RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Jul 2026Clear ×

Envoy

Networking & MessagingYesterdayJul 14, 2026

Envoy v1.39.0 is a major release combining several breaking behavior changes (mandatory keyUsage enforcement, disabled DLB balancer, stricter TLS inspector validation, changed OTel sampling behavior) with a large batch of roughly 20 medium-severity CVE fixes spanning HTTP/2, HTTP/3, ext_authz, ext_proc, OAuth2, DNS, and several other subsystems. It also ships extensive non-actionable feature and performance work, including dynamic-modules extension points and a new streaming JSON parser for AI protocols.

  • securityBroad CVE batch fixed across core protocol and extension code

    This release fixes roughly 20 CVEs across HTTP/2, HTTP/3, ext_authz, ext_proc, gRPC stats, internal redirects, OAuth2, DNS, JSON parsing, PROXY protocol, formatters, StatsD, TLS SAN handling, and Zstd decompression, all rated medium by the notes. Notable ones include HTTP/2 cookie-based header-limit bypass (CVE-2026-47774), HTTP/3 QPACK blocked-decoding DoS (GHSA-p7c7-7c47-pwch), and Zstd decompression memory exhaustion (CVE-2026-48044). The fixes ship in v1.39.0.

  • securityOAuth2 cookie encryption moves to AES-256-GCM (opt-in migration)

    OAuth2 adds AES-256-GCM cookie encryption to address CVE-2026-47775, replacing the older CBC-based scheme. Migration is opt-in: enable oauth2_use_gcm_encryption, monitor the oauth_legacy_cbc_decrypt metric, then disable oauth2_legacy_cbc_decrypt_compat once legacy decryption is no longer observed.

  • breakingCertificate keyUsage enforcement is now mandatory

    Envoy now always enforces the certificate keyUsage extension; the enforce_rsa_key_usage field is deprecated and ignored. This applies unconditionally starting in v1.39.0, so certificates that previously relied on lax enforcement may now fail validation.

  • breakingDLB connection balancer disabled in all builds

    The Intel DLB connection balancer (envoy.network.connection_balance.dlb) is disabled in all builds because of a broken source archive. This applies wherever that extension is configured.

  • breakingTLS inspector now rejects out-of-range client TLS versions

    The TLS inspector now validates that client TLS versions fall between 1.0 and 1.3, rejecting anything outside that range. The check is unconditional in v1.39.0 but can be reverted with envoy.reloadable_features.tls_inspector_enforce_client_tls_version.

  • breakingOTel tracing now defers to Envoy's own sampling decision

    The OpenTelemetry tracer now honors Envoy's own request-entry sampling decision, including overall_sampling, even when a propagated trace context or configured sampler requests sampling. This applies to deployments relying on downstream or context-based sampling overriding Envoy's local config, and may reduce the volume of exported spans.

Key changes (8)
  • Roughly 20 medium-severity CVE fixes across HTTP/2, HTTP/3, ext_authz, ext_proc, gRPC stats, internal redirects, OAuth2, DNS, JSON parsing, PROXY protocol, formatters, StatsD, TLS SAN handling, and Zstd decompression; notable ones include CVE-2026-47774 (HTTP/2 cookie header-limit bypass), GHSA-p7c7-7c47-pwch (HTTP/3 QPACK DoS), and CVE-2026-48044 (Zstd memory exhaustion)
  • OAuth2 gains AES-256-GCM cookie encryption (CVE-2026-47775) with an opt-in, staged migration path off legacy CBC decryption
  • Certificate keyUsage enforcement is now mandatory (enforce_rsa_key_usage deprecated); TLS inspector now rejects client TLS versions outside 1.0-1.3
  • Intel DLB connection balancer extension disabled in all builds due to a broken source archive
  • OpenTelemetry tracer now defers to Envoy's own sampling decision (including overall_sampling), which may reduce exported spans
  • Unified DNS cluster implementation is now the default, enabling shared c-ares resolvers and qcache across clusters
  • HeaderMatcher now matches separately supplied header values individually rather than only their comma-joined form (revertible via feature gate)
  • Large non-actionable batch: dynamic-modules extension points and Rust SDK, new Wuffs-based streaming JSON parser for MCP/A2A/OpenAI/Anthropic, new bandwidth-sharing and sub-filter-chain HTTP filters, CNSA/post-quantum TLS policies, io_uring and SO_REUSEPORT BPF performance work, plus numerous bugfixes (connection-pool re-entrancy, DNS resolver leaks, Golang filter re-entry)
Source

Backstage

CI/CD & App DeliveryYesterdayJul 14, 2026

Backstage v1.53.0 is a feature release with seven breaking changes across auth, CLI, and API layers. The SSE MCP transport, proxy agent bootstrap, and OpenAPI testing CLI commands are removed; OAuth redirect validation is tightened to reject wildcards crossing host-path boundaries and embedded credentials; config-loader enforces strict type checking; and EntityContextMenuItemBlueprint changes output structure. Optic is replaced by oasdiff for OpenAPI tooling. Numerous bugfixes address TechDocs, Scaffolder, and catalog issues; new features include breadcrumbs framework, user settings storage, and extended auth/database options. No security fixes are included.

  • breakingSSE MCP transport removed

    The Server-Sent Events (SSE) transport for MCP actions has been removed from @backstage/plugin-mcp-actions-backend. If your deployment uses the SSE transport, switch to the Streamable HTTP endpoint or update your MCP configuration.

  • breakingStricter config-loader type validation

    Config-loader now validates imported types in TypeScript configuration schemas instead of treating them as unconstrained. Invalid imports will cause schema loading to fail. Review your configuration schemas for unresolved or missing type imports.

  • breakingTighter OAuth redirect URI and CIMD allowlist matching

    Wildcard patterns in OAuth redirect URIs are now constrained: patterns must include an explicit protocol, wildcards no longer match across host and path boundaries, and embedded credentials are always rejected. Patterns like http://localhost:* now match only the root path; use http://localhost:*/* to allow any path. Update your auth configuration to match this stricter syntax.

  • breakingEntityContextMenuItemBlueprint output type change

    The EntityContextMenuItemBlueprint API now outputs menu item data instead of a rendered MUI element; the icon type is now IconElement. Update any code that depends on the catalog entity context menu to use the new data structure.

  • breakingLegacy proxy agent bootstrap removed

    The bootstrapEnvProxyAgents export has been removed from @backstage/cli-common, along with global-agent and undici dependencies. If you rely on this export, use Node's native NODE_USE_ENV_PROXY environment variable instead.

  • breakingOpenAPI CLI commands and wrapInOpenApiTestServer removed

    The package schema openapi init and repo schema openapi test CLI commands have been removed. Runtime OpenAPI validation is still available via wrapServer from @backstage/backend-openapi-utils/testUtils. The wrapInOpenApiTestServer function has also been removed; use wrapServer instead.

  • breakingOpenAPI tooling switched from Optic to oasdiff

    Optic (@useoptic/optic and @useoptic/openapi-utilities) has been replaced with oasdiff in @backstage/repo-tools for OpenAPI breaking change detection. Update any tooling or CI/CD pipelines that reference Optic.

Key changes (10)
  • SSE MCP transport removed from @backstage/plugin-mcp-actions-backend; use Streamable HTTP endpoint
  • Config-loader now enforces strict type validation; invalid imports cause schema load failure
  • OAuth redirect URI validation tightened: explicit protocol required, credentials rejected, wildcards constrained (http://localhost:* matches root only; use http://localhost:*/* for any path)
  • EntityContextMenuItemBlueprint changed to output data instead of MUI elements (icon is now IconElement)
  • bootstrapEnvProxyAgents removed from @backstage/cli-common; use NODE_USE_ENV_PROXY instead
  • OpenAPI CLI commands (package schema openapi init, repo schema openapi test) and wrapInOpenApiTestServer removed; use wrapServer
  • Optic replaced with oasdiff for OpenAPI breaking change detection in @backstage/repo-tools
  • Catalog entity page migration to BUI and entity header extension deprecation in progress
  • Fixes for TechDocs metadata loop, DatabaseTaskStore string cast, Bitbucket pickers, catalog export crashes, EntityTypePicker regression, scheduled task registration, React key warnings, Kubernetes schema inclusion, yeoman-environment v4 compatibility, and TechDocs blank page rendering
  • Enhancements: breadcrumbs framework, TextAreaField UI component, react-aria-components re-export, user settings plugin, multi-config BACKSTAGE_ENV stacking, Azure DevOps webhooks, CIMD token revocation, Redis connection options, S3 PrivateLink, Auth0 prompt parameters, embedded postgres flags, extension predicate action attributes
Source

CoreDNS

Kubernetes CoreJul 10, 2026

CoreDNS v1.14.5 is a maintenance release improving DoH/DoH3 transport safety and forward plugin robustness with per-upstream read timeout configuration. Three behavior changes affect TLS defaults, DoQ timeout handling, and forward plugin configuration; no CVE fixes.

  • breakingTLS defaults switch to Go standard library

    CoreDNS v1.14.5 now uses Go's standard TLS defaults instead of custom configuration. Review and test any TLS-dependent setups, particularly for DoH/DoH3 transport, to ensure compliance with your security requirements.

  • breakingDoQ stream reads now bounded by server timeout

    DNS over QUIC (DoQ) stream reads are now bounded by the server read timeout. Check if your DoQ deployments have appropriate read timeout values configured; streams that previously hung indefinitely will now time out.

  • enhancementPer-upstream read timeout now configurable

    The forward plugin now accepts per-upstream read timeout configuration. If you have asymmetric upstream latency or need fine-grained control per resolver, you can now configure this; existing setups continue to use the server-level read timeout.

Key changes (7)
  • TLS now uses Go defaults instead of custom config
  • DoQ stream reads bounded by server read timeout; configure appropriately
  • Forward plugin: per-upstream read timeout configuration added
  • Forward plugin now supports DoH; dnstap FORWARDER_* events reflect upstream socket details
  • Forward plugin restored ability to continue when config file is empty
  • Transfer targets can include scoped IPv6 addresses; dnstap and NXDOMAIN classification improvements
  • Plugin fixes: dnstap connection reuse and listener deadlock, file SOA/wildcard handling, rewrite nil-pointer panic and question restoration, secondary catalog parsing, hosts data race and wildcard support, kubernetes AXFR panic, erratic truncate default, plus ~6 smaller robustness fixes
Source

SPIRE

SecurityJul 9, 2026

SPIRE v1.15.2 is a mixed release addressing security concerns through docker/docker to moby/moby migration (resolving CVEs) and a HIGH-severity delegated identity API restriction preventing JWT-SVID exposure for admin or downstream entries. The release also introduces the SPIFFE Broker, per-caller rate limiting, TLS metrics endpoint support, and numerous performance and compatibility improvements across multiple attestors and plugins.

  • securityResolve docker/docker CVEs via moby/moby migration

    docker/docker dependencies have been migrated to moby/moby equivalents to resolve Docker/Moby CVEs. Upgrade to v1.15.2.

  • breakingDelegated API no longer serves JWT-SVIDs for admin/downstream entries

    The delegated identity API no longer serves JWT-SVIDs for admin or downstream entries. If you use the delegated identity API with admin or downstream entries, verify that clients no longer depend on JWT-SVID tokens from those entry types.

Key changes (7)
  • Security: docker/docker migrated to moby/moby to resolve CVEs
  • Security: Delegated identity API restricted—no longer serves JWT-SVIDs for admin or downstream entries
  • Enhancement: Per-caller rate limiting for agent Workload API and Envoy SDS
  • Enhancement: TLS support for Prometheus metrics endpoint with optional SPIFFE ID allowlist
  • Enhancement: SPIFFE Broker endpoint and API introduced
  • Performance: Attested nodes now fetched in bulk; optimized MySQL list entries query for reduced database load
  • Plus 16 additional features, fixes, and improvements: post-quantum cryptography curves, aws_kms tag-based discovery, azure_imds fixes, CA journal durability, structured logging, Windows SE_DEBUG_PRIVILEGE support, and more
Source

TiKV

Storage & DataJul 9, 2026

TiKV/TiDB v8.5.7 is a mixed release combining several default/behavior changes operators must review (stricter max_ts and NOT NULL validation, auto IndexMerge, TiDB Lightning web UI removal, resource-control metric relabeling) with a security-relevant dependency upgrade and a broad set of new features, performance work, and bug fixes.

  • securityVulnerable TiKV third-party dependencies patched

    This release upgrades vulnerable third-party dependencies used by TiKV 8.5 and aligns required compatibility fixes with upstream, improving stability and security. Upgrade to pick up the patched dependencies.

  • breakingmax_ts invalid-update handling now errors by default

    TiKV now rejects max_ts updates confirmed invalid instead of only logging them. If you rely on the previous log-only behavior, set storage.max-ts.action-on-invalid-update to log before upgrading.

  • breakingFix control 52869 (auto IndexMerge) enabled by default

    TiDB now enables optimizer fix control 52869 by default, letting the optimizer consider IndexMerge automatically when alternative indexes exist. This can change query plans in some cases; review plans for sensitive queries after upgrade.

  • breakingStrict NOT NULL validation on INSERT enabled by default

    tidb_enable_strict_not_null_check now defaults to ON, enforcing strict validation when an INSERT explicitly writes NULL into a NOT NULL column. Statements that previously succeeded may now fail; audit INSERT paths that rely on lenient NULL handling.

  • breakingResource-control background metrics lose resource_group label

    TiKV background resource-control metrics are now aggregated globally via a single rate limiter, dropping the per resource_group label. Update dashboards and alerting rules that filter or group by resource_group for background metrics.

  • breakingTiDB Lightning web interface removed

    TiDB Lightning drops its web interface starting in v8.5.7. Switch to the command-line tools tidb-lightning for import tasks and tidb-lightning-ctl for checkpoint and troubleshooting operations.

Key changes (8)
  • TiKV rejects invalid max_ts updates by default instead of just logging them (revert via storage.max-ts.action-on-invalid-update=log)
  • Optimizer fix control 52869 (auto IndexMerge) is now enabled by default and can shift query plans
  • tidb_enable_strict_not_null_check now defaults to ON, causing stricter INSERT NULL validation
  • TiKV background resource-control metrics are now aggregated without the resource_group label; dashboards/alerts need updating
  • TiDB Lightning web interface removed; use tidb-lightning / tidb-lightning-ctl CLI tools instead
  • Vulnerable third-party dependencies patched across TiKV 8.5 for stability and security
  • New features: CPU-aware hot Region read scheduling in PD/TiKV, partial index support, per-user connection limits, TiCDC table routing
  • Plus various performance work (fail-fast on disk I/O hangs, fairer read-pool scheduling) and bug fixes across TiKV memory usage, PD resource control, BR log backup, and TiCDC stability
Source

cert-manager

SecurityJul 8, 2026

cert-manager v1.21.0 is a mixed release: it ships a security-hardening RBAC restriction (GHSA-8rvj-mm4h-c258) plus two other breaking Helm/RBAC changes, alongside new ARI, Vault AWS-IAM, and Gateway API capabilities and several bug fixes. Operators should review Helm values and RBAC assumptions before upgrading.

  • securityReview cert-manager-edit permissions after Challenge/Order create rights removed

    cert-manager-edit no longer grants create on Challenge resources or create/patch/update on Order resources, closing a path where a user with edit access could tamper with ACME validation flow. Fixed upstream in v1.20.3 and carried into v1.21.0; upgrade if your tooling or users create Challenge/Order resources directly, since those workflows will need the cert-manager-approve or a custom role instead.

  • breakingDefault tokenrequest RBAC for the controller ServiceAccount removed

    The Helm chart no longer creates the default Role/RoleBinding granting serviceaccounts/token: create to the controller's own ServiceAccount. This only affects clusters relying on the undocumented pattern of serviceAccountRef.name pointing at the controller's ServiceAccount; those setups need an explicit RBAC grant added post-upgrade.

  • breakingRemove deprecated Prometheus Helm values before upgrading

    prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path, and prometheus.podmonitor.path are gone from the Helm values schema (the ServiceMonitor port was also renamed from tcp-prometheus-servicemonitor to http-metrics). Any values override still setting these keys will fail Helm's schema validation on upgrade; scrub them from your values files first.

Key changes (8)
  • Security: cert-manager-edit ClusterRole restricted, removing Challenge/Order create-patch-update rights (GHSA-8rvj-mm4h-c258, fixed since v1.20.3)
  • Breaking: default RBAC for controller ServiceAccount tokenrequest creation removed from the Helm chart
  • Breaking: legacy Prometheus Helm values (servicemonitor.targetPort/path, podmonitor.path) removed; ServiceMonitor port renamed to http-metrics
  • Deprecated: enableGatewayAPI/enableGatewayAPIListenerSet in favor of gatewayAPI.enabled/enableListenerSet; cainjector's ServerSideApply feature gate also deprecated (old fields still work)
  • New features: experimental ACME Renewal Information (ARI) support, Vault AWS IAM auth (IRSA/EKS Pod Identity), Certificate renewalPolicies field, and a FIPS 140-3 compatible Modern2026 PKCS#12 profile
  • Gateway API additions: http01-parentreffallback annotation for TLS-only ListenerSets and ignore-tls-listeners annotation
  • Notable bug fixes: renewBeforePercentage integer overflow for long-duration certs, infinite re-issuance loop on expired issuer certs, ACME challenges now retry transient network errors instead of failing terminally
  • Plus roughly a dozen smaller items: DoH response size cap, Vault path traversal validation, DNS secret pre-validation, cainjector --ignore-namespaces, startupapicheck cleanup TTL, Debian 13 base images
Source

Thanos

ObservabilityJul 8, 2026

Thanos v0.42.0 is a mixed release: it patches a critical gRPC authorization-bypass vulnerability (CVE-2026-33186, CVSS 9.1) that could defeat path-based deny rules, alongside several breaking flag removals in Receive and Store, a gRPC keepalive policy change, and a batch of new TLS/cipher configuration options. Upgrade promptly for the security fix, but review the removed flags and renamed Query-Frontend field before rolling out.

  • securityFix critical gRPC authorization bypass (CVE-2026-33186)

    A malformed `:path` header in gRPC requests can bypass path-based "deny" rules in `grpc/authz` interceptors, effectively defeating authorization checks. Fixed via an updated `thanos-community/grpc-go` fork. CVSS 9.1, critical, tracked as CVE-2026-33186. Upgrade to v0.42.0 immediately if you rely on gRPC path-based authorization.

  • breakingReceive: --shipper.ignore-unequal-block-size removed

    `--shipper.ignore-unequal-block-size` is gone. TSDB now delays compaction until the shipper finishes uploading blocks, so compaction can safely proceed during upload without the risk this flag used to guard against. Remove any references to it from Receive configs.

  • breakingStore: --debug.advertise-compatibility-label removed

    `--debug.advertise-compatibility-label` is gone and Store no longer advertises the `@thanos_compatibility_store_type=store` external label by default. This breaks compatibility with Thanos Query instances older than v0.8.0; upgrade Queriers first if you still run pre-v0.8.0 components.

  • breakingQuery-Frontend: time_taken field renamed to time_taken_ms

    The Query-Frontend JSON field `time_taken` is now `time_taken_ms`, aligning naming with its unit for easier log parsing. Update any log collector rules or dashboards that key off the old field name.

Key changes (8)
  • Critical: gRPC authorization bypass via malformed :path headers fixed (CVE-2026-33186, CVSS 9.1) by bumping the thanos-community/grpc-go fork
  • Breaking: Receive drops --shipper.ignore-unequal-block-size; TSDB now delays compaction until shipper upload completes instead
  • Breaking: Store drops --debug.advertise-compatibility-label, no longer advertising the store-type compatibility label by default (breaks pre-v0.8.0 Query compatibility)
  • Breaking: Query-Frontend JSON field time_taken renamed to time_taken_ms
  • All gRPC servers now enforce a KeepaliveEnforcementPolicy with MinTime 10s, matching client keepalive interval
  • New TLS/cipher configuration options added across components: --grpc-server-tls-ciphers/-curves, Receive's remote-write TLS cipher/curve flags, and per-endpoint TLS support in Query
  • Several bugfixes: exemplar proxy label stripping in multi-tier Query setups, OTLP tracing TLS config being ignored, a Query-Frontend panic in AnalyzesMerge, spurious Receive 503s on restart, and tenant ID path-traversal validation in Receive
  • Plus smaller enhancements: TSDB stats endpoint on Ruler/Sidecar gRPC servers, os.Root filesystem confinement for Receive/Compact/Sidecar, Rueidis SendToReplicas support, and S3 directory marker cleanup in Compactor
Source

gRPC

Networking & MessagingJul 8, 2026

gRPC v1.82.1 is a narrow patch release that only raises the Python protobuf lower bound from 6.33.5 to 7.35.1. This is a breaking change for anyone pinned to an older protobuf release and should be checked before upgrading.

  • breakingprotobuf lower bound raised to 7.35.1

    The minimum required protobuf version has moved from 6.33.5 to 7.35.1. Projects pinned to protobuf below 7.35.1 will fail to resolve dependencies against this gRPC release and need to bump their protobuf pin before upgrading.

Key changes (1)
  • Python dependency constraint: protobuf minimum raised from 6.33.5 to 7.35.1
Source

Flux

CI/CD & App DeliveryJul 7, 2026

Flux v2.9.1 is a patch release fixing a CRD schema corruption bug where post-build variable substitution could clobber Flux's own CRD fields, plus smaller fixes for SOPS .ini decryption and a dry-run strategic merge patch error. No breaking changes, deprecations, or CVEs are disclosed.

  • breakingCRD schema corruption from post-build substitution is fixed

    Post-build variable substitution in Kustomizations could accidentally match and corrupt Flux's own CRD schema fields when a manifest contained ${...} sequences overlapping those field names. This affected Kustomizations with post-build substitution enabled. Fixed by annotating Flux CRDs with kustomize.toolkit.fluxcd.io/substitute: disabled. Upgrade to v2.9.1 if you use post-build substitution.

Key changes (3)
  • Fixed CRD schema corruption caused by post-build variable substitution matching Flux's own CRD fields; Flux CRDs are now annotated with kustomize.toolkit.fluxcd.io/substitute: disabled
  • Fixed SOPS .ini file decryption
  • Fixed a dry-run error in strategic merge patch handling
Source

Harbor

Storage & DataJul 2, 2026

Harbor v2.15.2 is a maintenance patch backporting the 2.15.0 security hardening set (blob-mount token validation, crypto/SMTP cleanup) plus the Redis-to-Valkey cache backend swap, alongside a large batch of UI/UX fixes following the Angular 21/Clarity v18 upgrade. No critical or high severity issues are involved; upgrade at normal patch cadence, but check external Redis/Valkey compatibility first.

  • securityBlob-mount token validation hardened

    Blob-mount now validates that the source project matches and rejects tokens missing the 'iat' claim, closing a gap that could let a token be replayed or misused across projects during blob mounting. No configuration change is needed, just upgrade.

  • securityCrypto usage hardened, unused SMTP package dropped

    Harbor tightened internal crypto usage and dropped the unused SMTP package, reducing attack surface. Rated low severity; upgrade covers it, no action required beyond that.

  • breakingCache backend switched from Redis to Valkey

    The cache backend moves from Redis to Valkey. If you run external Redis, or reference redis-specific config/images/health checks in your deployment, verify compatibility with Valkey before or during the upgrade.

  • breakingInternal YAML library replaced

    Harbor's YAML library changed from gopkg.in/yaml.v2 to github.com/goccy/go-yaml internally. This is an internal dependency swap with no expected operator-facing change, but flag it if you parse Harbor-generated YAML with strict schema assumptions.

  • breakingRegistry pinned to stable v2.8.3-harbor.1

    The bundled registry component now tracks the stable v2.8.3-harbor.1 tag instead of an rc.5 pre-release build, giving a more predictable registry version in this patch.

Key changes (7)
  • Blob-mount token validation hardened: rejects tokens missing 'iat' and checks source project (medium severity)
  • Crypto usage hardened and unused SMTP package removed (low severity)
  • Cache backend replaced: Redis swapped for Valkey
  • Internal dependency swaps: gopkg.in/yaml.v2 to goccy/go-yaml, registry pinned to stable v2.8.3-harbor.1
  • Harbor UI upgraded to Angular 21, Clarity v18, Node.js v22, with a large batch of accompanying UI/UX fixes (checkboxes, dark theme, i18n, job queue counts, pull command tag selection)
  • Fixed repository update_time not bumping on tag/artifact changes; Cosign verification adjusted to ignore/disable tlog
  • Plus several smaller build and packaging fixes: photon base image rebuild, net-tools removal, configurable openapi-generator/PIP_INDEX_URL, build system decoupling for 2.15
Source

Prometheus

ObservabilityJul 1, 2026

Prometheus v3.13.0 is an LTS release leading with a HIGH-severity credential-forwarding fix (CVE-2025-4673, CVE-2023-45289) and a MEDIUM XSS fix (CVE-2026-44990), alongside four breaking changes to pagination tokens, path resolution, PromQL duration function names, and license file packaging, plus a broad set of new features and performance improvements.

  • securityHIGH: Credentials no longer forwarded on cross-host redirects

    Credentials (Authorization header, basic auth, bearer token, OAuth2, and configured headers) are no longer forwarded when following a redirect to a different host. This affects scraping, remote read/write, alerting, and service discovery where credentials are configured and cross-host redirects occur. Tracked as CVE-2025-4673 and CVE-2023-45289; driven by upgrading prometheus/common from v0.68.x to v0.69.0. Review any targets or endpoints that rely on redirects, as credentials will now be dropped silently on host change.

  • securityMEDIUM: XSS fix in UI dependency (CVE-2026-44990)

    sanitize-html was bumped to fix a cross-site scripting vulnerability (CVE-2026-44990) in the Prometheus UI. No configuration change needed; upgrade to v3.13.0.

  • breakingPagination token algorithm changed from SHA-1 to SHA-256

    Rule group pagination tokens now use SHA-256 instead of SHA-1. Any client or tooling that stores or compares pagination tokens across versions will see different token values after upgrade.

  • breaking--http.config.file relative path resolution changed

    Relative file paths inside the file passed to --http.config.file are now resolved relative to that config file's own directory, not its parent directory. If you use relative paths in that config, verify they still resolve correctly after upgrading.

  • breakingDuration-expression functions min()/max() renamed to min_of()/max_of()

    If you use the experimental-duration-expr feature flag, the PromQL duration functions min() and max() have been renamed to min_of() and max_of(). Update any queries or rules that use the old names.

  • breakingnpm_licenses.tar.bz2 removed; licenses now at /assets/third-party-licenses.txt

    npm_licenses.tar.bz2 is no longer shipped in release tarballs or container images. Third-party npm license text is now embedded in the binary and served at /assets/third-party-licenses.txt. Any automation that extracted that archive needs updating.

Key changes (8)
  • HIGH security fix: credentials (auth headers, bearer token, OAuth2, basic auth) dropped on cross-host redirects, fixing CVE-2025-4673 and CVE-2023-45289 via prometheus/common v0.69.0
  • MEDIUM security fix: sanitize-html bumped to patch XSS vulnerability CVE-2026-44990 in the UI
  • Breaking: rule group pagination tokens now SHA-256; stored tokens from older versions will differ
  • Breaking: --http.config.file relative paths now resolved relative to the config file's directory, not its parent
  • Breaking: duration-expression functions min()/max() renamed to min_of()/max_of() (experimental-duration-expr flag only)
  • Breaking: npm_licenses.tar.bz2 removed from tarballs/images; licenses served from /assets/third-party-licenses.txt in the binary
  • New experimental API search endpoints for metric names, label names, and label values; AWS RDS filtering; Scaleway VPC/IPAM-only instance support; native histogram smoothed/anchored rate; per-query samplesRead stats; Azure Monitor Workspace certificate support; container images on ghcr.io
  • Performance: case-insensitive prefix matching up to ~2x faster; per-sample chunk overhead down ~12-15%; V2 histogram WAL decoder allocations cut up to 50% (up to 10% memory reduction for native-histogram deployments with created-timestamp storage); plus multiple PromQL panic and TSDB corruption fixes
Source

Longhorn

Storage & DataJul 1, 2026

Longhorn v1.11.3 is a bugfix rollup addressing over a dozen stability issues across volume operations, backups, and instance management. One upgrade prerequisite applies: the CSI external provisioner is now v6.3.0, requiring Kubernetes v1.34 or later when upgrading from v1.10.x or v1.11.0.

  • breakingKubernetes v1.34+ required when upgrading from v1.10.x or v1.11.0

    The bundled CSI external provisioner is bumped to v6.3.0, which requires Kubernetes v1.34 or later. If your cluster runs an older Kubernetes version and you are upgrading from Longhorn v1.10.x or v1.11.0, bring Kubernetes to v1.34+ first before applying this upgrade.

Key changes (7)
  • CSI external provisioner bumped to v6.3.0: clusters must run Kubernetes v1.34+ before upgrading from v1.10.x or v1.11.0
  • Fixed iscsid restarts leaving V1 volumes inoperable, blocking PVC resize and other volume operations
  • Fixed nil pointer dereference panic in longhorn-instance-manager during replica rebuild
  • Fixed deadlock causing recurring trim jobs to fail, and separate fixes for volume expansion getting stuck
  • Fixed migration engine being deleted while target node was still transitioning to ready
  • Fixed backup uploads to S3 failing on NetApp appliances, and fixed System Backup RecurringJob incorrectly pruning the newest CR
  • Fixed longhorn-manager panic in BackupController during backup deletion, plus HTTP response body leaks in support bundle and webhook polling; reduced webhook TLS Secret contention at scale
Source
Browse by month