RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Mar 2026Clear ×

etcd

Kubernetes CoreMar 20, 2026

etcd v3.6.9 is a maintenance release. The release notes are sparse — check the full CHANGELOG for the actual diff before upgrading.

  • breakingRead the CHANGELOG before upgrading — release notes are incomplete

    The published release notes for v3.6.9 contain no change details. Before upgrading any etcd cluster, pull up CHANGELOG-3.6.md directly and diff the entries since your current version. The 3.6 series has known breaking changes, and skipping this step on a stateful system like etcd is a real risk.

  • enhancementVerify container image source if you pull from quay.io

    etcd's primary registry is gcr.io/etcd-development/etcd. If your pipelines pull from quay.io/coreos/etcd, confirm that image is current and matches the gcr.io digest. Secondary registries can lag. Pin by digest, not just tag, to avoid silent version mismatches.

Key changes (4)
  • Release notes do not enumerate specific changes; full details are in the CHANGELOG-3.6.md
  • Upgrade guide should be reviewed prior to upgrading due to potential breaking changes in the 3.6 series
  • Primary container image available via gcr.io/etcd-development/etcd; quay.io/coreos/etcd remains the secondary registry
  • Supported platform matrix may have been updated — verify your architecture/OS combo before deploying
Source

etcd

Kubernetes CoreMar 20, 2026

etcd v3.5.28 is a patch release in the 3.5 series. Release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingRead the CHANGELOG before upgrading — release notes are incomplete

    The published release notes for v3.5.28 contain no actual change details. Before upgrading any etcd cluster, pull the full CHANGELOG-3.5.md from the etcd repo and review entries since your current version. Skipping this on a stateful system like etcd is a real risk.

  • enhancementStick to the primary container registry for pulls

    gcr.io/etcd-development/etcd is the authoritative image source. quay.io/coreos/etcd is secondary and may lag. If your cluster pulls from quay.io, verify the image digest matches the primary before deploying in production.

Key changes (4)
  • Patch release in the 3.5 stable series
  • Full change details available only in the CHANGELOG-3.5.md, not surfaced in the release notes directly
  • Container images available via gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
  • Upgrade guide should be reviewed before deploying — breaking changes may be present
Source

etcd

Kubernetes CoreMar 20, 2026

etcd v3.4.42 is a maintenance release on the 3.4 branch. The release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingCheck the upgrade guide even for patch releases

    The release explicitly calls out that breaking changes may exist. On a 3.4.x patch bump this is unlikely but not impossible — particularly around snapshot or WAL handling. Verify the upgrade guide is clean for your version before rolling out to production clusters.

  • enhancementReview the full CHANGELOG before upgrading

    The release notes published here are essentially empty. Before applying this update to any environment, pull the CHANGELOG-3.4.md directly from the etcd repo to understand what bug fixes or patches are included. Blind upgrades on a critical consensus store are a bad idea.

Key changes (4)
  • Maintenance release on the 3.4.x stable branch
  • Full change details available only in the CHANGELOG-3.4.md
  • Upgrade guide should be reviewed for any breaking changes before applying
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
Source

Harbor

Storage & DataMar 20, 2026

Harbor v2.15.0 delivers proxy cache connection limits, per-endpoint CA certs, Cosign v3 bundle support, and a critical bearer token security fix alongside a Trivy supply chain incident bump.

  • securityUpdate immediately: Trivy supply chain incident and bearer token bypass

    Two separate security issues landed in this release. First, Trivy was bumped to v0.69.3 after a supply chain incident affecting the scanner — run this update before your next scan cycle. Second, the bearer token fix rejects tokens issued before their associated project was created, which plugs an authorization gap. Both issues warrant prompt upgrades rather than waiting for a maintenance window.

  • breakingGCR replication adapter removed — migrate any existing GCR replication rules

    The Google Container Registry adapter is gone. If you have replication rules targeting GCR endpoints, they will break silently after upgrading. Migrate those rules to use Artifact Registry (GAR) endpoints before upgrading to v2.15.0. Also, if you were using proxy cache projects pointed at GCR, those need to be reconfigured.

  • enhancementCap proxy cache upstream connections to protect upstream registries

    The new `max_upstream_conn` parameter lets you throttle outbound connections per proxy cache project. If you're running Harbor as a pull-through cache for Docker Hub or other rate-limited registries, set this to avoid hitting upstream rate limits or overwhelming self-hosted registries. Configure it per-project via the UI or API after upgrading.

Key changes (7)
  • Proxy cache projects now support configurable upstream connection limits via `max_upstream_conn` parameter, controllable through the UI
  • Per-endpoint CA certificate support added for registry endpoints, useful for private registries with custom PKI
  • Bearer tokens issued before project creation are now rejected — closes a subtle authorization bypass
  • Trivy bumped to v0.69.3 following a supply chain incident; this was a reactive security response, not a routine update
  • Cosign v3 Bundle signature format supported, and Harbor release artifacts are now signed with Cosign keyless signing
  • GCR replication adapter removed since Google Cloud Registry accounts are decommissioned
  • Audit log to DB can now be disabled at initialization, reducing write load for high-throughput environments
Source

OpenFGA

SecurityMar 19, 2026

v1.12.1 is a focused maintenance release fixing OTLP endpoint URI parsing and improving ListObjects pipeline internals with Go native channels.

  • breakingOTLP https:// scheme now forces TLS regardless of your config flag

    If you set OTEL_EXPORTER_OTLP_ENDPOINT with an https:// scheme, TLS will be enabled even if trace.otlp.tls.enabled is false. Audit your observability configs before upgrading — any environment using https:// endpoints with TLS explicitly disabled will now have TLS enabled. This is almost certainly the correct behavior, but verify your collector setup accepts TLS connections.

  • enhancementOTLP endpoint URIs with schemes finally work — clean up your workarounds

    Previously, passing a full URI like http://host:4317 to OTEL_EXPORTER_OTLP_ENDPOINT would break because the scheme wasn't stripped before reaching the gRPC exporter. If you've been working around this by omitting the scheme, you can now use standard URI formats. Update your deployment configs and remove any manual scheme-stripping logic.

  • enhancementListObjects performance improvement — no action needed, just upgrade

    Replacing the custom Pipe implementation with Go native channels reduces internal complexity and can improve throughput for ListObjects calls under concurrent load. No API changes, no config changes needed. The tuple validation refactor compounds this. If you're running OpenFGA at scale with heavy ListObjects usage, this patch is worth taking.

Key changes (4)
  • ListObjects pipeline now uses Go native channels instead of a custom Pipe implementation — cleaner concurrency, better debuggability
  • Tuple validation and manipulation functions refactored for better performance under load
  • grpc-go bumped to v1.79.3 and grpc-health-probe to v0.4.47 — dependency hygiene
  • OTEL_EXPORTER_OTLP_ENDPOINT now correctly handles URIs with schemes like http:// or https://, stripping the scheme before passing to gRPC exporter
Source

Linkerd

Networking & MessagingMar 19, 2026

A routine dependency-heavy edge release: two proxy bumps (v2.343.0, v2.344.0), Go 1.25.8 upgrade, rustls update, and proxy-init 2.4.6 — no feature additions or breaking changes.

  • securityrustls patch update — pull this into your proxy builds

    rustls went from 0.23.35 to 0.23.37 in the proxy. Two patch versions in one release suggests active bug or security fixes in the TLS layer. If you're running older edge releases, this is a good reason to roll forward. No CVE was cited, but TLS library patches should never be delayed in a service mesh context.

  • enhancementTwo proxy versions landed — check the proxy changelog separately

    This release ships proxy v2.343.0 and v2.344.0 in sequence, meaning two rounds of proxy changes are bundled in. The release notes don't detail what changed in each proxy version. If you're tracking proxy behavior closely (routing, observability, protocol detection), check the linkerd2-proxy repo's changelog for these two versions before deploying.

  • enhancementGo 1.25.8 in the control plane — standard maintenance upgrade

    The control plane is now on Go 1.25.8. This is a patch release of Go and likely includes minor runtime fixes. No action required unless you're building custom tooling against Linkerd's Go modules — in that case, align your toolchain accordingly.

Key changes (5)
  • Proxy bumped twice to v2.343.0 then v2.344.0 within this release cycle
  • Go runtime upgraded to 1.25.8 across the control plane
  • rustls updated from 0.23.35 to 0.23.37 — patch-level TLS library update in the proxy
  • proxy-init bumped from 2.4.5 to 2.4.6
  • openssl-sys and grpc dependencies updated (0.9.112 and 1.79.3 respectively)
Source

Dapr

Orchestration & ManagementMar 19, 2026

Dapr v1.17.2 is a high-priority patch with three Go stdlib CVE fixes, a CRD breaking change requiring manual update, and fixes for cascading actor placement failures and streaming OOM issues.

  • securityUpgrade immediately to patch three Go stdlib CVEs

    Go 1.24.x carried GO-2026-4601 (IPv6 SSRF via net/url), GO-2026-4602 (path escape via os.Root), and GO-2026-4603 (XSS via html/template). If your Dapr sidecars handle user-supplied URLs or template rendering in any adjacent service, exposure is real. Upgrade to v1.17.2 now — the fix is a Go toolchain bump, so no code changes are needed on your end.

  • breakingManually update CRDs before Helm upgrade or daprd will fail to start

    The `stateRetentionPolicy` fields in the Configuration CRD changed from `type: integer` to `type: string`. Helm does not update CRDs automatically. If you run `helm upgrade` without updating the CRD first, any existing Configuration objects using duration strings will fail Kubernetes validation and daprd may fail to load its config. Run the CRD update step from the Kubernetes upgrade guide before touching Helm. If you're not using workflow state retention policies today, the risk is lower, but update the CRD anyway to stay consistent.

  • enhancementLarge actor deployments and streaming workloads should prioritize this patch

    Two fixes deserve immediate attention beyond security. First, deployments with 50+ actor replicas were hitting cascading dissemination timeouts in 1.17.x — the placement service batching fix in this release resolves that. Second, any service invocation path passing large or streaming bodies (file uploads, SSE, chunked data) was silently OOM-killing sidecars by buffering everything in memory. Both are now fixed. If either pattern applies to your workload, treat this upgrade as urgent rather than routine.

Key changes (5)
  • Three Go stdlib CVEs fixed (XSS in html/template, path escape in os.Root, IPv6 parsing in net/url) by upgrading to Go 1.25.8
  • Breaking change: Workflow state retention policy CRD fields corrected from integer to string type — manual CRD update required before Helm upgrade
  • Actor placement dissemination fixed for large deployments (50+ replicas) — cascading timeout loop now resolved
  • Service invocation no longer buffers entire streaming request/response bodies in memory, preventing sidecar OOM kills
  • Pub/sub messages no longer routed to dead-letter queue during graceful shutdown; bulk publish now applies namespace prefix correctly
Source

Operator Framework

Orchestration & ManagementMar 19, 2026

Patch release bumping grpc from 1.78.0 to 1.79.3 and updating the Ansible operator plugin. Minimal surface area — safe to adopt quickly.

  • securityUpgrade for gRPC dependency fix

    The grpc bump from 1.78.0 to 1.79.3 spans two minor versions and likely includes bug fixes that could affect stability or security of operator-to-registry communication. gRPC CVEs and transport-layer issues have historically been silent but impactful. Review the grpc changelog for your risk profile, then upgrade — this patch is low-risk and the dependency delta is well-contained.

  • enhancementAnsible plugin users should rebuild operator images

    If you maintain Ansible-based operators, the plugin update in this release means your scaffolded or generated code may drift from the current baseline. After upgrading the SDK, re-run scaffolding checks or regenerate any plugin-managed files to stay aligned. Not urgent, but worth doing before your next operator release cycle.

Key changes (3)
  • google.golang.org/grpc bumped from 1.78.0 to 1.79.3 via dependabot
  • Ansible operator plugin updated to match v1.42.2 release
  • Post-release generated file sync from v1.42.1
Source

Keycloak

SecurityMar 19, 2026

Keycloak 26.5.6 is a critical security release patching 8 CVEs spanning SSRF, token reuse, IDOR, privilege escalation, and multiple information disclosure vulnerabilities. Upgrade immediately.

  • securityPatch all 8 CVEs — upgrade to 26.5.6 now

    This release fixes eight CVEs covering SSRF, token replay, privilege escalation, IDOR, and multiple information disclosure paths. Three of these (SSRF via jwks_uri, privilege escalation via manage-clients, and auth session contamination) are particularly dangerous in multi-tenant or public-facing deployments. There is no workaround — upgrade is the only fix. If you're on any 26.x version, treat this as an emergency patch.

  • securityAudit manage-clients grants and OIDC Dynamic Client Registration usage

    CVE-2026-3121 (privilege escalation via manage-clients) and CVE-2026-1180 (SSRF via jwks_uri in dynamic client registration) both require reviewing your current permission grants and feature flags. After upgrading, audit which users/service accounts hold manage-clients. If you don't use OIDC Dynamic Client Registration, disable it at the realm level to eliminate the SSRF attack surface entirely.

  • breakingVerify Operator DB config and multi-realm startup behavior post-upgrade

    The 26.5.0 Operator regression for DB targetServerType=primary (affecting master-replica failover) and the O(N²) startup scan introduced in 26.5.4 are both fixed here. If you hit either of these bugs, validate your DB connection failover behavior and startup times after upgrading. Large deployments with many realms should see noticeably faster restarts.

Key changes (6)
  • CVE-2026-1180: Blind SSRF via OIDC Dynamic Client Registration jwks_uri — attackers can probe internal network endpoints
  • CVE-2026-1035: Refresh token reuse bypass via TOCTOU race condition — token replay attacks become possible
  • CVE-2026-3121: Privilege escalation via manage-clients permission — low-privilege users may gain elevated access
  • CVE-2025-14777: IDOR in realm client create/delete — unauthorized cross-realm client manipulation
  • Bug fix: AUTH_SESSION_ID cookie reuse caused cross-user session contamination on re-authentication — a serious data isolation issue
  • Bug fix: O(N²) startup regression with many realms introduced in 26.5.4 is resolved — large deployments were severely impacted
Source

Kubernetes

Kubernetes CoreMar 19, 2026

v1.35.3 is a small patch with two kubeadm bug fixes and one DRA eviction status reporting cleanup. Low risk, safe to apply.

  • enhancementUpgrade kubeadm-managed clusters to fix etcd learner endpoint bug

    The etcd learner member fix is the most operationally relevant change here. If you use kubeadm and have experienced etcd client connectivity issues during node join/promotion operations, this patch addresses the root cause. Schedule an upgrade during your next maintenance window — no config changes required, just a kubeadm binary update.

  • enhancementkubeadm reset is more reliable on systems with peer mounts

    If your node reset automation was failing on environments where /var/lib/kubelet has peer mounts (common in certain container runtimes or nested mount configurations), this fix prevents those EINVAL errors from blocking the reset process. Worth upgrading if you've seen unexplained reset failures.

Key changes (3)
  • kubeadm no longer adds etcd learner members to client endpoints, preventing potential routing issues during cluster operations
  • kubeadm reset now ignores EINVAL errors when unmounting /var/lib/kubelet peer mounts, avoiding spurious failures on reset
  • DRA device taint eviction controller fixes a misleading status message that double-counted pod evictions in intermediate states
Source

Kubernetes

Kubernetes CoreMar 19, 2026

v1.34.6 is a minimal patch fixing two kubeadm bugs: etcd learner endpoints and a kubelet unmount error during cluster reset.

  • enhancementUpgrade if you run kubeadm-managed clusters with etcd membership changes

    The etcd learner fix matters any time you add etcd members — a learner node (not yet a voting member) being included in client endpoints could cause request failures during the promotion window. If you've seen intermittent etcd client errors during node additions, this patch resolves it. Otherwise, apply at your normal patch cadence.

  • enhancementUpgrade if kubeadm reset fails on your nodes

    The EINVAL unmount fix addresses a real pain point: kubeadm reset aborting mid-way when certain bind mounts under /var/lib/kubelet can't be cleanly unmounted. This tends to show up on nodes with overlapping mount namespaces or specific filesystem setups. If you've had to manually clean up after a failed reset, this patch removes that friction.

Key changes (3)
  • kubeadm no longer adds etcd learner members to client endpoint lists, preventing potential routing errors during etcd membership changes
  • kubeadm reset now ignores EINVAL errors when unmounting /var/lib/kubelet peer mounts, fixing failures on certain kernel/filesystem configurations
  • No dependency changes — this is a pure bug fix release
Source

Kubernetes

Kubernetes CoreMar 19, 2026

v1.33.10 is a small patch fixing a kube-controller-manager nil pointer crash in ValidatingAdmissionPolicy and two kubeadm operational bugs. No dependency changes.

  • breakingPatch immediately if you use ValidatingAdmissionPolicy with open schemas

    Any ValidatingAdmissionPolicy referencing an object schema with `additionalProperties: true` will crash kube-controller-manager outright — not degrade gracefully. If you're running v1.33.x and using VAP, check your policies now. Upgrade to v1.33.10 before deploying any new policies with open schemas, or you risk taking down the controller manager.

  • enhancementkubeadm etcd learner fix matters for HA cluster joins

    When adding control plane nodes, etcd temporarily registers new members as learners. The previous behavior incorrectly included learner endpoints in the etcd client pool, which could cause client errors during promotion. If you run kubeadm-managed HA clusters and have experienced intermittent etcd client failures during control plane joins, this patch resolves it. Upgrade before your next control plane scaling operation.

  • enhancementkubeadm reset now handles stubborn bind mounts cleanly

    On nodes with bind-mounted /var/lib/kubelet directories, `kubeadm reset` previously failed with EINVAL during unmount, leaving cleanup incomplete. The fix silently ignores EINVAL — which is expected for peer mounts — so resets complete cleanly. Useful if you automate node decommissioning with kubeadm reset in scripts.

Key changes (3)
  • ValidatingAdmissionPolicy: schemas with `additionalProperties: true` no longer crash kube-controller-manager with a nil pointer exception
  • kubeadm no longer adds etcd learner members to client endpoints, preventing potential routing issues during cluster operations
  • kubeadm reset now gracefully handles EINVAL errors when unmounting /var/lib/kubelet peer mounts, avoiding false failures
Source

Cloud Custodian

SecurityMar 18, 2026

A broad feature release adding 12+ new AWS resources, new upgrade-available filters for EKS/Elasticsearch, Azure Entra ID resources, and GCP Vertex AI support. Several bug fixes address S3 cache staleness, GuardDuty validation, and IAM user errors.

  • enhancementAudit EKS and Elasticsearch upgrade readiness now

    The new upgrade-available filter for both EKS and Elasticsearch means you can write policies that flag clusters where a newer version exists. If you've been tracking version compliance manually, replace that with a c7n policy using the upgrade-available filter and route matches to notify or tag. Good timing before any end-of-support deadlines.

  • enhancementAdd whitelist_patterns to cross-account filters using deleted principals

    If your cross-account policies flag deleted IAM principals as violations, you've likely been dealing with false positives. The new whitelist_patterns parameter on the cross-account filter lets you skip ARN patterns for known-deleted or transient principals. Review your existing cross-account policies and add patterns for any deleted accounts or service-linked roles you see repeated in output.

  • enhancementAudit Azure Entra ID security posture with new resource types

    Four new Entra ID resource types — conditional-access-policy, authorization-policy, named-location, security-defaults — are now queryable. If you manage Azure security baselines, write policies to check that security defaults are enabled and conditional access policies match your org's requirements. This fills a gap that previously required separate tooling.

Key changes (5)
  • New upgrade-available filters for EKS and Elasticsearch let you proactively find clusters running outdated versions
  • 12 new AWS resource types added: savings-plan, vpc-lattice-listener, directconnect-gateway, bedrock-inference-profile, transfer-connector, and more
  • Azure Entra ID resources now manageable: conditional-access-policy, authorization-policy, named-location, and security-defaults
  • GCP gains Vertex AI resources (endpoint, batch-prediction-job) and expanded set-labels support across BigQuery, BigTable, KMS, and GCS buckets
  • cross-account filter gets whitelist_patterns to skip deleted IAM principals, and org-id + wildcard joint conditions now handled correctly
Source

SPIRE

SecurityMar 18, 2026

v1.14.3 patches a TLS session resumption bypass that could skip certificate chain validation, plus fixes node cache rebuild and several reliability issues in AWS and federation scenarios.

  • securityUpgrade immediately to fix TLS session ticket bypass

    TLS session resumption on SPIRE Server's TCP endpoint was allowing reconnecting clients to skip SPIFFE certificate chain validation — meaning a client with an expired or revoked cert could potentially reconnect without re-validation against the current trust bundle. This is a meaningful trust boundary violation. Upgrade to v1.14.3 now. No config change needed; the fix disables session tickets server-side automatically.

  • securitySelector data no longer leaks into agent logs

    Selectors can encode workload identity details (e.g., Kubernetes pod labels, Unix UIDs, AWS metadata) that you may not want in logs. Previously, these were logged at agent level. After upgrading, audit your existing log pipelines and retention policies — any historical logs may still contain this data.

  • breakingPQC users must migrate from Kyber draft to X25519MLKEM768

    If you've enabled RequirePQKEM TLS policy, the underlying algorithm changes from the draft x25519Kyber768Draft00 to the standardized X25519MLKEM768. Both peers must be running v1.14.3+ before this takes effect, otherwise TLS handshakes will fail. Plan a coordinated upgrade of agents and server if you're using this policy.

  • enhancementNode cache rebuild fix is critical for long-running agents

    The periodic node cache rebuild was executing only once after startup instead of on its configured interval. Over time, agents in environments with frequent workload changes would serve stale cache data. This is silently fixed in v1.14.3 — no config changes needed, but you should upgrade agents promptly, especially in dynamic environments.

Key changes (5)
  • TLS session ticket resumption on server TCP endpoints disabled — was allowing connections to bypass SPIFFE certificate chain validation against the current trust bundle
  • Selectors no longer logged at agent level to prevent sensitive info leakage
  • RequirePQKEM policy updated from draft x25519Kyber768Draft00 to standardized X25519MLKEM768
  • Node cache periodic rebuild was silently running only once — now correctly loops at configured interval
  • ReadOnlyEntry.Clone() bug fixed: Admin boolean was bleeding into Downstream field, corrupting authorization metadata for GetAuthorizedEntries/SyncAuthorizedEntries clients
Source

Litmus

ObservabilityMar 18, 2026

Litmus 3.27.0 ships Job targeting for chaos experiments and fixes a cluster of stability bugs: nil pointer crashes, GitOps deadlocks, race conditions, and probe detection failures.

  • breakingGitOps two-way sync was silently broken — verify your sync state after upgrading

    The GitOps sync handler goroutine was disabled, meaning changes in Git were not propagating back to Litmus in two-way mode. After upgrading to 3.27.0, manually trigger a sync and confirm experiment state matches your Git source of truth. Any drift that accumulated should be reconciled.

  • enhancementTarget Kubernetes Jobs in chaos experiments

    If your team runs batch workloads or CI pipelines as Kubernetes Jobs, you can now inject chaos directly into them. Update your experiment manifests to reference Job resources and validate resilience of batch processing paths — something previously impossible without workarounds.

  • enhancementMultiple nil pointer and race condition fixes reduce silent failures

    At least three separate nil pointer dereferences are fixed in this release (subscriber, QueryServerVersion, YAML parser), plus experiment run race conditions. If you've seen intermittent crashes or experiments stuck in inconsistent states, upgrading is the straightforward fix — no config changes needed.

Key changes (5)
  • New: Kubernetes Jobs can now be targeted in chaos experiments, expanding workload coverage beyond Deployments and StatefulSets
  • 503 returned when MongoDB is down, enabling probes to correctly detect infrastructure failures instead of hanging
  • Subscriber crash on Workflow ADD events (nil pointer dereference) fixed — previously could silently break experiment scheduling
  • GitOps deadlock in GitMutexLock.Unlock resolved, and the GitOps sync handler goroutine re-enabled to restore two-way sync
  • CMD probe command limit raised from 1024 characters, unblocking complex probe scripts
Source

Backstage

CI/CD & App DeliveryMar 17, 2026

v1.49.0 is a landmark release: the New Frontend System hits 1.0 RC, the CLI becomes extensible via modules, and there are multiple breaking changes in UI components, integrations, and entity cards requiring migration work.

  • breakingMigrate entity cards and BUI components before upgrading `@backstage/plugin-catalog`

    The major version bump on `@backstage/plugin-catalog` means direct action is required. Remove all `variant` prop usage from EntityAboutCard, EntityLinksCard, EntityLabelsCard, GroupProfileCard, and UserProfileCard. Wrap your app in a `BUIProvider` inside a React Router context — without it, Link, ButtonLink, Tabs, Menu, and Table lose client-side navigation. Also rename any CSS selectors using old `bui-HeaderPage` class patterns and camelCase data attributes. Audit custom components that implement the old `Checkbox` `selected`/`indeterminate` props and switch to `isSelected`/`isIndeterminate`.

  • breakingRemove all deprecated Bitbucket and legacy integration config immediately

    The old `bitbucket` config key and Azure DevOps `token`/`credential` fields are gone — not deprecated, gone. If your `app-config.yaml` still references these, your backend will fail to start after upgrading. Replace `bitbucket` with `bitbucketCloud` or `bitbucketServer`, migrate Azure DevOps to the `credentials` array, and update any Gerrit URL utility calls. Check scaffolder templates too, as `parseRepoUrl` no longer handles `bitbucket`.

  • enhancementAdd `@backstage/cli-defaults` as a devDependency now, not later

    The CLI module system is live, and the fallback to built-in commands already emits a deprecation warning. Add `@backstage/cli-defaults` to your root `devDependencies` today to silence the warning and future-proof your setup before the fallback is removed entirely. If you maintain custom CLI tooling, look at `createCliModule` in `@backstage/cli-node` to package it properly as a first-class CLI extension.

Key changes (7)
  • New Frontend System reaches 1.0 RC — new apps use it by default, `--next` flag replaced by `--legacy`
  • Multiple breaking UI changes in Backstage UI (BUI): Checkbox props renamed, CSS classes renamed, `BUIProvider` now required for routing, deprecated types removed
  • Entity cards (`EntityAboutCard`, `EntityLinksCard`, etc.) migrated from MUI to BUI with `variant` prop removed — `@backstage/plugin-catalog` receives a major version bump
  • Deprecated Bitbucket integration and legacy fields fully removed from `@backstage/integration`, `@backstage/backend-defaults`, and scaffolder packages
  • CLI refactored into modular `cli-module` packages — add `@backstage/cli-defaults` as a devDependency now to avoid future fallback removal warning
  • Predicate-based catalog filtering added to `queryEntities()`, `getEntitiesByRefs()`, and `getEntityFacets()` via new POST endpoints
  • Permission checks batched per tick for better performance on permission-heavy pages
Source

Kubescape

SecurityMar 17, 2026

Kubescape v4.0.3 is a small patch release adding a --grype-db-url flag for offline/airgapped Grype database usage, plus a bug fix for missing host errors and dependency bumps.

  • securitygo-git updated to v5.16.5 — pull this upgrade promptly

    go-git patch releases frequently address vulnerabilities in git protocol parsing. Review the go-git v5.16.5 changelog to confirm whether any CVEs are addressed, and prioritize this upgrade if your Kubescape usage involves scanning git repositories or if you embed Kubescape as a library.

  • breakingMissing host now returns an error — check your error handling

    Previously, a missing host in scan targets silently returned nil instead of an error. If your pipelines or scripts were treating a zero-exit-code as success in these cases, they may now surface failures they were previously ignoring. Test your scan workflows after upgrading to make sure error handling behaves as expected.

  • enhancementUse --grype-db-url for airgapped or private mirror setups

    If you run Kubescape in environments without direct internet access, the new --grype-db-url flag lets you point image scans at an internal Grype DB mirror. Set this in your CI pipelines or operator configs now rather than patching environment variables or workarounds you may have hacked together previously.

Key changes (5)
  • New --grype-db-url flag on 'kubescape scan' lets you override the default Grype vulnerability database URL
  • Fixed a bug where a missing host did not return a proper non-nil error, which could silently swallow scan failures
  • go-git bumped to v5.16.5 (likely security/bug fixes in git operations)
  • OpenTelemetry SDK bumped to 1.40.0
  • Added debug logging for scanInfo.ListingURL to aid troubleshooting Grype DB fetches
Source

Lima

Kubernetes CoreMar 17, 2026

Lima v2.1.0 adds experimental macOS and FreeBSD guest support, renames the guest home directory path, and consolidates disk files — a release with real migration considerations alongside useful new features.

  • breakingDisk file consolidation means no downgrade path

    Once an instance runs under Lima v2.1, its disk format is incompatible with v2.0 and v1.x. Snapshot or back up critical VM instances before upgrading. If you manage shared Lima environments or CI pipelines that pin Lima versions, ensure all consumers upgrade together — you can't roll back individual instances.

  • breakingHardcoded paths to `/home/${USER}.linux` will break

    The guest home directory is now `/home/${USER}.guest`. A symlink covers the old path, so most things will keep working. However, any scripts, dotfiles, or tooling that hardcodes the `.linux` suffix — particularly in non-symlink-aware contexts like bind mounts or container volume paths — should be audited and updated.

  • enhancementUse `limactl shell --sync` for AI agent workflows

    If you're running AI coding agents (e.g., Claude Code, Aider) inside Lima shells, `--sync` prevents the agent from accidentally modifying host files by syncing the working directory into the guest context. Adopt this flag in any automation or agent harness that launches `limactl shell` — it's a low-friction safety net.

  • enhancementk3s template now supports multi-node clusters

    The built-in `k3s` template can now spin up multi-node clusters, which makes local Kubernetes testing significantly more realistic. If you've been working around this limitation with custom configs or alternative tools like Rancher Desktop, it's worth re-evaluating the native template.

Key changes (6)
  • Experimental macOS and FreeBSD guest support via new templates (`template:macos`, `template:freebsd`)
  • Guest home directory renamed from `/home/${USER}.linux` to `/home/${USER}.guest`; old path symlinked for compatibility
  • `basedisk` + `diffdisk` consolidated into a single `disk` file — instances from v2.0/v1.x boot fine in v2.1, but not the reverse
  • New `limactl shell --sync` flag to isolate AI agent shell sessions from host filesystem
  • Host-to-guest time synchronization added in the hostagent; guestagent binary shrunk from 14MB to 6.1MB
  • QEMU is now the default hypervisor for non-native architectures
Source

KubeVirt

Orchestration & ManagementMar 16, 2026

KubeVirt v1.7.2 is a patch release fixing 7 bugs across networking, storage, monitoring, and backup — no new features, but several fixes that could unblock production issues.

  • breakingCheck VMI specs if you're running mixed NIC configurations

    The infinite status loop fix targets VMIs where the primary network interface appears after a secondary one in the spec. If you have VMs stuck in update churn or virt-controller/virt-handler showing abnormal CPU/log volume, this is likely the cause. Upgrade to v1.7.2 and verify your VMI specs list the primary interface first to avoid re-triggering the issue on older clusters.

  • enhancementWindows VM backup users should update for reliable Velero integration

    The QuiesceFailed-to-QuiesceTimeout change plus a 60s pre-backup hook timeout directly addresses flaky Windows VSS snapshot behavior during Velero backups. If you're backing up Windows VMs and seeing intermittent quiesce failures, this patch resolves it. Review your Velero backup policies to ensure the hook timeout aligns with your SLAs.

  • enhancementGoogle Cloud NetApp Volumes storage migration is unblocked

    If you're running VMs on GCP with NetApp Volumes and tried live storage migration, it was silently failing. This patch fixes that. Test your migration workflows after upgrading — especially if you deferred any storage moves because of this bug.

Key changes (7)
  • Fixed infinite VMI status update loop when primary NIC is listed after secondary interfaces in the VMI spec
  • Fixed PCI address stability across upgrades when using v3 hotplug port topology
  • Fixed storage migration failures with Google Cloud NetApp Volumes
  • Corrected kubevirt_allocatable_nodes metric to exclude non-schedulable nodes
  • Replaced QuiesceFailed with QuiesceTimeout for Windows VSS backups, adding a 60s Velero pre-backup hook timeout
  • Fixed low-replica alerts to use the deployment's defined replica count as the baseline
  • Fixed socket devices failing to update health status when Persistent Reservations is enabled
Source

KubeVirt

Orchestration & ManagementMar 16, 2026

KubeVirt v1.6.4 is a patch release with 108 changes targeting stability: a CVE fix in crypto, several hotplug/migration bugs squashed, and new vCPU queue alerting.

  • securityPatch CVE-2025-47913 — upgrade to v1.6.4 now

    CVE-2025-47913 affects the golang/x/crypto dependency. This release pins it to OpenShift's patched fork. If you're running any v1.6.x release before v1.6.4, you're exposed. Upgrade immediately — no workaround exists short of patching the binary yourself.

  • breakingCross-vendor live migrations are now blocked

    KubeVirt will now explicitly prevent live migrations between nodes with different CPU vendors (e.g., Intel to AMD). If your cluster has mixed CPU vendors and you've been relying on cross-vendor migration — intentionally or not — audit your node topology before upgrading. Migrations that previously succeeded may now fail with an error.

  • enhancementAdd vCPU queue alerts to your monitoring setup

    Two new alerts ship in this release: GuestPeakVCPUQueueHighWarning and GuestPeakVCPUQueueHighCritical. If you're running KubeVirt with Prometheus, check that these alerts are picked up by your alerting rules. They give you early warning on guest CPU starvation, which is otherwise invisible until VMs start misbehaving under load.

Key changes (5)
  • CVE-2025-47913 remediated by redirecting golang/x/crypto to the patched openshift/golang-crypto module
  • PCI address stability fixed across upgrades when using v3 hotplug port topology
  • Block volume hotplug no longer breaks autoattachVSOCK
  • New Prometheus alerts: GuestPeakVCPUQueueHighWarning and GuestPeakVCPUQueueHighCritical for guest CPU saturation visibility
  • Memory overcommit is now recalculated on live migration, and cross-vendor migrations are explicitly blocked
Source

Flux

CI/CD & App DeliveryMar 16, 2026

Flux v2.8.3 fixes a critical helm-controller regression that broke templating for charts containing YAML separators or embedded content.

  • breakingUpgrade immediately if using Helm charts with YAML separators

    The regression in v2.8.2 breaks templating for common chart patterns like multi-document YAML files and embedded scripts. Review your Helm deployments for failures and upgrade to v2.8.3 now. Follow the official upgrade procedure for Flux v2.7+ to avoid migration issues.

  • enhancementValidate Helm chart deployments after upgrade

    After upgrading, check that previously failing Helm releases now deploy successfully. Pay special attention to charts that embed certificates, scripts, or use multiple YAML documents. This fix restores functionality that may have silently failed in recent versions.

Key changes (4)
  • Fixed helm-controller templating errors when charts contain '---' separators
  • Resolved issues with embedded scripts and CA certificates in ConfigMaps
  • Added target branch name functionality to CLI update operations
  • Updated toolkit components for improved compatibility
Source

Argo

CI/CD & App DeliveryMar 16, 2026

Argo CD 3.3.4 delivers critical bug fixes for token refresh handling and git-lfs support, plus enhanced security documentation - a maintenance release that improves operational stability.

  • securityVerify signed release assets

    All container images now include cosign signatures and SLSA Level 3 provenance. Use the official verification documentation to validate your container images before deployment, particularly in security-sensitive environments.

  • breakingReview token refresh configurations

    The token refresh fix resolves parsing errors that could affect component behavior. Check your existing token configurations and monitor for any authentication issues after upgrading, especially in multi-component setups.

  • enhancementUpgrade for ppc64le architecture support

    If running on ppc64le systems, this release fixes git-lfs functionality that was previously broken due to missing checksums. Plan your upgrade to restore full git-lfs capabilities on these architectures.

Key changes (5)
  • Fixed token refresh threshold parsing errors affecting unrelated components
  • Added missing git-lfs installer checksum for ppc64le architecture support
  • Updated OpenTelemetry SDK dependencies for better observability
  • Enhanced documentation for cluster version changes and migration guidance
  • Maintained SLSA Level 3 compliance with signed container images and provenance
Source

KServe

AI & MLMar 13, 2026

v0.17.0 delivers substantial LLM-focused improvements with the new LLMInferenceService beta, enhanced storage parallelization, vLLM 0.15.1 upgrade, and important CVE fixes affecting production deployments.

  • securityApply critical CVE patches immediately

    This release addresses several high-impact CVEs including path traversal (storage-initializer), HTTP parser vulnerabilities (h11, starlette), and cryptography subgroup attacks. Update to v0.17.0 promptly, especially if you're using storage-initializer or external model downloads. Review your current CVE scanning results against the patched versions.

  • breakingPlan LLMInferenceService migration path

    The new LLMInferenceService CRD introduces a dedicated API for LLM workloads with different semantics than standard InferenceService. If you're running LLM models, evaluate migrating to this new resource type for better autoscaling, routing, and operational features. The CRD includes breaking changes in API structure.

  • enhancementLeverage parallel storage downloads for faster deployments

    Storage-initializer now downloads blobs in parallel from S3 and Azure, dramatically reducing model loading times for large models. This is particularly beneficial for LLM workloads. No configuration changes needed - the improvement is automatic upon upgrade.

Key changes (5)
  • Introduced LLMInferenceService CRD with webhooks, autoscaling support, and comprehensive Gateway API integration
  • Added parallel blob downloads for S3 and Azure storage, significantly improving model loading performance
  • Upgraded vLLM runtime to 0.15.1 with enhanced startup probes and configuration flexibility
  • Fixed multiple CVEs including path traversal, HTTP parser vulnerabilities, and cryptography issues
  • Added OpenVINO model server runtime and predictive inference server for expanded model format support
Source

OpenFGA

SecurityMar 13, 2026

OpenFGA v1.12.0 improves operational reliability with automatic TLS certificate rotation, enhanced input validation, and critical race condition fixes.

  • securityUpgrade for Go stdlib vulnerability fixes

    This release addresses two Go standard library vulnerabilities (GO-2026-4603 and GO-2026-4601). Plan your upgrade to eliminate these security risks in production deployments.

  • enhancementConfigure gRPC message size limits

    Review your current message sizes and set appropriate limits using the new configuration option to prevent resource exhaustion attacks and improve system stability.

  • enhancementBenefit from automatic certificate rotation

    If you're using cert-manager or similar certificate rotation tools, this release eliminates connection failures during certificate updates. Test your certificate rotation process after upgrading to verify the improvement.

Key changes (5)
  • gRPC message size limits now configurable for better resource control
  • HTTP gateway automatically handles TLS certificate rotation without connection failures
  • Tuple validation rejects unicode control characters and null bytes for security
  • Race condition in check reducers fixed to prevent non-deterministic execution
  • Cache metrics corrected to prevent indefinite upward drift on overwrites
Source

Longhorn

Storage & DataMar 13, 2026

Longhorn v1.11.1 delivers critical bug fixes including a major memory leak in instance manager pods and backup failures with S3-compatible storage, making it an urgent upgrade for v1.11.0 users.

  • securityBackup restore functionality compromised

    S3-compatible backup targets (Storj, GCS) were failing due to AWS SDK v2 authorization issues. Test your backup and restore workflows after upgrading, especially if using non-AWS S3 endpoints. Verify large backup transfers complete successfully.

  • breakingUrgent upgrade required for v1.11.0 users

    Users running v1.11.0 experiencing high memory usage in instance manager pods must upgrade immediately. The memory leak can cause cluster instability and pod evictions. Plan upgrade maintenance window and monitor memory usage during rollout.

  • enhancementImproved scheduling with topology awareness

    New CSI topology-aware nodeAffinity controls provide better volume placement. Review your storage class configurations to leverage allowedTopologies and strictTopology settings for multi-zone deployments and specific node scheduling requirements.

Key changes (5)
  • Fixed critical memory leak in longhorn-instance-manager pods caused by proxy connection leaks
  • Resolved AWS SDK v2 compatibility issues causing backup failures to S3-compatible storage like Storj and GCS
  • Enhanced V2 Data Engine with improved fast replica rebuild and clone functionality
  • Added CSI topology-aware PV nodeAffinity control for better scheduling
  • Fixed storage double-counting that caused scheduling failures when multiple replicas exist on same node
Source

Strimzi

Networking & MessagingMar 12, 2026

Strimzi 0.45.2 is the final patch release for the 0.45.x branch, focusing on critical CVE fixes and Kafka 3.9.2 support while serving as the last version supporting ZooKeeper-based clusters.

  • securityApply patch immediately for CVE fixes

    This release addresses multiple high-priority CVEs in ZooKeeper, JWT libraries, and networking components. Upgrade to 0.45.2 immediately to patch these vulnerabilities, especially if you handle sensitive data or run internet-facing services.

  • breakingMigrate to KRaft before upgrading beyond 0.45.x

    This is your last chance to run ZooKeeper-based Kafka clusters in Strimzi. Plan your KRaft migration now since Strimzi 0.46+ will only support KRaft mode. Follow the official KRaft migration guide and test thoroughly in non-production first.

  • breakingHandle Kafka 3.9.2 annotation issue for future upgrades

    If you're using Kafka 3.9.2, upgrading to Strimzi 0.46-0.51 will require manually updating pod annotations. Save the provided kubectl command for when you upgrade: it updates the Kafka version annotation on pods to prevent operator failures.

Key changes (5)
  • Final patch release for 0.45.x branch - no further patches will be released
  • Added support for Apache Kafka 3.9.2 with container image updates
  • Multiple CVE fixes including ZooKeeper CVE-2024-47554, Nimbus Jose JWT CVE-2025-53864, and GRPC Netty Shaded CVE-2025-55163
  • Last Strimzi version to support ZooKeeper-based Kafka clusters and MirrorMaker 1
  • Upgraded dependency versions: Vert.x 4.5.24, Netty 4.1.130.Final, Apache Log4J 2.25.3, Cruise Control 2.5.146
Source

Flux

CI/CD & App DeliveryMar 12, 2026

Flux v2.8.2 delivers critical fixes for reconciliation loops, Azure Container Registry authentication, and includes a security patch for CVE-2026-27138. The release focuses on operational stability improvements.

  • securityApply CVE-2026-27138 patch immediately

    This release fixes a potential Denial of Service vulnerability during TLS handshakes. Schedule your upgrade to v2.8.2 as soon as possible, especially if your Flux installation handles external TLS connections or operates in environments with security compliance requirements.

  • enhancementEnable DefaultToRetryOnFailure for better HelmRelease reliability

    If you use CancelHealthCheckOnNewRevision and have experienced stuck HelmReleases, enable the new DefaultToRetryOnFailure feature gate. This prevents canceled releases without retry strategies from hanging indefinitely, improving deployment reliability.

  • enhancementVerify Azure Container Registry authentication after upgrade

    The ACR authentication scope fix may resolve intermittent authentication failures you've experienced with Azure registries. After upgrading, monitor your image pulls and source operations to confirm improved reliability with ACR repositories.

Key changes (5)
  • Fixed unnecessary reconciliation requests when source objects are already processing the current revision
  • Resolved Helm template YAML separator bug by upgrading to Helm 4.1.3
  • Added DefaultToRetryOnFailure feature gate to prevent HelmReleases from getting stuck when canceled
  • Corrected Azure Container Registry authentication scope for proper access
  • Patched CVE-2026-27138 TLS handshake DoS vulnerability by building with Go 1.26.1
Source

Linkerd

Networking & MessagingMar 12, 2026

Linkerd edge-26.3.2 delivers routine dependency updates across Rust, Go, and Node.js components, plus a metrics improvement that prevents scraping from failed pods and completed jobs.

  • enhancementMonitor metrics collection improvements

    The update excludes failed pods and completed jobs from proxy metrics scraping, reducing noise in your monitoring data. Review your current metrics dashboards to see if you notice cleaner data patterns after upgrading, and consider adjusting any alerting thresholds that may have been accounting for this noise.

  • enhancementTest edge release in non-production first

    This edge release bundles many dependency updates at once. Deploy to staging environments first to validate that the combined changes don't introduce unexpected behavior in your specific workload patterns before rolling to production clusters.

Key changes (4)
  • Updated proxy to v2.342.0 with latest improvements
  • Comprehensive dependency updates across Rust (pin-project-lite, ryu, anyhow), Go (gRPC, klog), and JavaScript (webpack, babel-loader) components
  • Enhanced metrics collection by excluding failed pods and completed jobs from proxy scraping
  • Upgraded Docker build actions to v4.0.0 and v7.0.0 for improved CI/CD workflows
Source

Helm

Kubernetes CoreMar 12, 2026

Helm v3.20.1 fixes two critical bugs affecting chart value handling and OCI registry operations that could cause deployment failures.

  • enhancementUpgrade immediately for value handling fixes

    This patch resolves two bugs that could break chart deployments. The nil value preservation fix prevents unexpected behavior when overriding chart defaults, while the OCI tag+digest fix enables proper chart pulling from registries using both identifiers. Test your existing charts after upgrading to ensure value overrides work as expected.

  • enhancementVerify OCI chart references work properly

    If you use OCI registries with tag+digest references (like `registry/chart:v1.0@sha256:abc123`), this release fixes previous 'invalid byte' errors. Update your CI/CD pipelines to use this version before relying on tag+digest combinations for chart immutability.

Key changes (4)
  • Fixed nil value preservation bug when charts have empty maps or no defaults for keys
  • Resolved OCI reference failures with tag+digest causing 'invalid byte' errors
  • Updated Kubernetes dependencies to latest versions
  • Added support for pulling charts from OCI indices
Source

Helm

Kubernetes CoreMar 11, 2026

Helm v4.1.3 patches multiple critical bugs affecting OCI registries, dry-run operations, and value handling that were causing deployments to fail or behave unpredictably in production environments.

  • breakingUpdate OCI registry workflows immediately

    If you use OCI registries that store both container images and Helm charts under the same tag, upgrade now. The previous bug caused complete pull failures. Test your chart pulls after upgrading to ensure compatibility with your registry setup.

  • enhancementReview autoscaling upgrade timeouts

    Upgrades now properly wait for cluster autoscalers and rolling updates instead of failing prematurely. Review your deployment pipelines and consider reducing any artificial delays you added to work around this issue. Monitor initial upgrades closely to verify improved behavior.

  • enhancementValidate dry-run operations with generateName

    Server-side dry-run now correctly handles generateName fields. If you've been avoiding dry-run validation for resources using generateName, re-enable it in your CI/CD pipelines. This improves pre-deployment validation coverage.

Key changes (5)
  • Fixed dry-run server mode not respecting generateName, causing validation issues
  • Resolved OCI registry failures when pulling charts from mixed container/chart repositories
  • Fixed nil value preservation preventing proper chart defaults overrides
  • Corrected FailedStatus handling that caused premature upgrade failures during autoscaling
  • Eliminated YAML corruption from template whitespace trimming after post-rendering
Source

Dragonfly

Storage & DataMar 11, 2026

Dragonfly v2.4.3 is a pure maintenance release focusing on dependency updates and security patches, with no functional changes for users.

  • securityApply routine security updates

    This patch release includes dependency updates that may contain security fixes. Update your Dragonfly deployments to v2.4.3 during your next maintenance window. The upgrade should be seamless with no breaking changes or configuration updates required.

  • enhancementImproved observability with OpenTelemetry updates

    The OpenTelemetry library updates from v0.63.0 to v0.67.0 provide better tracing capabilities. If you're using distributed tracing with Dragonfly, you may see improved trace collection and reduced overhead after upgrading.

Key changes (5)
  • Updated OpenTelemetry libraries from v0.63.0 to v0.67.0 for improved observability
  • Upgraded Docker actions to v4.0.0 for GitHub CI/CD workflows
  • Bumped Golang system dependencies including oauth2 and sys packages
  • Updated d7y.io/api to v2.2.24 for latest API compatibility
  • Refreshed GitHub Actions dependencies for stale issue management
Source

KubeEdge

Provisioning & RuntimeMar 11, 2026

KubeEdge v1.23 ships a major edge DB refactor (Beego → GORM), node query optimization to cut edge-cloud bandwidth, device anomaly detection in CRDs, and solid Windows EdgeCore improvements.

  • breakingUpdate all Device status reads to use the new DeviceStatus CRD

    Device status has been extracted from the Device CRD into a standalone DeviceStatus CRD. The release says backward compatibility is maintained for the CRD schema itself, but any code, scripts, or automation that reads device status directly from the Device object will silently miss updates after the upgrade. Audit your operators, dashboards, and GitOps pipelines before upgrading — reroute status reads to the new DeviceStatus CRD.

  • enhancementValidate edge DB behavior after the Beego-to-GORM migration

    The entire edge database layer has been rewritten. GORM replaces Beego ORM and all DB operations are now funneled through a single MetaManager entry point. This is a lower-risk change but still a deep internal refactor. Run your existing edge workloads against a staging environment on v1.23 before rolling to production — watch for any edge cases in MetaManager behavior, especially around reconnect and offline-mode scenarios.

  • enhancementTake advantage of local node query optimization for large deployments

    If you're running dozens or hundreds of edge nodes, the shift from remote CloudCore node queries to local edge DB lookups should noticeably reduce your edge-cloud tunnel bandwidth. No configuration change is required — CloudCore automatically syncs node updates to the edge DB. Still worth monitoring your edge-cloud channel metrics post-upgrade to confirm the improvement in your specific topology.

Key changes (6)
  • Edge DB refactored from Beego ORM to GORM with a unified MetaManager entry point — lighter binary, cleaner code path
  • Node queries now served from local edge DB instead of remote CloudCore calls, reducing edge-cloud channel pressure at scale
  • Device anomaly detection is now configurable in Device CRD pushMethod and pluggable at the mapper level
  • Device CRD status split into a separate DeviceStatus CRD — existing consumers must update their queries
  • Windows EdgeCore improvements: named pipe DMI, version-aware keadm upgrade, and log file redirection for service mode
  • Vendored Kubernetes bumped to v1.32.10
Source

Envoy

Networking & MessagingMar 11, 2026

Envoy v1.37.1 is a critical security patch addressing five CVEs including crash vulnerabilities and RBAC bypasses. Teams running production Envoy should prioritize immediate updates.

  • securityApply critical CVE fixes immediately

    Five CVEs fixed including crash conditions in rate limiting and IPv6 handling, plus an RBAC bypass. Test your deployment in staging first, then schedule emergency maintenance to update production clusters within 24-48 hours.

  • enhancementReview OAuth2 and ext_authz configurations

    If you use OAuth2 refresh tokens, verify host header behavior works correctly after the fix. For ext_authz users, check that error handling now properly respects your status_on_error settings and denied response headers reach clients as expected.

  • enhancementValidate ext_proc filter chains

    Multiple ext_proc filters in a chain now work correctly. If you previously avoided chaining due to bugs, test this functionality in your development environment to simplify complex processing pipelines.

Key changes (5)
  • Fixed five security vulnerabilities including rate limit crash, multivalue header RBAC bypass, and IPv6 address crash
  • Resolved OAuth2 host header rewriting issue affecting refresh token requests
  • Enhanced ext_proc filter to support multiple filters in chain configuration
  • Improved ext_authz error handling for 5xx responses and proper header propagation
  • Introduced extended ABI forward compatibility for dynamic modules
Source

Envoy

Networking & MessagingMar 11, 2026

Envoy v1.36.5 delivers critical security patches addressing five CVEs including crash vulnerabilities in rate limiting, RBAC bypass issues, and memory corruption bugs that require immediate upgrading.

  • securityUpgrade immediately for critical crash fixes

    Multiple CVEs can cause Envoy crashes or memory corruption. The rate limiting crash (CVE-2026-26330) and IPv6 address handling bug (CVE-2026-26310) pose immediate availability risks. Schedule emergency maintenance windows to deploy this patch, especially if you use rate limiting or handle IPv6 traffic.

  • securityReview RBAC policies for multivalue header bypass

    CVE-2026-26308 allowed bypassing RBAC rules through multivalue headers. After upgrading, audit your RBAC configurations to ensure they weren't exploited and verify that header-based access controls work as expected in your environment.

  • enhancementTest OAuth2 workflows after host rewriting fix

    The OAuth2 refresh bug fix changes how host headers are handled during authentication flows. If you use Envoy for OAuth2 with custom host rewriting rules, test your authentication workflows thoroughly after upgrading to ensure tokens refresh correctly.

Key changes (5)
  • Five CVE fixes covering rate limit crashes, RBAC multivalue header bypass, IPv6 address handling crashes, JSON string corruption, and HTTP decode method blocking
  • OAuth2 refresh request bug fix preventing host rewriting from overriding original Host values
  • Migration from internal googleurl to open source Google GURL library
  • Kafka test binary updated to version 3.9.2
  • Docker base image security updates
Source

Envoy

Networking & MessagingMar 10, 2026

Envoy v1.35.9 delivers critical security patches for four CVEs affecting RBAC, IPv6 handling, JSON processing, and HTTP decoding, plus OAuth2 host rewriting fixes.

  • securityUpgrade immediately for critical security fixes

    Four CVEs fixed in this release could lead to authentication bypass, crashes, and memory corruption. Schedule immediate deployment especially if using RBAC policies, IPv6 networking, JSON processing, or experiencing downstream connection resets. Test thoroughly in staging first as security fixes can affect request handling behavior.

  • enhancementValidate OAuth2 host rewriting behavior

    OAuth2 refresh requests now correctly preserve original Host headers instead of being overridden. If your setup relies on custom host rewriting for OAuth2 flows, verify that authentication still works as expected after upgrading. This change improves compliance with OAuth2 specifications.

Key changes (5)
  • Four CVE fixes addressing RBAC multivalue header bypass, IPv6 crash, JSON corruption, and HTTP decode blocking issues
  • OAuth2 refresh requests now preserve original Host header values during host rewriting
  • Migration from internal googleurl to open GitHub repository (google/gurl)
  • Kafka test binary updated to version 3.9.2
  • Docker base images refreshed to latest versions
Source

containerd

Kubernetes CoreMar 10, 2026

containerd 2.2.2 fixes critical CRI networking bugs, registry credential leakage, and AppArmor compatibility issues that could affect production Kubernetes workloads.

  • securityUpdate to prevent registry credential exposure

    Registry credentials could leak in error messages and pod events. Deploy this patch immediately if you use private registries with authentication, as these credentials might appear in logs or Kubernetes events that could be accessed by unauthorized users.

  • breakingFix CNI network cleanup after restarts

    CNI DEL operations weren't executing after containerd restarts, leaving stale network configurations. This affects pod networking reliability. Update before your next maintenance window to prevent network namespace leaks and potential IP conflicts.

  • enhancementUpgrade for AppArmor compatibility

    AppArmor profiles now work correctly with unix domain sockets on modern kernels. If you're running newer kernel versions and experiencing socket connection issues with AppArmor enabled, this update resolves the compatibility problem.

Key changes (5)
  • Fixed CNI cleanup issue where network teardown failed after containerd restarts
  • Resolved credential leakage in error messages when registry authentication fails
  • Fixed AppArmor profile causing unix socket failures on newer kernels
  • Corrected registry mirror configuration migration for legacy setups
  • Fixed nil pointer crashes in memory metrics when constraints are partially configured
Source

Envoy

Networking & MessagingMar 10, 2026

Critical security patch addressing four CVEs including RBAC bypass, IPv6 crash, memory corruption, and HTTP decode vulnerabilities that require immediate upgrade.

  • securityUpgrade immediately for RBAC bypass fix

    CVE-2026-26308 allows attackers to bypass RBAC policies using multivalue headers. This directly impacts access control security. Schedule emergency maintenance to upgrade all Envoy instances, especially those using RBAC for authorization.

  • securityPatch IPv6 crash vulnerability in production

    CVE-2026-26310 causes crashes when processing scoped IPv6 addresses, leading to service disruption. If you handle IPv6 traffic or run dual-stack configurations, prioritize this upgrade to prevent potential DoS attacks.

  • securityAddress JSON processing memory corruption

    CVE-2026-26309 corrupts string null terminators during JSON processing, potentially leading to memory corruption or information disclosure. Update immediately if your services process JSON payloads through Envoy.

Key changes (5)
  • Fixed CVE-2026-26308 multivalue header bypass in RBAC that could allow unauthorized access
  • Resolved CVE-2026-26310 crash vulnerability when processing scoped IPv6 addresses
  • Patched CVE-2026-26309 off-by-one memory write bug in JSON processing
  • Fixed CVE-2026-26311 HTTP decode method vulnerability after downstream resets
  • Corrected OAuth2 refresh request host rewriting behavior
Source
← NewerOlder →
Browse by month