RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Rook

Storage & DataApr 14, 2026

Rook v1.19.4 is a focused patch release fixing CephObjectStoreUser capabilities, adding multi-cluster RBAC fixes, and improving OSD disk handling with forceful zap support.

  • breakingMulti-cluster deployments: apply the RBAC fix immediately

    The missing ceph-mgr RBAC role in secondary clusters could cause silent permission failures that are hard to diagnose. If you're running Rook in a multi-cluster setup, upgrade to v1.19.4 and verify ceph-mgr is operating correctly post-upgrade. Don't wait on this one.

  • enhancementForceful OSD replacement is now cleaner with disk zap

    The new disk zap behavior during forceful OSD installation removes the manual cleanup step that previously caused headaches when replacing failed OSDs. If you've been scripting around this limitation, review your runbooks — the operator now handles it directly.

  • enhancementAdd labels to RGW services for better traffic routing

    CephObjectStore RGW services now accept custom labels, which opens up more precise service mesh, load balancer, and network policy targeting. Worth adopting if you're running multiple object stores or need finer-grained traffic control.

Key changes (5)
  • CephObjectStoreUser capabilities setting now works correctly after a bug fix
  • Missing RBAC role for ceph-mgr in secondary clusters has been patched — multi-cluster deployments were silently broken
  • OSD disk zap on forceful installation added, enabling cleaner OSD replacement workflows
  • CephObjectStore RGW service now supports custom labels for better service targeting
  • CSI operator bumped to v0.6.0 and COSI sidecar image updated to latest default
Source

OpenFGA

SecurityApr 14, 2026

OpenFGA v1.14.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

OpenFeature

CI/CD & App DeliveryApr 14, 2026

OpenFeature core/v0.15.3 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

OpenFeature

CI/CD & App DeliveryApr 14, 2026

OpenFeature flagd/v0.15.3 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Backstage

CI/CD & App DeliveryApr 14, 2026

v1.50.0 is a wide-ranging release with several breaking changes across auth, frontend APIs, and catalog. Key practical upgrades: AWS RDS IAM auth, Auth0 federated logout, catalog deadlock fixes, and security patches for rollup/glob.

  • securityUpdate CLI and build tooling to pick up rollup path traversal fix

    rollup < v4.59 has a high severity path traversal vulnerability (GHSA-mw96-cpmx-2vgc). The @backstage/cli, repo-tools, and several CLI modules have been updated. Run the upgrade helper and update your lockfile. If you pin rollup versions anywhere in your workspace, update those pins to v4.59+. The glob dependency was also bumped to v13 to address vulnerabilities in v7/v8/v11.

  • breakingVerify token decoding code before upgrading — ent claim removed by default

    auth.omitIdentityTokenOwnershipClaim now defaults to true, so Backstage user tokens no longer include the ent ownership claim. Any code that manually decodes tokens and reads ent will silently get nothing. Audit your codebase for raw token decoding and replace it with the userInfo core service. If you need time, set auth.omitIdentityTokenOwnershipClaim: false in your config temporarily, but plan to remove it — the setting will be dropped in a future release.

  • breakingMigrate createSchemaFromZod to configSchema before upgrading frontend-plugin-api

    The deprecated createSchemaFromZod helper is gone in @backstage/[email protected]. Any extension or blueprint using it will fail at runtime. Check the 1.50 migration docs at backstage.io/docs/frontend-system/architecture/migrations#150 and switch to the configSchema option. Note that plain zod v3 schemas are not supported — use import { z } from 'zod/v4' from the zod v3 package or upgrade to zod v4.

Key changes (7)
  • BREAKING: auth.omitIdentityTokenOwnershipClaim now defaults to true — tokens no longer carry the ent claim, which eliminates header size issues in large orgs but may affect code that explicitly decodes Backstage tokens
  • BREAKING: frontend-plugin-api removes deprecated createSchemaFromZod helper; migrate to the new configSchema option with zod v4
  • BREAKING: @backstage/ui drops React 17 support — minimum is now React 18
  • Catalog backend deadlock fix: SELECT ... FOR UPDATE SKIP LOCKED was missing transaction wrapping, causing PostgreSQL deadlocks (40P01) in multi-replica deployments
  • Security: rollup upgraded to v4.59+ (GHSA-mw96-cpmx-2vgc path traversal) and glob bumped to v13 across CLI and repo-tools packages
  • AWS RDS IAM authentication for PostgreSQL now supported in backend-defaults — use short-lived tokens instead of static passwords
  • Auth0 provider now performs federated logout, clearing the Auth0 session on sign-out; set federatedLogout: true to also clear upstream IdP sessions
Source

containerd

Kubernetes CoreApr 14, 2026

containerd v2.2.3 patches CVE-2026-35469 in spdystream and fixes several bugs including whiteout handling in parallel unpacks, TOCTOU race in tar extraction, and Go 1.24 symlink regressions.

  • securityPatch CVE-2026-35469: upgrade to v2.2.3 now

    CVE-2026-35469 affects moby/spdystream, which containerd uses for streaming connections. The fix is in spdystream v0.5.1, bundled in this release. If you're running any 2.2.x version, treat this as a mandatory upgrade — don't wait for your next maintenance window.

  • breakingParallel unpack whiteout bug could mean corrupted layer state — verify images

    A bug caused whiteout files (which signal file deletions between layers) to be ignored when parallel unpack was enabled. If you've been using parallel unpack with overlayfs, layer deletion semantics may not have applied correctly. After upgrading, re-pull any images that were unpacked in parallel to ensure their layer state is consistent.

  • enhancementGo 1.24 users on NixOS or symlink-heavy rootfs: this fixes your container startup failures

    Absolute symlink handling in rootfs user/group lookups regressed with Go 1.24. This affected systems where /etc/passwd or /etc/group are symlinks (common on NixOS-style setups). If you've seen user lookup failures or container start errors after moving to Go 1.24-built binaries, upgrading to v2.2.3 resolves this.

Key changes (5)
  • Security patch for CVE-2026-35469 via spdystream upgrade to v0.5.1
  • Fixed whiteouts being silently ignored during parallel unpack — critical for image correctness
  • TOCTOU race condition hardened in tar extraction path
  • runc updated to v1.3.5
  • Absolute symlink resolution fixed for /etc/passwd and /etc/group lookups, addressing Go 1.24 regressions on NixOS-style and similar systems
Source

containerd

Kubernetes CoreApr 14, 2026

containerd 2.0.8 patches CVE-2026-35469 in spdystream, fixes a credential leak in CRI error messages, and resolves a CNI DEL lifecycle bug after containerd restarts.

  • securityPatch CVE-2026-35469 by upgrading to 2.0.8 now

    CVE-2026-35469 lives in the moby/spdystream dependency. Details are in a GitHub security advisory. If you're running containerd 2.0.x in any cluster, upgrade to 2.0.8 — this is the primary reason for the release. Don't wait for your next maintenance window if the advisory turns out to be high severity.

  • securityCheck your pod event logs for past credential exposure

    Before this fix, registry credentials or other secrets embedded in URLs could appear in plaintext inside CRI gRPC error messages and pod events. If you're shipping pod events to a logging backend (Datadog, Splunk, ELK, etc.), audit recent logs for query parameters that shouldn't be there. Going forward, 2.0.8 redacts these before they leave containerd.

  • breakingValidate CNI network cleanup works correctly after upgrading

    The CNI DEL bug meant network namespaces and CNI plugin state weren't cleaned up when a pod was deleted after a containerd restart. This could leave stale network state on nodes. After upgrading to 2.0.8, verify that pod deletion properly invokes CNI DEL — especially on nodes that have experienced containerd restarts. If you've noticed orphaned network interfaces or IP allocation issues, this fix is the likely culprit.

Key changes (5)
  • CVE-2026-35469: spdystream updated from v0.4.0 to v0.5.1 to address the vulnerability
  • CRI error sanitization: gRPC errors and query parameters are now redacted before returning to callers, preventing credential exposure in pod events
  • CNI DEL fix: network teardown was silently skipped after a containerd restart — this is now corrected
  • SELinux library updated to v1.13.1 (opencontainers/selinux)
  • Go toolchain updated to 1.25.9 / 1.26.2
Source

containerd

Kubernetes CoreApr 14, 2026

containerd 2.1.7 patches CVE-2026-35469 in spdystream and ships several hardening fixes including credential leak prevention via gRPC and a TOCTOU race in tar extraction.

  • securityPatch CVE-2026-35469 by upgrading to 2.1.7 now

    CVE-2026-35469 in moby/spdystream is fixed in this release. spdystream is used in the CRI streaming path, so any cluster running Kubernetes workloads with exec/attach/port-forward is potentially exposed. Upgrade containerd to 2.1.7 on all nodes. No config changes needed, just a binary swap and daemon restart.

  • securityCredential leak via gRPC pod events is now closed

    Before this fix, raw errors containing registry credentials could surface in pod events visible to namespace-scoped users. If your clusters allow broad pod event access, assume credentials may have been exposed in logs or event streams. Rotate any registry pull secrets used on affected clusters, then upgrade to 2.1.7 to prevent recurrence.

  • enhancementCNI DEL fix prevents IP/resource leaks after restarts

    A bug meant CNI DEL was never called for sandboxes cleaned up after a containerd restart, leaking network resources. If you've seen stale IPs or CNI state after node restarts, this is likely why. Upgrade to 2.1.7 and consider draining nodes before restarting containerd to clear any existing leaked state.

Key changes (5)
  • CVE-2026-35469 patched via spdystream upgrade to v0.5.1
  • gRPC error sanitization prevents credential leaks in pod events
  • TOCTOU race condition fixed in tar extraction
  • CNI DEL now executes correctly after containerd restart
  • runc updated to v1.3.5; read-only bind-mount flags preserved in user namespaces
Source

containerd

Kubernetes CoreApr 14, 2026

v1.7.31 patches CVE-2026-35469 in spdystream, fixes a CNI DEL regression after restarts, and closes a credential leak in pod events via gRPC error sanitization.

  • securityPatch CVE-2026-35469 by upgrading to v1.7.31 now

    CVE-2026-35469 affects the moby/spdystream library used for SPDY multiplexing. The fix is in spdystream v0.5.1, bundled here. If you're running any 1.7.x release prior to this, upgrade immediately — especially on clusters where the CRI streaming server is exposed or where kubectl exec/attach/port-forward traffic flows through containerd.

  • securityAudit pod event logs for previously leaked credentials

    A bug caused raw error messages — potentially containing registry credentials — to be returned over gRPC and surface in pod events. After upgrading, review historical pod event logs (kubectl get events, or your log aggregation system) for any entries containing auth tokens, passwords, or image pull secrets from before this fix was applied. Rotate any credentials you find.

  • breakingVerify CNI network teardown is working correctly after upgrade

    The CNI DEL fix means containers that previously left behind stale network state after a containerd restart will now properly clean up. This is the right behavior, but if you have automation or scripts that assumed CNI DEL was idempotent-by-absence (i.e., expected cleanup to be skipped), test those workflows. Nodes with a history of unclean restarts may see cleanup activity on first pod deletion post-upgrade.

Key changes (5)
  • CVE-2026-35469: spdystream updated from v0.2.0 to v0.5.1 to address the vulnerability
  • CNI DEL now correctly executes after a containerd restart — previously orphaned network teardowns were silently skipped
  • gRPC error paths sanitized to prevent registry credentials from leaking into pod events
  • runc binary bumped to v1.3.5
  • TOCTOU race bug fixed in tar extraction
Source

NATS

Networking & MessagingApr 14, 2026

v2.12.7 is a targeted bug-fix release addressing ACL bypass vulnerabilities, multiple leafnode panics, a JetStream consumer stuck state, and an MQTT JWT regression from 2.12.6.

  • securityPatch ACL bypass bugs immediately if you use deny rules or queue groups

    Two ACL enforcement bugs are fixed here. Overlapping wildcard patterns in deny ACLs were not enforced correctly, and queue subscriptions could bypass non-queue deny rules entirely. If your security model relies on deny-based ACLs — especially with wildcards or mixed queue/non-queue subscribers — treat this as a must-upgrade. Audit your ACL configurations after upgrading to confirm expected deny behavior is active.

  • breakingMQTT users on 2.12.6 must upgrade — auth callout JWT was broken

    If you deployed 2.12.6 with MQTT clients using auth callout, JWTs were not being forwarded to the callout service, meaning your auth logic was silently bypassed or failing. This regression is fixed in 2.12.7. Upgrade immediately and verify MQTT client authentication is functioning end-to-end.

  • enhancementmax_mem_store and max_file_store can now be increased via config reload

    You can now raise JetStream storage limits without restarting the server — just update the config and reload. Decreasing is still not supported via reload. Useful for capacity adjustments during peak periods without downtime. Plan your storage sizing with headroom so you can expand reactively if needed.

Key changes (5)
  • ACL security fixes: overlapping wildcard deny patterns now enforced correctly, and queue subscriptions can no longer bypass non-queue deny rules
  • MQTT regression fix: JWT is now correctly forwarded to auth callout for MQTT clients (broken since 2.12.6)
  • JetStream consumer fix: max_ack_pending no longer gets stuck when deleted messages linger in pending state
  • Leafnode stability: multiple panic fixes including account resolution failure and pre-CONNECT guard improvements
  • JetStream performance: subject purge now scans only relevant filestore blocks; filestore cache eviction is less aggressive after writes
Source

NATS

Networking & MessagingApr 14, 2026

v2.11.16 is a security-focused patch fixing multiple ACL bypass vulnerabilities in queue subscriptions, leafnode inbound messages, and wildcard deny patterns — update immediately if you rely on NATS authorization.

  • securityACL bypass via queue subscriptions — patch now

    Queue subscribers could silently bypass deny rules intended for non-queue subscriptions. If your authorization model uses deny patterns to restrict subjects, those controls were not reliably applied. Audit your ACL configurations and update to v2.11.16 before anything else. This affects any multi-tenant or permission-isolated NATS deployment.

  • securityLeafnode ACL enforcement was incomplete — verify your leaf configs

    Inbound messages on leafnode connections were not always checked against ACL permissions. If you run leafnode-connected clusters with per-account or per-user authorization, treat this as a potential unauthorized data access vector. After upgrading, review leafnode user credentials and their associated permission sets.

  • breakingno_auth_user scope change may affect existing setups

    The no_auth_user option is now restricted to client connections only. If you had any tooling or configuration relying on no_auth_user applying to leafnode or other non-client connection types, those connections will now require explicit credentials. Test in staging before rolling this update to production leafnode infrastructure.

Key changes (5)
  • Queue subscriptions could bypass non-queue ACL deny rules — now fixed
  • Overlapping wildcard patterns in ACL deny blocks were not fully enforced — now corrected
  • no_auth_user restricted to client connections only (was previously broader)
  • Leafnode ACL enforcement fixed for all inbound message paths, plus a pre-CONNECT panic fix
  • WebSocket fast-path now correctly picks up WebSocket-specific no_auth_user when configured
Source

TiKV

Storage & DataApr 14, 2026

TiKV v8.5.6 brings column-level privileges, multi-dimensional slow query rules, shared locks for FK checks, and ~13 bug fixes including a memory leak in crossbeam skiplist and a rare pessimistic transaction data inconsistency.

  • securityColumn-level privileges close a data isolation gap — audit your schemas

    TiDB now supports MySQL-compatible column-level GRANT/REVOKE. If you've been relying on view-based workarounds to restrict access to sensitive columns (PII, financial data), you can now enforce this at the privilege layer instead. Audit tables that contain sensitive columns and apply least-privilege grants. This also means existing privilege audits may be incomplete — review user grants against newly exposed column-level controls.

  • breakingMigrate off Statistics Version 1 now — it's deprecated and removal is coming

    tidb_analyze_version=1 is deprecated in this release and will be removed in a future version. Run SHOW VARIABLES LIKE 'tidb_analyze_version' on all instances. If any are on v1, switch to v2 and re-run ANALYZE on affected tables. Version 2 produces more accurate histograms and is the only supported path going forward. Don't wait until the removal forces a rushed migration.

  • enhancementEnable shared locks for FK checks to cut contention in write-heavy workloads

    If you run high-concurrency INSERT/UPDATE on child tables with foreign key constraints pointing to a small set of parent rows, you're likely hitting exclusive lock contention today. Set tidb_foreign_key_check_in_shared_lock=ON and benchmark — shared locks on the parent table allow concurrent FK checks without blocking each other. Test in staging first, as this changes locking semantics. Also pick up the fix for the pessimistic transaction prewrite retry inconsistency (issue #11187) — worth verifying your TiKV nodes are on this patch if you run pessimistic workloads.

Key changes (6)
  • Column-level privilege management (GRANT/REVOKE on specific columns) now supported — closes a long-standing MySQL compatibility gap
  • New tidb_slow_log_rules variable enables fine-grained slow query logging by Query_time, Digest, Mem_max, KV_total across instance/session/SQL levels
  • Foreign key checks can now use shared locks (tidb_foreign_key_check_in_shared_lock=ON) to reduce contention in high-concurrency child-table writes
  • TiKV gains load-based compaction: detects MVCC read overhead and prioritizes compaction for hot Regions automatically
  • Statistics Version 1 (tidb_analyze_version=1) deprecated; TiDB Lightning Web UI deprecated and removed in v8.5.7
  • Critical bug fixes: crossbeam skiplist memory leak in TiKV, rare pessimistic transaction data inconsistency on prewrite retry, follower reads blocked on disk-full nodes
Source

wasmCloud

Orchestration & ManagementApr 14, 2026

v2.0.3 patches a NATS race condition, adds Kubernetes EndpointSlice support, hardens container security with non-root ownership, and expands Helm chart configurability.

  • securityUpgrade now: containers finally run as non-root by default

    Previous releases ran with root ownership, which is a container security red flag. This release sets non-root ownership by default. If you have volume mounts or init containers with root-dependent file permissions, test before rolling to production — you may need to adjust fsGroup or runAsUser settings in your pod specs.

  • breakingHelm chart image tag behavior changed — audit your values files

    The default image tag no longer falls back to a hardcoded value; it now uses the chart's appVersion. If you rely on overriding the tag in your values files, this likely works as-is. But if you were depending on the old default tag behavior for pinning, verify your deployed image versions after upgrading the chart.

  • enhancementEnable EndpointSlice support if running Kubernetes 1.21+

    EndpointSlice is the modern replacement for Endpoints and scales better with large service backends. If your cluster runs Kubernetes 1.21 or later, enable this feature — it reduces load on kube-apiserver and avoids the scaling limits of the classic Endpoints API. Check your Helm values for the new endpointslice configuration option.

Key changes (6)
  • Fixed a race condition in NATS subscriber initialization that could cause intermittent connection failures
  • Added Kubernetes EndpointSlice support for services — required for clusters with large service backends
  • Container ownership set to non-root, improving security posture out of the box
  • Helm chart now supports TLS configuration, custom annotations, and labels
  • Helm chart default image tag now derives from chart.yaml appVersion instead of a hardcoded value
  • WASIp3 support added behind a feature flag — experimental, not for production use yet
Source

OpenCost

ObservabilityApr 13, 2026

OpenCost v1.120.0 adds OVH cloud provider support, AWS CUR 2.0 compatibility, and fixes several resource leaks and bugs across AWS, DigitalOcean, and S3 integrations.

  • breakingCheck PV cost accuracy after upgrading — unit parsing was broken

    PV capacity was previously mishandled for Ki/Mi/Gi/Ti units, which means PV cost allocations may have been wrong in earlier versions. After upgrading, verify your PV cost data looks correct, especially if you were seeing anomalous persistent volume costs.

  • enhancementMigrate to AWS CUR 2.0 if you haven't already

    AWS is deprecating CUR 1.0 — this release adds CUR 2.0 support. If you're still on CUR 1.0 exports, now is the time to update your AWS billing export configuration and point OpenCost at the new format. Don't wait for AWS to force the migration.

  • enhancementSuppress noisy Spot feed warnings with the new toggle

    Teams not using AWS Spot instances were getting misleading log warnings about spot data feeds. You can now explicitly disable the Spot Data Feed via config. Set the toggle if you're not using Spot — it cleans up your logs and removes the misleading provider log noise fixed in this release.

Key changes (7)
  • New OVH cloud provider integration for cost tracking
  • AWS CUR 2.0 (Cost and Usage Report) support added
  • Memory leak fixed in Prometheus scrape target parsing
  • Plugin processes now properly killed on ingestor shutdown, preventing zombie processes
  • PV capacity parsing fixed to correctly handle Ki, Mi, Gi, and Ti units
  • Account field added to allocation data, cluster name added to CSV exports
  • Configuration toggle added to disable AWS Spot Data Feed when not in use
Source

Istio

Networking & MessagingApr 13, 2026

Istio 1.29.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Istio

Networking & MessagingApr 13, 2026

Istio 1.28.6 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Prometheus

ObservabilityApr 13, 2026

Prometheus v3.11.2 patches a stored XSS vulnerability (CVE-2026-40179) in the web UI, plus two Consul SD fixes. Upgrade immediately if your UI is exposed.

  • securityPatch CVE-2026-40179 immediately if your Prometheus UI is reachable

    A stored XSS can be triggered by crafted metric names or label values — meaning any scrape target you ingest data from could potentially inject malicious scripts into your UI. If your Prometheus endpoint is accessible to users beyond the ops team (internal dashboards, federated setups), treat this as urgent. Upgrade to v3.11.2 now. If you can't upgrade immediately, restrict UI access via network policy or auth proxy until you can.

  • breakingVerify Consul SD behavior after the Health API filter fix

    The filter parameter was previously applied incorrectly to the Consul Health API. After upgrading, your Consul service discovery results may change if you were relying on that filter — intentionally or not. Review your Consul SD configs and validate that the services being scraped post-upgrade match your expectations before rolling out to production.

  • enhancementUse `health_filter` in Consul SD to reduce noise from unhealthy services

    The new `health_filter` field lets you filter Consul Health API responses directly at the SD layer. If you've been working around this with relabeling rules to drop unhealthy instances, you can now clean that up. Set `health_filter` to `healthy` in your Consul SD config to only scrape passing services and reduce unnecessary target churn.

Key changes (3)
  • SECURITY: Stored XSS via unescaped metric names and label values in UI tooltips and metrics explorer — CVE-2026-40179
  • Consul SD: New `health_filter` field for fine-grained Health API filtering
  • Consul SD: Fixed a bug where the filter parameter was incorrectly applied to the Health API
Source

Prometheus

ObservabilityApr 13, 2026

Prometheus v3.5.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

OpenTelemetry

ObservabilityApr 13, 2026

v0.150.0 is a maintenance release with targeted bug fixes: corrects the print-config unredacted output, redacts internal telemetry OTLP headers in marshaled config, and fixes a bounds-check crash in the debug exporter.

  • securityTelemetry exporter headers now redacted in marshaled config

    Internal telemetry OTLP exporter headers are now redacted when configuration is marshaled. If you log or store marshaled config output anywhere, headers (which may contain auth tokens) were previously exposed in plaintext. Upgrade and audit any stored config snapshots.

  • enhancementFix print-config unredacted mode to show defaults

    The print-config command's unredacted mode previously dropped all default-valued options from output. Fixed by introducing confmap.WithUnredacted MarshalOption. If your team uses print-config for auditing or debugging configuration, re-run it after upgrading — the output is now complete and trustworthy.

Key changes (5)
  • semconv package bumped from 1.38.0 to 1.40.0 across all components
  • debug exporter now guards against out-of-bounds profiles dictionary index access
  • pdata/pprofile creates a defensive copy when input is read-only
  • print-config --unredacted now correctly includes default-valued fields
  • Internal OTLP exporter headers are redacted when config is marshaled
Source

cert-manager

SecurityApr 11, 2026

Patch release fixing a Helm chart YAML generation bug when webhook.config and webhook.volumes are both set, plus Go 1.26.2 upgrade to address dependency vulnerabilities.

  • securityDependency vulnerabilities patched — upgrade to get the fixes

    The Go runtime and dependencies were bumped specifically to address reported CVEs. The release notes don't call out specific CVE IDs, but don't let that slow you down — cert-manager sits in a privileged position in your cluster handling certificate issuance, so keeping it current on security patches is non-negotiable. Schedule an upgrade in your next maintenance window.

  • breakingUpgrade immediately if you use both webhook.config and webhook.volumes

    If your Helm values set both webhook.config and webhook.volumes, the chart has been generating invalid YAML — meaning your webhook may have silently deployed with incorrect configuration. Upgrade to v1.20.2 and redeploy, then verify the webhook pod is running with the expected volume mounts and config.

Key changes (3)
  • Fixed invalid YAML output in Helm chart when both webhook.config and webhook.volumes are defined simultaneously
  • Go runtime bumped to 1.26.2
  • Go dependencies updated to resolve reported vulnerabilities
Source

Envoy

Networking & MessagingApr 10, 2026

Envoy v1.37.2 is a patch release fixing three runtime bugs: a crash on listener removal, incomplete body forwarding in dynamic module filters, and a request hang on buffer overflow during internal redirects.

  • breakingUpgrade immediately if using process-level access log rate limiting

    If your Envoy config uses a process-level access log rate limiter and you perform any listener hot-reload or removal, you are hitting a crash path. This is not a low-probability edge case — listener removal happens during routine config updates via xDS. Upgrade to v1.37.2 before your next config push.

  • breakingCheck dynamic module filter pipelines for body truncation

    If you run dynamic module filters alongside other filters that buffer request or response bodies (e.g., ext_proc, gRPC transcoding, JWT body inspection), you may have been forwarding truncated payloads upstream or to clients without any error. Audit logs for unexpected body size mismatches and validate behavior in staging after upgrading.

  • breakingInternal redirect with large request bodies could hang — patch this now

    Any route config using internal redirects combined with upstream services that can trigger redirects on large POST/PUT bodies is a hang risk. The request stalls rather than returning an error, which means your upstream timeout is the only safety net. This is a silent reliability failure. Upgrade and consider temporarily tightening request buffer limits on affected routes as a short-term guard.

Key changes (5)
  • Crash fix: listener removal with a process-level access log rate limiter no longer causes a process crash
  • Dynamic module filters now correctly forward complete request/response bodies when adjacent filters perform buffering
  • Internal redirect buffer overflow no longer hangs the request indefinitely
  • Docker release images updated and corrected
  • Stats subsystem updates included
Source

Envoy

Networking & MessagingApr 10, 2026

Envoy v1.36.6 is a patch release fixing two bugs: incomplete body delivery in dynamic module filters and a request hang when internal redirect triggers buffer overflow.

  • breakingUpgrade if you use dynamic module filters with buffering neighbors

    If your filter chain mixes dynamic module filters with any filter that buffers the body (e.g., ext_proc, grpc-web, or custom buffering filters), you were silently receiving incomplete bodies. This is a data-correctness bug, not just a performance issue. Upgrade to v1.36.6 immediately and validate that your dynamic modules are processing full payloads post-upgrade.

  • breakingInternal redirect + buffer overflow caused indefinite request hang

    Any deployment using internal redirects where the request body can exceed the configured buffer limit was exposed to hung requests — requests that never complete and hold connections open. This is particularly dangerous under load. Upgrade now; in the interim, consider raising buffer limits or disabling internal redirects if you're seeing stuck requests.

Key changes (3)
  • Dynamic module filters could pass truncated request/response bodies when neighboring filters buffered data — now fixed
  • Internal redirect with an overflowing request buffer could hang the request indefinitely — now resolved
  • Docker release images updated and corrected
Source

OpenFGA

SecurityApr 10, 2026

v1.14.1 patches a host-header poisoning vulnerability in AuthZEN discovery and removes a vulnerable Docker dependency, plus minor ListObjects performance gains.

  • securityPatch the AuthZEN host-header poisoning vulnerability now

    The AuthZEN well-known discovery endpoint was returning URLs built from the request's Host header. An attacker could poison this to redirect clients to a malicious endpoint. If you expose the AuthZEN discovery metadata publicly, upgrade to v1.14.1 immediately. No config change needed — the fix is automatic once upgraded, as long as authzen.baseURL is correctly set in your server config.

  • securityAudit your image builds if you ship the OpenFGA test binary

    The github.com/docker/docker package carries known CVEs and was only used in test code. Production builds are unaffected, but if your pipeline somehow includes test binaries or vendor directories in container images, verify they no longer include the vulnerable package after upgrading.

  • enhancementSet an explicit server shutdown timeout for Kubernetes workloads

    The new shutdown timeout config option lets you control how long OpenFGA waits to drain in-flight requests before exiting. Without this, abrupt shutdowns can cause request errors during pod restarts. Set this to slightly less than your Kubernetes terminationGracePeriodSeconds to ensure clean handoff.

Key changes (5)
  • Security fix: AuthZEN discovery metadata now uses configured baseURL instead of request-supplied host headers, closing a host-header poisoning attack vector
  • Removed vulnerable github.com/docker/docker test dependency, replaced with Moby client & API
  • Configurable server shutdown timeout added — useful for graceful drain in Kubernetes environments
  • ListObjects heap allocations reduced, yielding minor but real latency improvements
  • Cache key generation faster by dropping fmt usage and extending control-character sanitization to tuples, conditions, and context
Source

Dapr

Orchestration & ManagementApr 10, 2026

Dapr 1.17.4 patches seven bugs spanning workflow correctness, Pulsar OOM risk, actor freeze under placement pressure, and a Go stdlib security update. Deploy promptly if you use any of these features.

  • securityUpgrade immediately for Go stdlib CVE fixes

    Go 1.25.9 patches vulnerabilities in archive/tar, crypto/tls, crypto/x509, html/template, and the compiler. All Dapr binaries and Docker images are rebuilt with the patched toolchain. Update your Dapr runtime to 1.17.4 now — no config changes needed, just the version bump.

  • breakingPulsar processMode behavior has changed — validate your component config

    If you set processMode in Pulsar component YAML before this fix, it was silently ignored and you were running in default mode. After upgrading, the setting takes effect. If you had processMode: sync expecting ordered processing but were unknowingly running async, behavior will change. Also, async mode now caps concurrency at maxConcurrentHandlers (default 100). Review your Pulsar component metadata and test throughput behavior before rolling to production.

  • enhancementEliminate actor/workflow freeze risk from placement slowness

    The placement dissemination freeze bug could cause cascading health check failures during rolling updates — Kubernetes would declare pods unhealthy and restart them, worsening the cycle. With 1.17.4, a slow peer triggers reconnect rather than a fatal teardown. If you've seen unexplained actor hangs or zombie daprd processes during rollouts, this is likely the cause. No configuration change needed; upgrading is sufficient.

Key changes (5)
  • Pulsar pub/sub now correctly reads processMode from component YAML and enforces concurrency limits in async mode — previously this could OOM a pod under high message rates
  • Cross-app workflows no longer hang in PENDING when the target app is offline at startup; per-dispatch timeouts (2s) and pre-save logic prevent indefinite blocking
  • Workflow events are no longer silently lost or duplicated during ContinueAsNew under high event volume — state snapshot/restore and inbox replacement fix two root causes
  • A single slow sidecar can no longer freeze all actor and workflow operations cluster-wide; placement dissemination timeout now triggers reconnect instead of killing the placement subsystem
  • Scheduler pod restarts in multi-node clusters no longer stall all job triggers until an unrelated cluster event; each connector now retries independently
Source

Envoy

Networking & MessagingApr 10, 2026

Envoy v1.35.10 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Envoy

Networking & MessagingApr 10, 2026

Envoy v1.34.14 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Helm

Kubernetes CoreApr 9, 2026

Security-only patch fixing a path traversal vulnerability in chart extraction. Upgrade immediately if you pull charts from untrusted sources.

  • securityPatch a chart extraction path traversal — upgrade now

    A crafted Chart.yaml using dot-segments (e.g., '..') in the chart name could cause Helm to write files outside the intended extraction directory. This is a classic directory traversal attack vector. If your pipelines pull charts from public repos, third-party registries, or any source you don't fully control, treat this as critical and upgrade to v3.20.2 today. Teams operating fully air-gapped with only internally authored charts have lower immediate risk, but should still upgrade on the next maintenance window.

Key changes (3)
  • GHSA-hr2v-4r36-88hr patched: malicious Chart.yaml with dot-segment names could collapse output directory paths during chart extraction
  • No functional changes — purely a security fix
  • Next patch releases (4.1.5 / 3.20.3) scheduled for April 8, 2026
Source

Linkerd

Networking & MessagingApr 9, 2026

Pure dependency maintenance release — proxy bumped to v2.348.0, multiple Go/Rust/JS deps updated. No feature changes or bug fixes to speak of.

  • securitylodash updated in web dashboard — low urgency, but worth knowing

    lodash went from 4.17.23 to 4.18.1. The Linkerd dashboard is typically internal-facing, so exposure is limited. Still, if your team audits frontend dependency CVEs, confirm this resolves any open advisories in your SBOM tooling.

  • enhancementProxy v2.348.0 — check the proxy changelog if you're chasing specific behavior

    The proxy is the only component here with potentially meaningful runtime changes. The release notes don't surface proxy-level details directly, so if you're tracking a specific fix or behavior change, pull up the linkerd2-proxy v2.348.0 release notes separately before promoting this edge build to production.

  • enhancementSkip this edge unless you need the proxy bump

    This is a housekeeping release. If you're already tracking edge builds for the proxy, upgrading is straightforward. For anyone evaluating edge-26.4.x for broader testing, there's no functional regression risk here, but also nothing compelling enough to rush an upgrade from edge-26.4.1.

Key changes (5)
  • Proxy updated to v2.348.0 (details in proxy changelog)
  • tokio runtime bumped from 1.50.0 to 1.51.1 (two hops in one release cycle)
  • gRPC-Go updated to 1.80.0
  • lodash bumped to 4.18.1 in the web dashboard
  • New destination controller API tests added for better regression coverage
Source

OpenFeature

CI/CD & App DeliveryApr 9, 2026

OpenFeature core/v0.15.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

OpenFeature

CI/CD & App DeliveryApr 9, 2026

OpenFeature flagd-proxy/v0.9.4 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

OpenFeature

CI/CD & App DeliveryApr 9, 2026

OpenFeature flagd/v0.15.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Falco

SecurityApr 9, 2026

Falco 0.43.1 is a minimal patch release bumping libs to 0.23.2 and the container plugin to 0.6.4. No functional changes, no bug fixes — purely a dependency update.

  • enhancementUpdate if you care about container plugin fixes in 0.6.4

    This release exists primarily to ship the container plugin 0.6.4 update alongside libs 0.23.2. If your environment relies on container metadata enrichment in Falco rules, check the container plugin 0.6.4 changelog for fixes that may affect your alerting fidelity. Otherwise, upgrading from 0.43.0 is low risk and low urgency — treat it as a routine dependency bump.

Key changes (4)
  • libs bumped from previous version to 0.23.2
  • container plugin bumped to 0.6.4
  • driver remains at 9.1.0+driver
  • single merged PR, all user-facing
Source

Helm

Kubernetes CoreApr 9, 2026

Helm v4.1.4 is a security-only patch fixing three vulnerabilities: chart extraction path traversal, plugin signature bypass, and plugin version path traversal enabling arbitrary file writes.

  • securityUpgrade immediately — all three CVEs are exploitable via untrusted input

    Two of these bugs (chart extraction collapse and plugin version path traversal) allow writing files to arbitrary locations on the filesystem. The third lets anyone install an unsigned plugin if they control the distribution channel. If your CI/CD pipeline pulls charts or plugins from external or semi-trusted sources, you are exposed on any Helm version before this patch. Upgrade to v4.1.4 (or v3.20.3 when released April 8) now. Don't wait for a maintenance window.

  • securityAudit your plugin sources before upgrading — unsigned plugins may have slipped through

    The provenance bypass (GHSA-q5jf-9vfq-h4h7) means any Helm installation that had plugin verification enabled could still have installed unsigned plugins if the .prov file was simply absent. Before upgrading, audit installed plugins with 'helm plugin list' and verify their origins manually. After upgrading, reinstall any plugins from official sources to ensure provenance is properly checked.

  • enhancementPin Helm in CI to this exact version now

    If you use a floating version reference like 'latest' or a minor-pinned tag in your CI pipeline, update it to v4.1.4 explicitly. The Helm team also pinned the CodeQL action to a commit SHA in this release — a good reminder to apply the same discipline to your own toolchain dependencies.

Key changes (4)
  • GHSA-hr2v-4r36-88hr: Malicious Chart.yaml names using dot-segments could collapse extraction paths outside intended directories
  • GHSA-q5jf-9vfq-h4h7: Missing .prov file caused plugin verification to fail open, allowing unsigned plugins to install silently
  • GHSA-vmx8-mqv2-9gmg: Plugin metadata version field accepted path traversal sequences, enabling arbitrary file writes outside the Helm plugin directory
  • No feature changes or behavioral additions — pure security fixes
Source

SPIRE

SecurityApr 8, 2026

SPIRE v1.14.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

SPIRE

SecurityApr 8, 2026

SPIRE v1.13.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Keycloak

SecurityApr 8, 2026

Keycloak 26.6.0 graduates several preview features to fully supported — JWT Authorization Grant, Federated Client Auth, Workflows, and zero-downtime patch releases — while fixing a notable set of security bugs across UMA, SCIM, and Organizations.

  • securityPatch SCIM and UMA vulnerabilities immediately

    Two separate SCIM bugs allowed IDOR-style resource modification and authorization bypass in group management. UMA permission grant accepted expired ID tokens and tokens issued to other clients. These are fixed in 26.6.0. If you use SCIM or UMA, upgrade now — no config change needed, but verify your SCIM plugin/extension is compatible with the new validation.

  • breakingSwitch to KCRAW_ prefix if secrets contain $ characters

    If you inject passwords or secrets via environment variables and they contain $ characters (e.g., from a secrets manager), the KC_ prefix silently mangles them via SmallRye expression evaluation. Use KCRAW_<KEY> instead of KC_<KEY> to preserve literal values. Audit your current env var injection before upgrading — any secrets with ${ or $$ patterns may have been silently broken in prior versions.

  • enhancementEnable zero-downtime rolling updates in your Operator deployments

    Zero-downtime patch releases are now on by default. If you run Keycloak via the Operator, explicitly set the update strategy to Auto to benefit. Also review the new graceful HTTP shutdown defaults (1s delay, 1s timeout) — adjust these upward if your reverse proxy takes longer to drain connections, especially in non-Kubernetes setups with longer-lived connections.

Key changes (7)
  • JWT Authorization Grant (RFC 7523) and Federated Client Authentication are now GA, enabling external-to-internal token exchange without managing per-client secrets
  • Zero-downtime patch releases are now enabled by default; Operator users should set update strategy to Auto
  • New KCRAW_ environment variable prefix prevents SmallRye from mangling passwords containing $ characters — addresses a silent data-corruption bug
  • UMA permission grant now rejects expired ID tokens and tokens issued to different clients (security fixes #46716, #46717)
  • SCIM IDOR bug fixed: PUT endpoint no longer allows resource modification via body ID override (#46658); SCIM authorization bypass in group management also patched (#47536)
  • OTP and password brute-force protection separated by default to prevent OTP bypass attacks (#46164)
  • Keycloak and KeycloakRealmImport CRDs promoted to v2beta1
Source

OpenFeature

CI/CD & App DeliveryApr 7, 2026

OpenFeature core/v0.15.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

OpenFeature

CI/CD & App DeliveryApr 7, 2026

OpenFeature flagd-proxy/v0.9.3 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

OpenFeature

CI/CD & App DeliveryApr 7, 2026

OpenFeature flagd/v0.15.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source
← NewerOlder →