switch those endpoints to HTTPS or migrate to HTTPS-capable data sources first.

  • breakingRestricted ConfigMap access for namespaced policies — RBAC may need review

    Namespaced policies now have reduced ConfigMap access scope. If your policies rely on reading ConfigMaps outside their namespace for context or configuration, those reads will fail post-upgrade. Review your policy definitions for cross-namespace ConfigMap references and adjust either the policy logic or the access grants accordingly before rolling out this version.

Key changes (5)
  • CVE-2026-4789: HTTP disabled by default in namespaced policies — this is a behavioral change, not just a dep bump
  • Namespaced policies now have restricted ConfigMap access, tightening the blast radius of compromised policy controllers
  • Scoped token used for request authorization, replacing broader token usage in policy evaluation
  • forEach mutation panic fixed — previously could crash the engine on certain mutate rule configurations
  • Dependency CVEs resolved: docker/cli, sigstore/rekor, go-tuf/v2, stdlib, and others updated
Source

Kyverno

SecurityApr 23, 2026

v1.17.2 is a security-heavy patch release addressing multiple CVEs and fixing critical bugs in MutatingPolicy, ValidatingPolicy, webhook reconciliation, and namespaced policy handling.

  • securityUpgrade immediately — 6+ CVEs fixed in this release

    This release patches at least six CVEs across dependencies and Go stdlib, plus CVE-2026-4789 which disables HTTP in namespaced policies by default. If you run namespaced policies that rely on HTTP-based external data sources or webhooks, audit those configurations before upgrading — they will stop working silently. Upgrade path: update your Helm chart or manifests to v1.17.2 and validate policy behavior in a staging environment first.

  • breakingNamespaced policies: HTTP disabled and ConfigMap access restricted

    Two separate hardening changes affect namespaced policies. HTTP is now disabled by default (CVE-2026-4789), and ConfigMap access has been scoped down. If your namespaced policies fetch context from HTTP endpoints or read ConfigMaps outside their namespace, those policies will fail silently or error post-upgrade. Run a dry-run or audit scan against your namespaced policies before deploying to production.

  • enhancementWebhook reconciliation loop fix — reduces controller churn in large clusters

    Inconsistent webhook rule ordering was causing repeated reconciliation loops, which generates excess API server load and noisy controller logs. This is fixed. If you've been seeing constant webhook object churn in your audit logs or elevated kyverno-controller CPU, this release resolves it. No action needed post-upgrade, but worth monitoring controller metrics after rollout to confirm stabilization.

Key changes (5)
  • Multiple CVEs patched: CVE-2026-24051, CVE-2026-15558, CVE-2026-1229, CVE-2026-33186, CVE-2026-34986, CVE-2026-4789 — plus Go stdlib CVE bumps
  • HTTP disabled by default in namespaced policies (CVE-2026-4789) — behavioral change for existing namespaced policy configurations
  • ConfigMap access restricted for namespaced policies — scope reduction to limit blast radius
  • Webhook reconciliation loop fixed: webhooks and webhook rules now maintain consistent ordering to prevent endless reconciliation cycles
  • forEach mutation engine panic prevented, wrong lister for NamespacedGeneratingPolicy on UPDATE fixed, and user info handling added to MutatingPolicy/ValidatingPolicy
Source

cert-manager

SecurityApr 21, 2026

Pure security patch: Go runtime bumped to 1.23.9 and vulnerable dependencies updated. No functional changes — upgrade is the only action needed.

  • securityUpgrade to v1.19.5 immediately — this is a pure CVE fix

    The cert-manager team explicitly recommends all users upgrade. The changes are limited to Go runtime and dependency bumps, so there is no functional risk in upgrading. If you are on any v1.19.x release, this is a straight swap with no migration steps. Check your deployment method (Helm, static manifests, OperatorHub) and roll it out to all clusters. Delaying leaves your cert-manager pods running with known vulnerable Go packages.

Key changes (3)
  • Go runtime upgraded from an older 1.23.x to 1.23.9 to address multiple CVEs in the Go toolchain
  • Third-party Go dependencies with reported vulnerabilities bumped to patched versions
  • No API, behavioral, or configuration changes — drop-in replacement for v1.19.x
Source

Kubescape

SecurityApr 17, 2026

Kubescape v4.0.5 is a routine maintenance release: Go toolchain update plus dependency bumps. No new features or bug fixes.

  • securityUpgrade to pick up Go runtime and dependency CVE fixes

    Go version bumps often patch stdlib vulnerabilities (e.g., net/http, crypto) that affect compiled binaries. If you're running Kubescape as a cluster component or in CI pipelines, pull this update. Check your current version with 'kubescape version' and replace the binary or update your container image tag. Low effort, low risk.

  • enhancementPin to this patch version in your automation

    If you're using Kubescape in CI/CD security scanning pipelines, update your pinned version to v4.0.5 to stay current with the dependency graph. This is especially relevant if your org has SCA tooling that flags transitive dependency staleness in scan tooling itself — a common audit finding.

Key changes (3)
  • Go version updated to address potential toolchain-level vulnerabilities and compatibility
  • Dependency versions bumped across go.mod/go.sum
  • No functional changes, API changes, or new features introduced
Source

Kubescape

SecurityApr 17, 2026

v4.0.4 is a dependency maintenance release with security-relevant library bumps across gRPC, go-git, cloudflare/circl, go-jose, and hashicorp/go-getter, plus minor CLI bug fixes.

  • securityUpgrade immediately due to security-sensitive dependency updates

    Several updated libraries — hashicorp/go-getter, cloudflare/circl, go-jose, and go-git — have histories of CVEs covering path traversal, cryptographic weaknesses, and JWT attacks. While Kubescape's release notes don't call out specific CVEs, the jump from go-getter 1.7.9 to 1.8.6 and go-git 5.16.5 to 5.17.1 are both large version gaps. If you run Kubescape in CI pipelines or as part of automated scanning, update to v4.0.4 now rather than waiting for a scheduled maintenance window.

  • enhancementHelm 3.20.2 and gRPC 1.79.3 bring compatibility improvements

    The Helm SDK bump to 3.20.2 means Kubescape's chart scanning logic stays aligned with current Helm releases. If your clusters use recent Helm chart features, earlier Kubescape versions may have produced incomplete or inaccurate scan results. Rerun chart-level scans after upgrading to confirm coverage.

  • enhancementFix for duplicate flags in `scan image` — check any wrapper scripts

    If you have shell scripts or CI configs that pass flags explicitly to `kubescape scan image`, the duplicate-flag bug could have caused unexpected behavior or silent flag ignoring. After upgrading, verify your pipeline invocations still produce expected output.

Key changes (5)
  • hashicorp/go-getter bumped from 1.7.9 to 1.8.6 — this library has a history of security CVEs around path traversal and SSRF
  • cloudflare/circl updated from 1.6.1 to 1.6.3, addressing cryptographic library fixes
  • go-jose/go-jose updated to 4.1.4, patching JWT/JWE handling issues
  • go-git bumped to 5.17.1 — prior versions had known git protocol vulnerabilities
  • Duplicate CLI flags removed from `scan image` subcommand, and error handling improved
Source

Keycloak

SecurityApr 15, 2026

26.6.1 is a security patch release fixing two CVEs — blind SSRF and user enumeration — plus a critical migration bug that broke authentication flows when upgrading from older versions.

  • securityPatch immediately for SSRF and user enumeration CVEs

    Two CVEs in 26.6.0 (and earlier) need your attention. CVE-2026-4366 allows blind SSRF through HTTP redirect handling — a real risk if Keycloak can reach internal services. CVE-2026-4633 leaks user existence through identity-first login, which aids credential stuffing. Upgrade to 26.6.1 now. If you can't upgrade immediately, consider disabling identity-first login as a short-term mitigation for CVE-2026-4633.

  • breakingIf you upgraded to 26.6.0, check your custom authentication flows immediately

    The MigrateTo26_6_0 migration script had a bug that modified custom browser flows, potentially breaking realm authentication silently. If you upgraded to 26.6.0 and noticed login failures or unexpected flow behavior, this is why. Upgrading to 26.6.1 fixes the migration, but you may need to manually review and repair any already-affected custom flows in your realms. Audit them before upgrading in production.

  • breaking26.6.0 JS/Java admin clients were broken — use 26.6.1 packages

    Both @keycloak/keycloak-admin-client (JS) and the Java admin client had packaging issues in 26.6.0 that prevented installation or sync. If your pipelines or applications depend on these libraries and you pinned to 26.6.0, they are likely broken. Update your dependency references to 26.6.1 immediately.

Key changes (5)
  • CVE-2026-4366: Blind SSRF via HTTP redirect handling in core — attackers could probe internal network resources
  • CVE-2026-4633: User enumeration via identity-first login — leaks whether usernames exist in the system
  • MigrateTo26_6_0 bug fixed: upgrading to 26.6.0 was silently corrupting custom browser authentication flows in existing realms
  • Infinite redirect loop fixed when IdP returns access_denied with kc_idp_hint set
  • Database at-rest encryption support added; CloudNativePG operator updated to 1.29
Source

cert-manager

SecurityApr 11, 2026

Patch release fixing a Helm chart YAML generation bug when webhook.config and webhook.volumes are both set, plus Go 1.26.2 upgrade to address dependency vulnerabilities.

  • securityDependency vulnerabilities patched — upgrade to get the fixes

    The Go runtime and dependencies were bumped specifically to address reported CVEs. The release notes don't call out specific CVE IDs, but don't let that slow you down — cert-manager sits in a privileged position in your cluster handling certificate issuance, so keeping it current on security patches is non-negotiable. Schedule an upgrade in your next maintenance window.

  • breakingUpgrade immediately if you use both webhook.config and webhook.volumes

    If your Helm values set both webhook.config and webhook.volumes, the chart has been generating invalid YAML — meaning your webhook may have silently deployed with incorrect configuration. Upgrade to v1.20.2 and redeploy, then verify the webhook pod is running with the expected volume mounts and config.

Key changes (3)
  • Fixed invalid YAML output in Helm chart when both webhook.config and webhook.volumes are defined simultaneously
  • Go runtime bumped to 1.26.2
  • Go dependencies updated to resolve reported vulnerabilities
Source

OpenFGA

SecurityApr 10, 2026

v1.14.1 patches a host-header poisoning vulnerability in AuthZEN discovery and removes a vulnerable Docker dependency, plus minor ListObjects performance gains.

  • securityPatch the AuthZEN host-header poisoning vulnerability now

    The AuthZEN well-known discovery endpoint was returning URLs built from the request's Host header. An attacker could poison this to redirect clients to a malicious endpoint. If you expose the AuthZEN discovery metadata publicly, upgrade to v1.14.1 immediately. No config change needed — the fix is automatic once upgraded, as long as authzen.baseURL is correctly set in your server config.

  • securityAudit your image builds if you ship the OpenFGA test binary

    The github.com/docker/docker package carries known CVEs and was only used in test code. Production builds are unaffected, but if your pipeline somehow includes test binaries or vendor directories in container images, verify they no longer include the vulnerable package after upgrading.

  • enhancementSet an explicit server shutdown timeout for Kubernetes workloads

    The new shutdown timeout config option lets you control how long OpenFGA waits to drain in-flight requests before exiting. Without this, abrupt shutdowns can cause request errors during pod restarts. Set this to slightly less than your Kubernetes terminationGracePeriodSeconds to ensure clean handoff.

Key changes (5)
  • Security fix: AuthZEN discovery metadata now uses configured baseURL instead of request-supplied host headers, closing a host-header poisoning attack vector
  • Removed vulnerable github.com/docker/docker test dependency, replaced with Moby client & API
  • Configurable server shutdown timeout added — useful for graceful drain in Kubernetes environments
  • ListObjects heap allocations reduced, yielding minor but real latency improvements
  • Cache key generation faster by dropping fmt usage and extending control-character sanitization to tuples, conditions, and context
Source

Falco

SecurityApr 9, 2026

Falco 0.43.1 is a minimal patch release bumping libs to 0.23.2 and the container plugin to 0.6.4. No functional changes, no bug fixes — purely a dependency update.

  • enhancementUpdate if you care about container plugin fixes in 0.6.4

    This release exists primarily to ship the container plugin 0.6.4 update alongside libs 0.23.2. If your environment relies on container metadata enrichment in Falco rules, check the container plugin 0.6.4 changelog for fixes that may affect your alerting fidelity. Otherwise, upgrading from 0.43.0 is low risk and low urgency — treat it as a routine dependency bump.

Key changes (4)
  • libs bumped from previous version to 0.23.2
  • container plugin bumped to 0.6.4
  • driver remains at 9.1.0+driver
  • single merged PR, all user-facing
Source

Keycloak

SecurityApr 8, 2026

Keycloak 26.6.0 graduates several preview features to fully supported — JWT Authorization Grant, Federated Client Auth, Workflows, and zero-downtime patch releases — while fixing a notable set of security bugs across UMA, SCIM, and Organizations.

  • securityPatch SCIM and UMA vulnerabilities immediately

    Two separate SCIM bugs allowed IDOR-style resource modification and authorization bypass in group management. UMA permission grant accepted expired ID tokens and tokens issued to other clients. These are fixed in 26.6.0. If you use SCIM or UMA, upgrade now — no config change needed, but verify your SCIM plugin/extension is compatible with the new validation.

  • breakingSwitch to KCRAW_ prefix if secrets contain $ characters

    If you inject passwords or secrets via environment variables and they contain $ characters (e.g., from a secrets manager), the KC_ prefix silently mangles them via SmallRye expression evaluation. Use KCRAW_<KEY> instead of KC_<KEY> to preserve literal values. Audit your current env var injection before upgrading — any secrets with ${ or $$ patterns may have been silently broken in prior versions.

  • enhancementEnable zero-downtime rolling updates in your Operator deployments

    Zero-downtime patch releases are now on by default. If you run Keycloak via the Operator, explicitly set the update strategy to Auto to benefit. Also review the new graceful HTTP shutdown defaults (1s delay, 1s timeout) — adjust these upward if your reverse proxy takes longer to drain connections, especially in non-Kubernetes setups with longer-lived connections.

Key changes (7)
  • JWT Authorization Grant (RFC 7523) and Federated Client Authentication are now GA, enabling external-to-internal token exchange without managing per-client secrets
  • Zero-downtime patch releases are now enabled by default; Operator users should set update strategy to Auto
  • New KCRAW_ environment variable prefix prevents SmallRye from mangling passwords containing $ characters — addresses a silent data-corruption bug
  • UMA permission grant now rejects expired ID tokens and tokens issued to different clients (security fixes #46716, #46717)
  • SCIM IDOR bug fixed: PUT endpoint no longer allows resource modification via body ID override (#46658); SCIM authorization bypass in group management also patched (#47536)
  • OTP and password brute-force protection separated by default to prevent OTP bypass attacks (#46164)
  • Keycloak and KeycloakRealmImport CRDs promoted to v2beta1
Source

OpenFGA

SecurityApr 3, 2026

v1.14.0 fixes a potential deadlock in ListObjects, improves intersection algorithm performance, and adds BatchCheck caching — plus a SQL serialization bug fix that affects PostgreSQL users.

  • securityPostgreSQL users: apply the SQL serialization fix

    The TupleOperation serialization and pgx.ErrNoRows fixes could cause silent data inconsistencies or incorrect error handling in PostgreSQL deployments. If you're running OpenFGA on Postgres, this fix alone justifies upgrading. Verify your tuple write/read behavior post-upgrade.

  • breakingReview CVE-2026-33729 and upgrade immediately

    The changelog explicitly references CVE-2026-33729. The release notes don't detail the full scope, but a CVE update in a patch/minor release demands immediate attention. Upgrade to v1.14.0 now and audit your deployment's exposure before the CVE details become widely known.

  • enhancementListObjects deadlock fix is critical for high-concurrency workloads

    A deadlock in the ListObjects pipeline is the kind of bug that only shows up under real production load. If you use ListObjects extensively — especially with concurrent callers — this fix is essential. After upgrading, stress-test ListObjects under your typical concurrency patterns to confirm stability.

  • enhancementBatchCheck caching reduces authorization latency at scale

    If your application calls BatchCheck repeatedly with overlapping tuples or conditions, the new caching layer will cut latency and backend load. No configuration changes are mentioned, so the benefit should be automatic — but monitor cache behavior through the new tuple iterator query stats to validate the improvement in your environment.

Key changes (5)
  • Fixed a potential deadlock in the ListObjects pipeline algorithm, improving reliability under concurrent load
  • Intersection algorithm rewritten for lower latency and reduced memory usage
  • BatchCheck results now cached, reducing redundant authorization checks
  • SQL TupleOperation serialization bug and pgx.ErrNoRows error handling fixed for PostgreSQL backends
  • Tuple iterator query stats added for better observability into database query behavior
Source

Keycloak

SecurityApr 2, 2026

26.5.7 is a critical security release patching 7 CVEs, including privilege escalation, redirect URI bypass, and unauthorized cross-user permission grants. Upgrade immediately.

  • securityPatch now — multiple high-severity CVEs in this release

    Seven CVEs are fixed here, spanning privilege escalation (CVE-2026-4282), redirect URI bypass (CVE-2026-3872), cross-user permission injection (CVE-2026-4636), and an unauthenticated DoS via scope processing (CVE-2026-4634). These aren't theoretical — attackers with basic access or even anonymous access could exploit several of these. Upgrade to 26.5.7 as fast as your change process allows. If you use UMA policies or expose the Admin REST API, treat this as an emergency patch.

  • securityAudit Admin REST API access and UMA policy configurations post-upgrade

    CVE-2025-14083 (Admin API info disclosure) and CVE-2026-4636 (UMA cross-user permission grants) suggest that access controls around admin and UMA endpoints were not properly enforced. After upgrading, review which clients and service accounts have Admin REST API access, and audit your UMA resource/policy definitions for unexpected grants. Don't assume the patch alone closes the exposure if misconfigured principals already exploited these paths.

  • enhancementQuarkus upgraded to 3.27.3 — monitor for runtime behavior changes

    The Quarkus runtime bump also pulls in a fix for CVE-2026-1002 (vertx-core static handler cache manipulation causing DoS on static files). If you serve static content through Keycloak or have customized themes, verify those assets load correctly after upgrade. Quarkus minor upgrades occasionally shift default configurations, so a smoke test on your login flows is worth running.

Key changes (5)
  • CVE-2025-14083: Admin REST API improper access control leaks information to unauthorized callers
  • CVE-2026-4282: Forged authorization codes possible due to SingleUseObjectProvider isolation flaw — privilege escalation risk
  • CVE-2026-3872: Redirect URI validation bypassed via ..;/ path traversal in the OIDC auth endpoint
  • CVE-2026-4636: UMA policy resource injection allows unauthorized cross-user permission grants
  • CVE-2026-4634: Application-level DoS via scope processing — no authentication required to trigger
Source
Browse by month