RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Jul 2026Clear ×

Litmus

ObservabilityTodayJul 15, 2026

Litmus 3.31.0 is a routine bugfix release addressing memory leaks in GraphQL subscriptions, probe initialization and validation issues, user handler correctness, and infrastructure resolver safety. Documentation updates include Node experiment Tunables and otel-demo OpenSearch integration; test coverage has been expanded.

Key changes (10)
  • Probe comparator type reference now initialized correctly from loaded probe data
  • GraphQL subscription resolvers fixed to prevent memory leaks and deadlocks under load
  • FileHandler now properly stopped after error responses
  • bcrypt failures in CreateUser handler now return errors instead of proceeding silently
  • GetInfraDetails resolver now enforces ValidateRole error checks and guards against empty ExperimentDetails slice panics
  • UI state synchronization for queued experiments fixed via GraphQL
  • Probe uniqueness check added to prevent duplicates
  • Username validation checks fixed
  • Makefile paths corrected for event-tracker and subscriber build targets
  • Test coverage expanded with fuzz and unit tests for ChaosHub GitOps, subscriber labels, image registry, and MongoDB operator logic
Source

Envoy

Networking & MessagingYesterdayJul 14, 2026

Envoy v1.39.0 is a major release combining several breaking behavior changes (mandatory keyUsage enforcement, disabled DLB balancer, stricter TLS inspector validation, changed OTel sampling behavior) with a large batch of roughly 20 medium-severity CVE fixes spanning HTTP/2, HTTP/3, ext_authz, ext_proc, OAuth2, DNS, and several other subsystems. It also ships extensive non-actionable feature and performance work, including dynamic-modules extension points and a new streaming JSON parser for AI protocols.

  • securityBroad CVE batch fixed across core protocol and extension code

    This release fixes roughly 20 CVEs across HTTP/2, HTTP/3, ext_authz, ext_proc, gRPC stats, internal redirects, OAuth2, DNS, JSON parsing, PROXY protocol, formatters, StatsD, TLS SAN handling, and Zstd decompression, all rated medium by the notes. Notable ones include HTTP/2 cookie-based header-limit bypass (CVE-2026-47774), HTTP/3 QPACK blocked-decoding DoS (GHSA-p7c7-7c47-pwch), and Zstd decompression memory exhaustion (CVE-2026-48044). The fixes ship in v1.39.0.

  • securityOAuth2 cookie encryption moves to AES-256-GCM (opt-in migration)

    OAuth2 adds AES-256-GCM cookie encryption to address CVE-2026-47775, replacing the older CBC-based scheme. Migration is opt-in: enable oauth2_use_gcm_encryption, monitor the oauth_legacy_cbc_decrypt metric, then disable oauth2_legacy_cbc_decrypt_compat once legacy decryption is no longer observed.

  • breakingCertificate keyUsage enforcement is now mandatory

    Envoy now always enforces the certificate keyUsage extension; the enforce_rsa_key_usage field is deprecated and ignored. This applies unconditionally starting in v1.39.0, so certificates that previously relied on lax enforcement may now fail validation.

  • breakingDLB connection balancer disabled in all builds

    The Intel DLB connection balancer (envoy.network.connection_balance.dlb) is disabled in all builds because of a broken source archive. This applies wherever that extension is configured.

  • breakingTLS inspector now rejects out-of-range client TLS versions

    The TLS inspector now validates that client TLS versions fall between 1.0 and 1.3, rejecting anything outside that range. The check is unconditional in v1.39.0 but can be reverted with envoy.reloadable_features.tls_inspector_enforce_client_tls_version.

  • breakingOTel tracing now defers to Envoy's own sampling decision

    The OpenTelemetry tracer now honors Envoy's own request-entry sampling decision, including overall_sampling, even when a propagated trace context or configured sampler requests sampling. This applies to deployments relying on downstream or context-based sampling overriding Envoy's local config, and may reduce the volume of exported spans.

Key changes (8)
  • Roughly 20 medium-severity CVE fixes across HTTP/2, HTTP/3, ext_authz, ext_proc, gRPC stats, internal redirects, OAuth2, DNS, JSON parsing, PROXY protocol, formatters, StatsD, TLS SAN handling, and Zstd decompression; notable ones include CVE-2026-47774 (HTTP/2 cookie header-limit bypass), GHSA-p7c7-7c47-pwch (HTTP/3 QPACK DoS), and CVE-2026-48044 (Zstd memory exhaustion)
  • OAuth2 gains AES-256-GCM cookie encryption (CVE-2026-47775) with an opt-in, staged migration path off legacy CBC decryption
  • Certificate keyUsage enforcement is now mandatory (enforce_rsa_key_usage deprecated); TLS inspector now rejects client TLS versions outside 1.0-1.3
  • Intel DLB connection balancer extension disabled in all builds due to a broken source archive
  • OpenTelemetry tracer now defers to Envoy's own sampling decision (including overall_sampling), which may reduce exported spans
  • Unified DNS cluster implementation is now the default, enabling shared c-ares resolvers and qcache across clusters
  • HeaderMatcher now matches separately supplied header values individually rather than only their comma-joined form (revertible via feature gate)
  • Large non-actionable batch: dynamic-modules extension points and Rust SDK, new Wuffs-based streaming JSON parser for MCP/A2A/OpenAI/Anthropic, new bandwidth-sharing and sub-filter-chain HTTP filters, CNSA/post-quantum TLS policies, io_uring and SO_REUSEPORT BPF performance work, plus numerous bugfixes (connection-pool re-entrancy, DNS resolver leaks, Golang filter re-entry)
Source

Backstage

CI/CD & App DeliveryYesterdayJul 14, 2026

Backstage v1.53.0 is a feature release with seven breaking changes across auth, CLI, and API layers. The SSE MCP transport, proxy agent bootstrap, and OpenAPI testing CLI commands are removed; OAuth redirect validation is tightened to reject wildcards crossing host-path boundaries and embedded credentials; config-loader enforces strict type checking; and EntityContextMenuItemBlueprint changes output structure. Optic is replaced by oasdiff for OpenAPI tooling. Numerous bugfixes address TechDocs, Scaffolder, and catalog issues; new features include breadcrumbs framework, user settings storage, and extended auth/database options. No security fixes are included.

  • breakingSSE MCP transport removed

    The Server-Sent Events (SSE) transport for MCP actions has been removed from @backstage/plugin-mcp-actions-backend. If your deployment uses the SSE transport, switch to the Streamable HTTP endpoint or update your MCP configuration.

  • breakingStricter config-loader type validation

    Config-loader now validates imported types in TypeScript configuration schemas instead of treating them as unconstrained. Invalid imports will cause schema loading to fail. Review your configuration schemas for unresolved or missing type imports.

  • breakingTighter OAuth redirect URI and CIMD allowlist matching

    Wildcard patterns in OAuth redirect URIs are now constrained: patterns must include an explicit protocol, wildcards no longer match across host and path boundaries, and embedded credentials are always rejected. Patterns like http://localhost:* now match only the root path; use http://localhost:*/* to allow any path. Update your auth configuration to match this stricter syntax.

  • breakingEntityContextMenuItemBlueprint output type change

    The EntityContextMenuItemBlueprint API now outputs menu item data instead of a rendered MUI element; the icon type is now IconElement. Update any code that depends on the catalog entity context menu to use the new data structure.

  • breakingLegacy proxy agent bootstrap removed

    The bootstrapEnvProxyAgents export has been removed from @backstage/cli-common, along with global-agent and undici dependencies. If you rely on this export, use Node's native NODE_USE_ENV_PROXY environment variable instead.

  • breakingOpenAPI CLI commands and wrapInOpenApiTestServer removed

    The package schema openapi init and repo schema openapi test CLI commands have been removed. Runtime OpenAPI validation is still available via wrapServer from @backstage/backend-openapi-utils/testUtils. The wrapInOpenApiTestServer function has also been removed; use wrapServer instead.

  • breakingOpenAPI tooling switched from Optic to oasdiff

    Optic (@useoptic/optic and @useoptic/openapi-utilities) has been replaced with oasdiff in @backstage/repo-tools for OpenAPI breaking change detection. Update any tooling or CI/CD pipelines that reference Optic.

Key changes (10)
  • SSE MCP transport removed from @backstage/plugin-mcp-actions-backend; use Streamable HTTP endpoint
  • Config-loader now enforces strict type validation; invalid imports cause schema load failure
  • OAuth redirect URI validation tightened: explicit protocol required, credentials rejected, wildcards constrained (http://localhost:* matches root only; use http://localhost:*/* for any path)
  • EntityContextMenuItemBlueprint changed to output data instead of MUI elements (icon is now IconElement)
  • bootstrapEnvProxyAgents removed from @backstage/cli-common; use NODE_USE_ENV_PROXY instead
  • OpenAPI CLI commands (package schema openapi init, repo schema openapi test) and wrapInOpenApiTestServer removed; use wrapServer
  • Optic replaced with oasdiff for OpenAPI breaking change detection in @backstage/repo-tools
  • Catalog entity page migration to BUI and entity header extension deprecation in progress
  • Fixes for TechDocs metadata loop, DatabaseTaskStore string cast, Bitbucket pickers, catalog export crashes, EntityTypePicker regression, scheduled task registration, React key warnings, Kubernetes schema inclusion, yeoman-environment v4 compatibility, and TechDocs blank page rendering
  • Enhancements: breadcrumbs framework, TextAreaField UI component, react-aria-components re-export, user settings plugin, multi-config BACKSTAGE_ENV stacking, Azure DevOps webhooks, CIMD token revocation, Redis connection options, S3 PrivateLink, Auth0 prompt parameters, embedded postgres flags, extension predicate action attributes
Source

Flux

CI/CD & App DeliveryJul 13, 2026

Flux v2.9.2 is a routine patch that resolves a v2.9.1 regression breaking Kustomization reconciliation with URL-based OpenAPI schema paths, corrects several CRD field descriptions, and updates dependencies.

Key changes (4)
  • Fixes Kustomization reconciliation regression in v2.9.1 when openapi.path points to a URL
  • Corrects HelmChart CRD description (.status.url) and ImageRepository CRD description (.status.observedExclusionList)
  • Fixes ImageUpdateAutomation CRD description (.status.observedSourceRevision) removing leaked Go struct declaration
  • Updates fluxcd/pkg dependencies and toolkit components
Source

Dapr

Orchestration & ManagementJul 10, 2026

Dapr v1.16.17 is a bugfix patch that relaxes overly strict character validation in the Scheduler service for actor reminders and jobs. Reminder names, job names, and actor IDs may now contain characters like `|` and `@`, aligning Scheduler validation with the rest of Dapr's API. No breaking changes or security fixes.

Key changes (3)
  • Scheduler now accepts a broader range of characters in reminder names, job names, and actor IDs (any except `/`, `\`, `#`, `?`, control characters, `.`, and `..`), fixing registration failures for names containing `|`, `@`, and similar characters
  • Validation error messages corrected to accurately describe disallowed characters instead of incorrectly claiming only lowercase was permitted
  • Fixed reminder listing for actors whose IDs contain `||`
Source

Kyverno

SecurityJul 10, 2026

Kyverno v1.18.2 is a patch release fixing a HIGH security issue (GHSA-79gf-7frw-68m9) where generator policies could bypass namespace boundaries, plus backported security dependency updates, watcher restart fixes, and several CLI and policy improvements.

  • securityPatch namespace boundary bypass in generator policies

    Generator policies could bypass namespace boundaries when applying rules, allowing cross-namespace policy enforcement. Upgrade to v1.18.2 to restore proper isolation.

  • securityApply security dependency updates

    Security dependency updates have been backported to address known vulnerabilities in transitive dependencies.

Key changes (7)
  • HIGH: Namespace boundary enforcement in generator policies patched (GHSA-79gf-7frw-68m9)
  • Security dependency updates backported
  • Background reporting now restarts dynamic watchers correctly on 410 Gone responses
  • Required validation policies no longer abort on image mismatches
  • CLI now accepts multiple CRDs in a single --crd-path file
  • pss-helm policy chart adds 'image' to allowed volume types
  • Report label prefixes corrected for multi/delegated policies
Source

CoreDNS

Kubernetes CoreJul 10, 2026

CoreDNS v1.14.5 is a maintenance release improving DoH/DoH3 transport safety and forward plugin robustness with per-upstream read timeout configuration. Three behavior changes affect TLS defaults, DoQ timeout handling, and forward plugin configuration; no CVE fixes.

  • breakingTLS defaults switch to Go standard library

    CoreDNS v1.14.5 now uses Go's standard TLS defaults instead of custom configuration. Review and test any TLS-dependent setups, particularly for DoH/DoH3 transport, to ensure compliance with your security requirements.

  • breakingDoQ stream reads now bounded by server timeout

    DNS over QUIC (DoQ) stream reads are now bounded by the server read timeout. Check if your DoQ deployments have appropriate read timeout values configured; streams that previously hung indefinitely will now time out.

  • enhancementPer-upstream read timeout now configurable

    The forward plugin now accepts per-upstream read timeout configuration. If you have asymmetric upstream latency or need fine-grained control per resolver, you can now configure this; existing setups continue to use the server-level read timeout.

Key changes (7)
  • TLS now uses Go defaults instead of custom config
  • DoQ stream reads bounded by server read timeout; configure appropriately
  • Forward plugin: per-upstream read timeout configuration added
  • Forward plugin now supports DoH; dnstap FORWARDER_* events reflect upstream socket details
  • Forward plugin restored ability to continue when config file is empty
  • Transfer targets can include scoped IPv6 addresses; dnstap and NXDOMAIN classification improvements
  • Plugin fixes: dnstap connection reuse and listener deadlock, file SOA/wildcard handling, rewrite nil-pointer panic and question restoration, secondary catalog parsing, hosts data race and wildcard support, kubernetes AXFR panic, erratic truncate default, plus ~6 smaller robustness fixes
Source

containerd

Kubernetes CoreJul 10, 2026

containerd v2.3.3 is a routine patch release addressing bugs in CRI sandbox handling, NRI pod teardown, registry error reporting, and EROFS block size alignment.

Key changes (7)
  • NRI nil pointer dereference during pod sandbox teardown or container exit fixed
  • CRI now rejects CreateContainer calls against non-running sandboxes
  • RunPodSandbox ensures sandbox shutdown on hook failures to prevent mount leaks
  • Registry client surfaces OCI error details in 403 responses via GET fallback
  • EROFS snapshotter aligns 4K mkfs block size consistently across all platforms
  • SystemTemp environment variable set on Windows for correct temp directory override handling
  • Go updated to 1.26.5; runhcs to v0.15.0-rc.3
Source

containerd

Kubernetes CoreJul 9, 2026

containerd v2.2.6 is a routine patch addressing CRI sandbox lifecycle bugs (nil pointer dereference, invalid container creation, hook failure cleanup) and an image distribution fix to prevent content store pollution. No breaking changes or operator action required.

Key changes (5)
  • Fixed nil pointer dereference in NRI GetIPs during pod sandbox teardown
  • CreateContainer now rejected when sandbox is not running
  • RunPodSandbox ensures proper cleanup on hook failures, preventing mount leaks
  • Limited /blobs fallback during image resolution to reduce content store pollution
  • Go toolchain updated to 1.26.5 / 1.25.12
Source

containerd

Kubernetes CoreJul 9, 2026

containerd v2.0.11 is a routine patch fixing a content-store pollution issue that could occur during image reference resolution by restricting fallback to the /blobs endpoint. Go toolchain has been bumped to 1.26.5 and 1.25.12.

Key changes (2)
  • Content-store pollution mitigation: limits /blobs endpoint fallback during image ref resolution
  • Go toolchain updated to 1.26.5 and 1.25.12
Source

containerd

Kubernetes CoreJul 9, 2026

containerd v1.7.34 is a routine patch release fixing a CRI bug where container exit events could be lost if they arrived before the container info was cached, with Go toolchain and golang.org/x/* dependency updates.

Key changes (3)
  • CRI bug fix: container exit events no longer lost when arriving before container info is cached
  • Go toolchain updated to 1.26.5 and 1.25.12
  • golang.org/x/* dependencies updated: crypto (v0.45.0→v0.52.0), mod (v0.29.0→v0.35.0), net (v0.47.0→v0.55.0), sync (v0.18.0→v0.20.0), sys (v0.38.0→v0.45.0), term (v0.37.0→v0.43.0), text (v0.31.0→v0.37.0)
Source

Helm

Kubernetes CoreJul 9, 2026

Helm v3.21.3 is a routine patch that removes the containerd v1 dependency to address CVEs identified by govulncheck, and incorporates code review feedback.

Key changes (2)
  • Dropped containerd v1 dependency to resolve govulncheck-flagged CVEs
  • Applied code review suggestions from prior pull request
Source

Helm

Kubernetes CoreJul 9, 2026

Helm v4.2.3 was released with insufficient source material; the release notes contain only placeholder links and no documented changes. Review the repository directly for any updates.

Source

SPIRE

SecurityJul 9, 2026

SPIRE v1.15.2 is a mixed release addressing security concerns through docker/docker to moby/moby migration (resolving CVEs) and a HIGH-severity delegated identity API restriction preventing JWT-SVID exposure for admin or downstream entries. The release also introduces the SPIFFE Broker, per-caller rate limiting, TLS metrics endpoint support, and numerous performance and compatibility improvements across multiple attestors and plugins.

  • securityResolve docker/docker CVEs via moby/moby migration

    docker/docker dependencies have been migrated to moby/moby equivalents to resolve Docker/Moby CVEs. Upgrade to v1.15.2.

  • breakingDelegated API no longer serves JWT-SVIDs for admin/downstream entries

    The delegated identity API no longer serves JWT-SVIDs for admin or downstream entries. If you use the delegated identity API with admin or downstream entries, verify that clients no longer depend on JWT-SVID tokens from those entry types.

Key changes (7)
  • Security: docker/docker migrated to moby/moby to resolve CVEs
  • Security: Delegated identity API restricted—no longer serves JWT-SVIDs for admin or downstream entries
  • Enhancement: Per-caller rate limiting for agent Workload API and Envoy SDS
  • Enhancement: TLS support for Prometheus metrics endpoint with optional SPIFFE ID allowlist
  • Enhancement: SPIFFE Broker endpoint and API introduced
  • Performance: Attested nodes now fetched in bulk; optimized MySQL list entries query for reduced database load
  • Plus 16 additional features, fixes, and improvements: post-quantum cryptography curves, aws_kms tag-based discovery, azure_imds fixes, CA journal durability, structured logging, Windows SE_DEBUG_PRIVILEGE support, and more
Source

Argo

CI/CD & App DeliveryJul 9, 2026

Argo CD v3.4.5 is a routine patch addressing seven bug fixes across reposerver manifest generation, SSA auth handling, sync behavior, UI display, and Dex configuration, plus dependency updates. No breaking or security changes.

Key changes (7)
  • Reposerver now honors source repository depth instead of primary source when generating manifests
  • Server-Side Apply (SSA) auth reconcile disabled to prevent incorrect reconciliation
  • Fixed auto-sync skip when newer commits arrived during manifest-generate-paths sync
  • Deleted resources no longer incorrectly displayed as present in the UI
  • Replace sync option no longer clobbers non-ignored fields
  • Dex config environment variable substitution regression fixed
  • golang.org/x/crypto bumped to 0.53.0; Ubuntu base image updated to 26.04 LTS
Source

Flatcar Container Linux

Provisioning & RuntimeJul 9, 2026

Flatcar stable-4593.2.4 is a security-only release: the Linux kernel moves to 6.12.95, closing a large batch of CVEs (critical severity), alongside a routine ca-certificates bump to 3.125. There are no other bug fixes or behavioral changes in this build.

  • securityUpdate to kernel 6.12.95 to close a large batch of CVEs

    Flatcar stable-4593.2.4 bundles fixes for well over 130 Linux kernel CVEs (including CVE-2026-46242, CVE-2026-53332, CVE-2026-53331, CVE-2026-53356, CVE-2026-53329 among many others) by updating the kernel to 6.12.95. Rated critical; upgrade promptly across fleets since it touches the base OS kernel on every node.

Key changes (3)
  • Kernel updated to 6.12.95 (incl. 6.12.94), fixing well over 130 CVEs rated critical, including CVE-2026-46242, CVE-2026-53332, CVE-2026-53331, CVE-2026-53356 and CVE-2026-53329
  • ca-certificates package updated to version 3.125 (routine trust-store refresh)
  • No reported bug fixes or behavioral changes outside the kernel security update
Source

Flatcar Container Linux

Provisioning & RuntimeJul 9, 2026

Flatcar Container Linux lts-4081.3.9 is a security-focused patch delivering a large kernel CVE fix set via Linux 6.6.144, alongside a ca-certificates update. No breaking changes or removals.

  • securityPatch 144 kernel CVEs via Linux 6.6.144

    Flatcar Container Linux lts-4081.3.9 bundles 144 Linux kernel CVEs fixed via upgrade to kernel 6.6.144 (which also incorporates 6.6.143 and 6.6.142). The highest-severity issues in this set include multiple vulnerabilities affecting core kernel subsystems; a sample of notable CVEs: CVE-2026-46242, CVE-2026-53357, CVE-2026-52941. Upgrade to patch your running systems.

Key changes (2)
  • 144 Linux kernel CVEs (HIGH severity, max) addressed in kernel 6.6.144 update
  • ca-certificates bumped to version 3.125
Source

TiKV

Storage & DataJul 9, 2026

TiKV/TiDB v8.5.7 is a mixed release combining several default/behavior changes operators must review (stricter max_ts and NOT NULL validation, auto IndexMerge, TiDB Lightning web UI removal, resource-control metric relabeling) with a security-relevant dependency upgrade and a broad set of new features, performance work, and bug fixes.

  • securityVulnerable TiKV third-party dependencies patched

    This release upgrades vulnerable third-party dependencies used by TiKV 8.5 and aligns required compatibility fixes with upstream, improving stability and security. Upgrade to pick up the patched dependencies.

  • breakingmax_ts invalid-update handling now errors by default

    TiKV now rejects max_ts updates confirmed invalid instead of only logging them. If you rely on the previous log-only behavior, set storage.max-ts.action-on-invalid-update to log before upgrading.

  • breakingFix control 52869 (auto IndexMerge) enabled by default

    TiDB now enables optimizer fix control 52869 by default, letting the optimizer consider IndexMerge automatically when alternative indexes exist. This can change query plans in some cases; review plans for sensitive queries after upgrade.

  • breakingStrict NOT NULL validation on INSERT enabled by default

    tidb_enable_strict_not_null_check now defaults to ON, enforcing strict validation when an INSERT explicitly writes NULL into a NOT NULL column. Statements that previously succeeded may now fail; audit INSERT paths that rely on lenient NULL handling.

  • breakingResource-control background metrics lose resource_group label

    TiKV background resource-control metrics are now aggregated globally via a single rate limiter, dropping the per resource_group label. Update dashboards and alerting rules that filter or group by resource_group for background metrics.

  • breakingTiDB Lightning web interface removed

    TiDB Lightning drops its web interface starting in v8.5.7. Switch to the command-line tools tidb-lightning for import tasks and tidb-lightning-ctl for checkpoint and troubleshooting operations.

Key changes (8)
  • TiKV rejects invalid max_ts updates by default instead of just logging them (revert via storage.max-ts.action-on-invalid-update=log)
  • Optimizer fix control 52869 (auto IndexMerge) is now enabled by default and can shift query plans
  • tidb_enable_strict_not_null_check now defaults to ON, causing stricter INSERT NULL validation
  • TiKV background resource-control metrics are now aggregated without the resource_group label; dashboards/alerts need updating
  • TiDB Lightning web interface removed; use tidb-lightning / tidb-lightning-ctl CLI tools instead
  • Vulnerable third-party dependencies patched across TiKV 8.5 for stability and security
  • New features: CPU-aware hot Region read scheduling in PD/TiKV, partial index support, per-user connection limits, TiCDC table routing
  • Plus various performance work (fail-fast on disk I/O hangs, fairer read-pool scheduling) and bug fixes across TiKV memory usage, PD resource control, BR log backup, and TiCDC stability
Source

cert-manager

SecurityJul 8, 2026

cert-manager v1.21.0 is a mixed release: it ships a security-hardening RBAC restriction (GHSA-8rvj-mm4h-c258) plus two other breaking Helm/RBAC changes, alongside new ARI, Vault AWS-IAM, and Gateway API capabilities and several bug fixes. Operators should review Helm values and RBAC assumptions before upgrading.

  • securityReview cert-manager-edit permissions after Challenge/Order create rights removed

    cert-manager-edit no longer grants create on Challenge resources or create/patch/update on Order resources, closing a path where a user with edit access could tamper with ACME validation flow. Fixed upstream in v1.20.3 and carried into v1.21.0; upgrade if your tooling or users create Challenge/Order resources directly, since those workflows will need the cert-manager-approve or a custom role instead.

  • breakingDefault tokenrequest RBAC for the controller ServiceAccount removed

    The Helm chart no longer creates the default Role/RoleBinding granting serviceaccounts/token: create to the controller's own ServiceAccount. This only affects clusters relying on the undocumented pattern of serviceAccountRef.name pointing at the controller's ServiceAccount; those setups need an explicit RBAC grant added post-upgrade.

  • breakingRemove deprecated Prometheus Helm values before upgrading

    prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path, and prometheus.podmonitor.path are gone from the Helm values schema (the ServiceMonitor port was also renamed from tcp-prometheus-servicemonitor to http-metrics). Any values override still setting these keys will fail Helm's schema validation on upgrade; scrub them from your values files first.

Key changes (8)
  • Security: cert-manager-edit ClusterRole restricted, removing Challenge/Order create-patch-update rights (GHSA-8rvj-mm4h-c258, fixed since v1.20.3)
  • Breaking: default RBAC for controller ServiceAccount tokenrequest creation removed from the Helm chart
  • Breaking: legacy Prometheus Helm values (servicemonitor.targetPort/path, podmonitor.path) removed; ServiceMonitor port renamed to http-metrics
  • Deprecated: enableGatewayAPI/enableGatewayAPIListenerSet in favor of gatewayAPI.enabled/enableListenerSet; cainjector's ServerSideApply feature gate also deprecated (old fields still work)
  • New features: experimental ACME Renewal Information (ARI) support, Vault AWS IAM auth (IRSA/EKS Pod Identity), Certificate renewalPolicies field, and a FIPS 140-3 compatible Modern2026 PKCS#12 profile
  • Gateway API additions: http01-parentreffallback annotation for TLS-only ListenerSets and ignore-tls-listeners annotation
  • Notable bug fixes: renewBeforePercentage integer overflow for long-duration certs, infinite re-issuance loop on expired issuer certs, ACME challenges now retry transient network errors instead of failing terminally
  • Plus roughly a dozen smaller items: DoH response size cap, Vault path traversal validation, DNS secret pre-validation, cainjector --ignore-namespaces, startupapicheck cleanup TTL, Debian 13 base images
Source

etcd

Kubernetes CoreJul 8, 2026

etcd v3.7.0 is a security release: its one grounded change closes a HIGH-severity CRL enforcement bypass on the gRPC listener that occurs when --listen-client-http-urls is set (GHSA-3wh4-j44w-pg92). The upgrade guide mentions other possible breaking changes, but the provided notes give no detail on them.

  • securityCRL enforcement bypass on gRPC listener fixed

    When --listen-client-http-urls is configured, certificate revocation lists (CRLs) were not enforced on the gRPC listener, allowing connections that should have been rejected by the CRL. Upgrade to v3.7.0 if you rely on CRL enforcement for client or peer authentication (GHSA-3wh4-j44w-pg92).

Key changes (2)
  • Security: CRL enforcement bypass on the gRPC listener fixed when --listen-client-http-urls is configured, rated HIGH (GHSA-3wh4-j44w-pg92)
  • Upgrade guide flags possible breaking changes for v3.7.0, but no specifics are given in the available changelog text
Source

Thanos

ObservabilityJul 8, 2026

Thanos v0.42.0 is a mixed release: it patches a critical gRPC authorization-bypass vulnerability (CVE-2026-33186, CVSS 9.1) that could defeat path-based deny rules, alongside several breaking flag removals in Receive and Store, a gRPC keepalive policy change, and a batch of new TLS/cipher configuration options. Upgrade promptly for the security fix, but review the removed flags and renamed Query-Frontend field before rolling out.

  • securityFix critical gRPC authorization bypass (CVE-2026-33186)

    A malformed `:path` header in gRPC requests can bypass path-based "deny" rules in `grpc/authz` interceptors, effectively defeating authorization checks. Fixed via an updated `thanos-community/grpc-go` fork. CVSS 9.1, critical, tracked as CVE-2026-33186. Upgrade to v0.42.0 immediately if you rely on gRPC path-based authorization.

  • breakingReceive: --shipper.ignore-unequal-block-size removed

    `--shipper.ignore-unequal-block-size` is gone. TSDB now delays compaction until the shipper finishes uploading blocks, so compaction can safely proceed during upload without the risk this flag used to guard against. Remove any references to it from Receive configs.

  • breakingStore: --debug.advertise-compatibility-label removed

    `--debug.advertise-compatibility-label` is gone and Store no longer advertises the `@thanos_compatibility_store_type=store` external label by default. This breaks compatibility with Thanos Query instances older than v0.8.0; upgrade Queriers first if you still run pre-v0.8.0 components.

  • breakingQuery-Frontend: time_taken field renamed to time_taken_ms

    The Query-Frontend JSON field `time_taken` is now `time_taken_ms`, aligning naming with its unit for easier log parsing. Update any log collector rules or dashboards that key off the old field name.

Key changes (8)
  • Critical: gRPC authorization bypass via malformed :path headers fixed (CVE-2026-33186, CVSS 9.1) by bumping the thanos-community/grpc-go fork
  • Breaking: Receive drops --shipper.ignore-unequal-block-size; TSDB now delays compaction until shipper upload completes instead
  • Breaking: Store drops --debug.advertise-compatibility-label, no longer advertising the store-type compatibility label by default (breaks pre-v0.8.0 Query compatibility)
  • Breaking: Query-Frontend JSON field time_taken renamed to time_taken_ms
  • All gRPC servers now enforce a KeepaliveEnforcementPolicy with MinTime 10s, matching client keepalive interval
  • New TLS/cipher configuration options added across components: --grpc-server-tls-ciphers/-curves, Receive's remote-write TLS cipher/curve flags, and per-endpoint TLS support in Query
  • Several bugfixes: exemplar proxy label stripping in multi-tier Query setups, OTLP tracing TLS config being ignored, a Query-Frontend panic in AnalyzesMerge, spurious Receive 503s on restart, and tenant ID path-traversal validation in Receive
  • Plus smaller enhancements: TSDB stats endpoint on Ruler/Sidecar gRPC servers, os.Root filesystem confinement for Receive/Compact/Sidecar, Rueidis SendToReplicas support, and S3 directory marker cleanup in Compactor
Source

gRPC

Networking & MessagingJul 8, 2026

gRPC v1.82.1 is a narrow patch release that only raises the Python protobuf lower bound from 6.33.5 to 7.35.1. This is a breaking change for anyone pinned to an older protobuf release and should be checked before upgrading.

  • breakingprotobuf lower bound raised to 7.35.1

    The minimum required protobuf version has moved from 6.33.5 to 7.35.1. Projects pinned to protobuf below 7.35.1 will fail to resolve dependencies against this gRPC release and need to bump their protobuf pin before upgrading.

Key changes (1)
  • Python dependency constraint: protobuf minimum raised from 6.33.5 to 7.35.1
Source

Tekton

CI/CD & App DeliveryJul 8, 2026

Tekton v1.6.5 is a routine patch release that upgrades the Go toolchain to 1.25.10 to address medium-severity CVEs. No breaking changes or new features are included.

  • securityApply Go toolchain CVE fixes

    Tekton v1.6.5 upgrades Go to 1.25.10 to fix medium-severity CVEs in the toolchain. Upgrade to v1.6.5 to apply the patch.

Key changes (1)
  • Go bumped to 1.25.10 for CVE remediation
Source

Tekton

CI/CD & App DeliveryJul 8, 2026

Tekton v1.9.6 is a security patch that remediates CVEs by bumping Go and two key golang.org dependencies. A build hygiene fix replacing LICENSE symlinks with files is also included.

  • securityApply dependency CVE remediations

    Tekton v1.9.6 bumps Go to 1.25.10 and updates golang.org/x/crypto to v0.52.0 and golang.org/x/net to v0.55.0 to address CVEs in those dependencies. Upgrade to receive these remediation fixes.

Key changes (2)
  • Go bumped to 1.25.10, golang.org/x/crypto to v0.52.0, and golang.org/x/net to v0.55.0 for CVE remediation
  • Build hygiene: kodata LICENSE symlinks replaced with actual files
Source

Rook

Storage & DataJul 7, 2026

Rook v1.20.2 is a routine patch release for the Ceph operator: it tightens the mgr NetworkPolicy to ingress-only, bumps Ceph to v20.2.2 and ceph-csi-operator to v1.0.4, and ships a batch of smaller bug fixes and enhancements. No breaking changes or CVEs are included.

  • securitymgr NetworkPolicy restricted to ingress-only

    The mgr NetworkPolicy is now restricted to ingress-only traffic, tightening the default network posture for the Ceph manager pod (#17827). Review your NetworkPolicy setup after upgrading if you rely on egress rules for mgr.

Key changes (6)
  • mgr NetworkPolicy tightened to ingress-only, reducing egress exposure for the Ceph manager (#17827)
  • Ceph bumped to v20.2.2 and ceph-csi-operator to v1.0.4
  • Node watcher now reconciles on node label/annotation changes and skips during initial cache sync to avoid spurious loops
  • Stale VolumeAttachment resources are now cleaned up on unmount in external clusters
  • Floating mon reschedule time reduced for faster failover
  • Several smaller fixes: config overrides now end with a trailing newline, OSD raw activate fallback no longer misclassifies rbd devices, realm access keys are now URL-safe, plus example NetworkPolicy CRs and new API support for muting Ceph warnings
Source

Flux

CI/CD & App DeliveryJul 7, 2026

Flux v2.9.1 is a patch release fixing a CRD schema corruption bug where post-build variable substitution could clobber Flux's own CRD fields, plus smaller fixes for SOPS .ini decryption and a dry-run strategic merge patch error. No breaking changes, deprecations, or CVEs are disclosed.

  • breakingCRD schema corruption from post-build substitution is fixed

    Post-build variable substitution in Kustomizations could accidentally match and corrupt Flux's own CRD schema fields when a manifest contained ${...} sequences overlapping those field names. This affected Kustomizations with post-build substitution enabled. Fixed by annotating Flux CRDs with kustomize.toolkit.fluxcd.io/substitute: disabled. Upgrade to v2.9.1 if you use post-build substitution.

Key changes (3)
  • Fixed CRD schema corruption caused by post-build variable substitution matching Flux's own CRD fields; Flux CRDs are now annotated with kustomize.toolkit.fluxcd.io/substitute: disabled
  • Fixed SOPS .ini file decryption
  • Fixed a dry-run error in strategic merge patch handling
Source

OpenTelemetry

ObservabilityJul 7, 2026

OpenTelemetry Collector v0.156.0 is a bugfix rollup with one operator-relevant behavior change: the memory_limiter processor switches from continuous forced GC to exponential backoff, with the cap exposed via two new config fields. Several targeted fixes address permanent-error handling in otlp_http, receiver startup ordering, env var nil resolution, and retry config validation.

  • enhancementmemory_limiter GC backoff now configurable via two new fields

    The memory_limiter processor now backs off GC calls exponentially when GC is deemed ineffective (soft limit still exceeded and less than 5% memory reclaimed). The backoff cap is controlled by max_gc_interval_when_soft_limited and max_gc_interval_when_hard_limited, both defaulting to 30s. If you tune GC aggressiveness, review these new fields; the default behavior changes from continuous forced GC to capped backoff.

Key changes (7)
  • memory_limiter processor: forced GC now uses exponential backoff when ineffective, capped by new fields max_gc_interval_when_soft_limited and max_gc_interval_when_hard_limited (default 30s each)
  • otlp_http exporter: parse errors on truncated 2xx response bodies are now permanent errors, preventing duplicate exports on retry
  • pkg/service: receivers now start only after all other components have fully initialized, fixing a race with shared-implementation receivers like OTLP
  • env provider: an unset variable with ${env:VAR:-} syntax now resolves to empty string instead of nil
  • configretry BackOffConfig fields validated regardless of the Enabled flag
  • memory_limiter processor now emits componentstatus health events reflecting its current state
  • mdatagen enhancements: stability levels for resource attributes, semantic convention references, field_name option in go_struct, enum validator support, and distinct named Go types for primitive exported config schemas
Source

Lima

Kubernetes CoreJul 3, 2026

Lima v2.1.4 is a routine patch release with a handful of cherry-picked bug fixes, a nerdctl bump, and small CLI/template improvements. No breaking changes, security fixes, or deprecations are included.

Key changes (5)
  • Bugfix: xorrisofs flag now only added to the xorrisofs command
  • Bugfix: QEMU falls back from hvf to tcg on macOS when hvf is unavailable
  • Dependency: nerdctl bumped from v2.3.3 to v2.3.4
  • Templates updated, freebsd-15 now supports 9p mounts
  • Enhancement: limactl network list --json now includes the network name
Source

Open Policy Agent (OPA)

SecurityJul 2, 2026

OPA v1.18.2 is a routine patch that restores the original newline-preservation behavior in `opa fmt`. Policies that were already correctly formatted will no longer be rewritten when the formatter runs.

Key changes (1)
  • Fixes a regression in `opa fmt` (introduced in v1.18.0) where single-item collections (arrays, objects, sets) were always expanded onto multiple lines regardless of the source formatting, causing spurious diffs on already-formatted policies
Source

CRI-O

Kubernetes CoreJul 2, 2026

CRI-O v1.35.5 is a routine patch with two bug fixes: ImageRef now stays consistent across restarts, and the gomaxprocs hook calculation has been adjusted to reduce potential scheduler throttling. No breaking changes, security advisories, or API modifications are included.

Key changes (2)
  • Fixed ImageRef inconsistency in container status after CRI-O restart (repo@digest reverted to raw image ID hash)
  • Updated gomaxprocs hook to ignore workload partitioning during injection decisions, and set a floor of double the requested CPUs to reduce Go scheduler throttling
Source
Older →
Browse by month