RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Cilium

Networking & MessagingJun 16, 2026

Cilium v1.19.5 is a bugfix-heavy patch release addressing policy enforcement bugs, Gateway API panics, and load-balancer correctness issues. No CVEs, but several fixes warrant attention before upgrading.

  • breakingMigrate away from `l2podAnnouncements.interface` Helm value before upgrading

    The `l2podAnnouncements.interface` Helm key was removed because it wrote a configmap entry the agent no longer reads, causing crash-loops when L2 pod announcements are enabled. Before upgrading, check your Helm values for this key and replace it with `l2podAnnouncements.interfacePattern`. Clusters using the old key will fail to start after the upgrade.

  • breakingCheck CiliumEgressGatewayPolicy if you use NamespaceSelector

    A bug caused the NamespaceSelector field in CiliumEgressGatewayPolicy to be silently corrupted, making those rules ineffective. After upgrading to 1.19.5, verify that egress policies with NamespaceSelector are actually being enforced — traffic that was previously leaking may now be blocked.

  • enhancementVerify ipBlock network policies if you rely on selectorless rules

    A bypass was fixed where wildcard namespace selectors could skip ipBlock rules without a pod selector. If you have CiliumNetworkPolicies using ipBlock without explicit namespace selectors, review them post-upgrade to confirm enforcement behavior matches your intent — the fix may change observed traffic patterns.

Key changes (5)
  • Fixed wildcard namespace bypass for selectorless ipBlock rules — network policy was not enforced correctly in some cases
  • Removed defunct `l2podAnnouncements.interface` Helm value; clusters using it will crash-loop unless migrated to `interfacePattern`
  • Fixed CiliumEgressGatewayPolicy NamespaceSelector corruption that silently rendered egress policies ineffective
  • Fixed node connectivity disruption when ClusterIP/LoadBalancer VIPs overlapped with node-local IPs
  • Load-balancing backend internals refactored to handle thousands of services sharing a backend without performance degradation
Source

Cilium

Networking & MessagingJun 16, 2026

Cilium 1.18.11 is a patch release focused on stability, fixing memory leaks, socket handling crashes, and Gateway API routing bugs. No breaking changes; safe to adopt for teams running 1.18.x in production.

  • securityApply patch if you see agent crashes in socket handling

    Cilium 1.18.11 fixes a nil pointer dereference in filterAndDestroySockets that could crash the agent. If you have seen sudden agent pod restarts or panic logs mentioning socket filtering, upgrade promptly. This is a stability issue that affects 1.18.10 and earlier.

  • breakingVerify MTU settings on non-Cilium interfaces after upgrade

    1.18.11 changes MTU handling to skip interfaces not managed by Cilium. If your infrastructure depends on Cilium adjusting MTU on external interfaces (e.g., host-managed veth pairs), test this upgrade in a staging environment first. Mark interfaces with altname to ensure they are recognized as Cilium-owned; otherwise, MTU will not be modified.

  • enhancementAdopt if running Kubernetes Gateway API with TLS routes

    This patch fixes two distinct bugs in Gateway API support: weighted backend routing for TLSRoute passthrough and mixed listener handling. If you use Gateway API with TLS termination or passthrough, this upgrade eliminates silent routing failures. No configuration changes needed; test existing Gateway API resources in a staging cluster first.

Key changes (5)
  • Fixed memory leak in StateDB watch channel hash map reuse for large transactions
  • Corrected weighted backend traffic splitting for TLSRoute passthrough listeners in Gateway API
  • Fixed nil pointer dereference in socket filtering code that could crash the agent
  • Fixed MTU change behavior to only affect Cilium-managed interfaces, skipping others
  • Improved troubleshoot commands to report more kvstore and clustermesh diagnostic data
Source

Cilium

Networking & MessagingJun 16, 2026

Cilium v1.17.17 is a patch release fixing CiliumNode retry logic in multipool, improving troubleshoot command output, and updating dependencies. Primarily maintenance-focused with no breaking changes.

  • enhancementTest multipool deployments after upgrade

    Cilium v1.17.17 fixes a retry mechanism for CiliumNode lookups that was causing intermittent failures in multipool setups. If you run multi-pool IP allocation (multiple resource pools per cluster), test pod scheduling and IP assignment post-upgrade to confirm the fix resolves any flapping you observed.

  • enhancementUse enhanced troubleshoot output for cluster diagnosis

    The troubleshoot kvstore and clustermesh commands now report more diagnostic details. When investigating kvstore or clustermesh connectivity issues, re-run these commands after upgrading—the richer output will likely surface root causes faster than before.

  • enhancementCheck Envoy proxy behavior after updating to v1.37.x

    The bundled Envoy proxy jumps to v1.37.x in this patch. Review Envoy release notes for v1.37.x for any behavioral changes in HTTP/2, load balancing, or observability that might affect your traffic patterns. No action required unless you rely on specific Envoy 1.36.x behavior.

Key changes (4)
  • CiliumNode Get errors now retry correctly in multipool environments, fixing potential connectivity gaps
  • Troubleshoot kvstore and clustermesh commands report additional diagnostic information
  • Envoy proxy bumped to v1.37.x; Helm charts now support registry prefix override
  • Dependency updates: Go packages, Kubernetes utilities, and Ubuntu base image refreshed
Source

Flatcar Container Linux

Provisioning & RuntimeJun 16, 2026

Flatcar stable-4593.2.3 ships Linux 6.12.93 with eight kernel CVE patches and adds NVMe/TCP support for NVMe-oF storage backends.

  • securityPatch eight kernel CVEs — update nodes now

    This release fixes eight Linux kernel CVEs. Details on severity are not yet in NVD for these 2026-prefixed IDs, but any kernel CVE batch warrants prompt node rotation. If you run Flatcar on bare metal or cloud VMs, schedule a node drain-and-replace cycle soon — do not wait for the next maintenance window if these IDs affect your kernel subsystems.

  • enhancementNVMe/TCP opens up NVMe-oF storage backends

    NVMe over Fabrics via TCP is now available in the kernel module set. If your storage team uses NVMe-oF targets (e.g., disaggregated storage arrays or SPDK-based backends), Flatcar nodes can now connect without a custom kernel build. Test in staging before relying on this in production — confirm the nvme-tcp module loads correctly on your target image.

Key changes (3)
  • Eight Linux kernel CVEs patched (CVE-2026-46323, -46315, -46275, -46244, -46243, -46322, -46321, -46316)
  • Kernel updated to 6.12.93 (includes 6.12.92 changes)
  • NVMe/TCP support added, enabling NVMe over Fabrics storage connectivity
Source

Dapr

Orchestration & ManagementJun 16, 2026

Dapr v1.18.1 is a focused bug-fix release for the workflow engine, patching five issues including reminder leaks, permanent sidecar unavailability after config reload, and stuck workflows.

  • breakingHelm users: workflow concurrency limits were silently ignored before this release

    If you set globalMaxConcurrentWorkflowInvocations, globalMaxConcurrentActivityInvocations, or the per-name limit fields on a Configuration resource and installed via Helm, those limits were never enforced. After upgrading to 1.18.1 the CRD schema is correct and limits will actually take effect. Review your configured values before upgrading in production — limits that were previously ignored will now be applied, which could throttle throughput if the values are too conservative.

  • enhancementUpgrade if you run agentic or long-running loop workflows

    Three bugs in this release specifically affect workflows that loop via ContinueAsNew or repeatedly await the same external event name — patterns common in agentic workloads. The reminder leak accumulates garbage reminders over a workflow's lifetime; the ContinueAsNew deadlock causes indefinite hangs with no timeout or error. Both are fixed here. If you see workflows stuck in RUNNING or observe spurious wake-ups in loop workflows, upgrade to 1.18.1.

  • enhancementConfig hot-reload now works reliably for workflow sidecars

    Before this fix, any SIGHUP-triggered config reload on a sidecar hosting workflow workers could permanently break the sidecar — port 50001 stops accepting connections and the only recovery was a pod restart. This is now fixed. If your team uses config hot-reload in any workflow-hosting deployment, 1.18.1 should be treated as a required upgrade.

Key changes (5)
  • Workflow timer reminders no longer leak when the same external event name is awaited multiple times in a loop
  • Config hot-reload (SIGHUP) no longer leaves workflow sidecars permanently stuck — streaming workers now close cleanly on shutdown
  • Sidecars no longer restart on Kubernetes operator resync events that carry no actual config change
  • Child workflow completions crossing a ContinueAsNew boundary no longer cause parent workflows to hang forever in RUNNING state
  • Helm chart CRD for Configuration now includes the workflow/activity concurrency limit fields introduced in v1.18.0
Source

Linkerd

Networking & MessagingJun 16, 2026

Linkerd edge-26.6.2 patches policy and profile validation bugs, tightens namespace restrictions on external workloads, and upgrades to Envoy proxy v2.357.0 with unified failure accrual tuning.

  • securityProfile validation now rejects nil configs

    The nil check in profile validation closes a path to crashes on malformed configs. No immediate action needed, but if your automation generates profiles programmatically, ensure they always have valid structure before applying them.

  • breakingNamespace-restricted external workloads may affect routing

    External workloads and endpoints now honor namespace boundaries. If you cross namespaces with external workloads in your Linkerd setup, verify routing still works after upgrade. Update any policies that rely on previous (unrestricted) cross-namespace access.

  • enhancementTune load balancing with unified failure accrual

    Unified failure accrual and response-penalty load biasing gives you finer control over how proxies handle slow or failing endpoints. Test this in a canary namespace first—adjust failure thresholds and penalty weights to match your SLOs. Check Linkerd docs for new policy knobs.

Key changes (5)
  • Policy validation: removed inappropriate AuthN policy check; corrected typos in outbound index rules.
  • Profile validation: added nil check to prevent crashes during validation.
  • Namespace isolation: external workloads and endpoints now respect namespace boundaries to prevent cross-namespace leakage.
  • Load balancing: unified failure accrual and response-penalty biasing in policy engine.
  • Proxy upgrade: Envoy v2.357.0; Go 1.25.11 for build.
Source

Dapr

Orchestration & ManagementJun 15, 2026

Dapr 1.17.10 fixes a bug where resiliency retry policies with `matching` rules on pubsub publish operations were silently ignored, causing terminal errors to be retried unnecessarily. Teams using pubsub with resiliency retry configuration should upgrade to enforce intended retry behavior.

  • breakingRetry behavior change for pubsub publish errors

    If you have resiliency policies with `matching` rules targeting pubsub outbound retry, publish errors will now be classified correctly and non-retriable errors will stop retrying immediately instead of exhausting maxRetries. Verify your resiliency configuration expectations: terminal errors (e.g., 401 Unauthorized, 404 Not Found) will no longer consume retry attempts. If your application relied on the old behavior of always retrying publish, adjust your retry policy or remove the `matching` constraint.

  • enhancementEnforce resiliency policy intent for pubsub

    Upgrade to 1.17.10 if you've configured resiliency policies with explicit `matching` codes for pubsub publish — your configuration will now work as intended. This brings pubsub publish in line with service invocation, output bindings, and other operations that already respect retry `matching`. No code changes needed; the fix is transparent.

Key changes (3)
  • Resiliency retry `matching` (httpStatusCodes/gRPCStatusCodes) is now respected on pubsub Publish and BulkPublish operations
  • Publish errors are now wrapped in resiliency.CodeError when they carry gRPC status, matching behavior in other policy runners
  • Terminal pubsub errors (invalid topic, unauthorized) now fail fast instead of retrying up to maxRetries
Source

Dapr

Orchestration & ManagementJun 15, 2026

Dapr 1.16.16 fixes two downgrade-specific bugs: Sentry certificate signing failures after a 1.18→1.16 rollback, and Helm StatefulSet storage conflicts when downgrading from 1.17/1.18.

  • breakingFollow specific Helm flags when downgrading to 1.16.16

    Use --reset-values and explicitly pass the original install values. Do NOT use --reuse-values — it carries over 1.17/1.18 chart defaults that are invalid in 1.16, including placement disseminateTimeout=8s (1.16 only accepts 1s–3s), which will cause placement to fail at startup. If you skipped deleting the scheduler StatefulSet before downgrading, you may still need to pass --set dapr_scheduler.cluster.storageSize=<current size> or delete the StatefulSet with --cascade=orphan.

  • breakingClusters downgraded from 1.18 to 1.16 need this patch to fix Sentry

    If you rolled back from Dapr 1.18 to any earlier 1.16.x release, Sentry is likely crashing on startup due to the Ed25519/ECDSA key type mismatch in the trust bundle. Upgrade to 1.16.16 to resolve it — no manual certificate rotation is required after upgrading.

Key changes (4)
  • Sentry no longer crashes when the trust bundle was generated by a newer Dapr version using a different key type (Ed25519 vs ECDSA)
  • Certificate template no longer copies SignatureAlgorithm from the CSR; Go's x509 library now infers it from the issuer key
  • Helm chart backports the storageSize template helper that reads the live StatefulSet value, preventing immutable field conflicts on downgrade
  • Fresh installs fall back to .Values.cluster.storageSize (default 1Gi) as before
Source

KServe

AI & MLJun 14, 2026

KServe v0.19.0 is a large release focused heavily on LLMInferenceService (LLMISvc) maturity: better observability, autoscaling, routing, and a migration path for llm-d v0.6 upgrades. Two CVEs are patched.

  • securityPatch two CVEs before upgrading or apply independently

    v0.19.0 patches a vLLM/Pillow CVE and pins azure-core>=1.38.0 for CVE-2026-21226. If you are running KServe with vLLM runtimes or azure-core dependencies, upgrade to v0.19.0 or manually apply the azure-core pin to your environment. Check your current Pillow version in custom server images as well.

  • breakingRouter splitter off-by-one fix changes traffic split behavior

    The pickupRoute random range had an off-by-one error. After upgrading, traffic percentages in InferenceService splitter configurations will be computed correctly, which means observed traffic distribution will shift if your weights were tuned around the buggy behavior. Verify split configurations in staging before rolling to production.

  • enhancementLLMISvc autoscaling and status visibility are now production-ready

    HPA/KEDA scaling conditions are now visible in LLMISvc status, and readiness transitions emit k8s events. If you are operating LLMInferenceService, add these conditions to your monitoring dashboards and alerting. The --scaling flag in kserve-install.sh simplifies enabling autoscaling during fresh installs.

Key changes (7)
  • CVE fixes: vLLM setup and Pillow vulnerability patched; azure-core pinned to >=1.38.0 to address CVE-2026-21226
  • LLMInferenceService gets HPA/KEDA scaling status bubbled up to service conditions, autoscaling e2e tests, and a --scaling flag in kserve-install.sh
  • New LLMISvc observability: k8s events on readiness transitions, routing topology in status, workload references in status, ConfigNotFound condition surfaced
  • Dual-protocol (REST/gRPC) routing added for InferenceService Standard mode
  • Off-by-one bug fixed in the router splitter's pickupRoute random range — affects traffic splitting correctness
  • LocalModelCache support added for LLMInferenceService; NodeSelector fix for jobs to fix PVC access
  • Migration logic added for llm-d v0.6 component upgrades
Source

Helm

Kubernetes CoreJun 12, 2026

Helm v4.2.1 fixes data races in concurrent operations, corrects output routing for command messages, and resolves version constraint parsing issues that caused false negatives.

  • breakingVerify output parsing in automation after upgrade

    Helm command success messages now correctly write to stdout instead of stderr. If your CI/CD pipelines, monitoring, or shell scripts redirect or filter Helm output by stream, they may behave unexpectedly. Check any grep, tee, or output capture logic that assumes helm writes to stderr. Most scripts should work unchanged, but streaming-dependent logic needs review.

  • enhancementUse version range constraints without workarounds

    Helm 4 previously rejected or warned about valid version range constraints like prerelease versions and missing spaces (e.g., 'v1.0.0||v1.1.0'). This is now fixed. If you've avoided version ranges or used pinned versions as a workaround, you can now adopt constraint-based version selection, which simplifies dependency management in large deployments.

  • enhancementUpgrade to get concurrent operation stability

    Multiple race conditions in concurrent goroutines (upgrade + rollback, install + uninstall on the same client, and WaitForDelete timing) are now fixed. Teams running high-concurrency Helm operations (e.g., multi-chart deployments, parallel reconciliation loops, or large test suites) should upgrade to eliminate intermittent failures. This is particularly important if you see flaky test results in your CI pipeline.

Key changes (5)
  • Fixed data race in GetWaiterWithOptions when concurrent upgrade/rollback and install/uninstall operations target the same FailingKubeClient instance
  • Corrected helm command output routing: success messages now write to stdout instead of stderr
  • Fixed Helm 4 false negatives when parsing version range constraints (e.g., prerelease versions, missing spaces in || operator)
  • Patched WaitForDelete race condition where status observer canceled watches prematurely, causing intermittent test failures
  • Updated dependencies: cli-utils 1.2.1, controller-runtime 0.24.1, k8s 1.36.1, and golang.org/x/net v0.55.0 (GO-2026-5026)
Source

Helm

Kubernetes CoreJun 12, 2026

Helm v3.21.1 fixes a nil pointer panic in template operations and updates dependencies. A straightforward patch for stability.

  • securityUpgrade for Go security patch GO-2026-5026

    golang.org/x/net was bumped to v0.55.0 to fix GO-2026-5026. This is a supply-chain dependency, not directly exposed in Helm's API. Upgrade if your security scanning flags net vulnerabilities. No action needed if you're just using Helm normally—the fix is built in.

  • breakingClientOnly template operations now error correctly instead of panicking

    Helm template commands executed without cluster access (ClientOnly mode) previously crashed with nil pointer panics. v3.21.1 returns proper template errors instead. If you have automation that catches panics, update error handling to expect typed template errors. Test your template workflows before production rollout.

  • enhancementRegistry credentials now persist through HTTP fallback

    Registry operations now keep credentials when falling back from HTTPS to plain HTTP, thanks to oras-go v2.6.1. If you use private registries with HTTP-only endpoints, this improves reliability. No configuration change needed; the fix is automatic.

Key changes (3)
  • Fixed nil pointer panic in helm template when running in ClientOnly mode (no Kubernetes cluster)
  • Preserved registry credentials on plain-HTTP fallback via oras-go v2.6.1 update
  • Bumped Go to 1.26 and golang.org/x/net to v0.55.0 to address GO-2026-5026
Source

Kubernetes

Kubernetes CoreJun 12, 2026

Kubernetes v1.36.2 is a patch release fixing critical bugs in Dynamic Resource Allocation (DRA) scheduler, CSI volume republishing, and endpoint controller, plus a Go 1.26.4 build update.

  • securityBinary non-UTF8 Secret data in container env vars now handled correctly

    Kubernetes 1.34+ had a regression where containers could not properly read environment variables set from Secret API objects containing binary non-UTF8 data. This is fixed in 1.36.2. If your workloads use non-text Secret data in environment variables, upgrade to prevent decode errors or silent failures.

  • breakingDRA device allocation bug affects multi-device workloads

    Kubernetes 1.36.0–1.36.1 has a scheduler bug that assigns mutually exclusive device partitions to multiple Pods when drivers use SharedCounters with multi-allocatable devices. This can cause workload failures, device conflicts, crashes, or data loss. If you use DRA with multi-allocatable devices (especially GPUs or custom accelerators with shared counters), upgrade to 1.36.2 immediately. Review recent Pod scheduling decisions for conflicts.

  • enhancementCSI volume republish failures no longer corrupt mount state

    Kubelet was incorrectly deleting CSI mount directories when periodic NodePublishVolume calls (triggered by requiresRepublish=true) failed, leaving pods with stale volume content. This is fixed in 1.36.2. If you run CSI drivers with requiresRepublish=true, this patch eliminates a data consistency risk—upgrade to prevent potential data issues on transient network or storage errors.

Key changes (7)
  • Built with Go 1.26.4 for improved runtime stability
  • Fixed DRA scheduler bug that could assign mutually exclusive device partitions to multiple Pods, risking workload failures or data loss
  • Fixed kube-scheduler panic when DRA ResourceClaim with allocationMode: All selects shared counter devices
  • Fixed kubelet incorrectly deleting CSI mount directories on periodic NodePublishVolume errors, leaving stale volume content
  • Fixed regression where suspended Job spec modifications were rejected if JobSuspended condition was not yet set
  • Fixed endpoint controller panic on services with empty IPFamilies field
  • Fixed container environment variable handling for binary non-UTF8 data from Secrets
Source

Kubernetes

Kubernetes CoreJun 12, 2026

Kubernetes v1.35.6 fixes critical issues in pod scheduling with multi-node claims, DRA device selection, CSI volume republishing, and endpoint handling; includes a Go runtime upgrade and performance improvements.

  • securitySecret binary data in environment variables now handled correctly

    A 1.34+ regression broke environment variable injection from Secrets containing non-UTF8 binary data (e.g., certificates, keys in base64-encoded Secrets). If you inject Secrets as env vars and those Secrets contain binary data, upgrade to v1.35.6. Test this quickly if you run database credentials or keys via Secrets—the bug may have silently broken injection.

  • breakingUpgrade Go runtime to 1.25.11 in your build pipeline

    Kubernetes v1.35.6 is built with Go 1.25.11. If you run custom controllers or operators on the same Go version, verify compatibility and rebuild. If your CI/CD locks Go versions, update your build configuration. This is standard but must be done; old Go versions may have security gaps you're inheriting.

  • enhancementDRA scheduling and CSI republishing now reliable for dynamic resource allocation

    Three bugs are fixed: (1) scheduler no longer panics on DRA ResourceClaim with AllocationMode All and shared counters; (2) pods using multi-node and per-node claims no longer deadlock in Pending; (3) kubelet no longer deletes CSI mount directories on transient NodePublishVolume errors, preventing stale volume data. If you use DRA (dynamic resource allocation) or CSI with republish enabled, this release eliminates previously deadlocking scenarios. Upgrade to clear stuck pods and prevent future hangs.

Key changes (6)
  • Upgraded to Go 1.25.11 for runtime stability and security patches
  • Fixed pod scheduling deadlock when using both multi-node and per-node DRA claims
  • Fixed kube-scheduler panic with DRA ResourceClaim AllocationMode consuming shared counters
  • Fixed kubelet deleting CSI mount directories on periodic NodePublishVolume failures, causing stale volumes
  • Fixed endpoint controller panic on services with empty IPFamilies field (pre-dual-stack services)
  • Fixed environment variable handling for Secret objects containing binary non-UTF8 data
Source

Kubernetes

Kubernetes CoreJun 12, 2026

Kubernetes v1.34.9 fixes volume handling in CSI mounts, binary secret data in containers, endpoint controller panics, and kubeadm certificate handling. Go 1.25.11 build improves runtime performance.

  • breakingUpgrade kubelet if running CSI drivers with requiresRepublish enabled

    A 1.34+ regression caused kubelet to delete CSI mount directories on republish failures, stranding pods with stale volume data. If you run CSI drivers with spec.requiresRepublish=true, upgrade immediately. Check your CSI driver specs and watch for failed republish attempts in kubelet logs before upgrading to confirm you hit this bug.

  • breakingTest binary Secret injection in container environment variables

    v1.34 broke environment variable parsing for containers referencing Secrets with binary (non-UTF8) data. If your workloads inject Secret data into environment variables, test them after upgrading. Check application startup logs for parsing errors; you may need to base64-encode binary Secret values instead.

  • enhancementUpdate Go runtime for performance and security

    v1.34.9 uses Go 1.25.11, which includes runtime optimizations and security patches. Upgrade when you next rotate your control plane and worker nodes. No code changes needed on your side, but the Go update may improve latency and reduce memory usage in your cluster.

Key changes (5)
  • Kubernetes now built with Go 1.25.11 for improved performance and security patches
  • Fixed kubelet CSI mount directory deletion that left pods with stale volume contents after republish errors
  • Fixed panic in endpoint controller when processing services with empty IPFamilies field
  • Fixed regression in container environment variable parsing when values reference Secrets containing binary non-UTF8 data
  • Kubeadm certificate dry-run mode now correctly copies existing CA files
Source

Kubernetes

Kubernetes CoreJun 12, 2026

Kubernetes v1.33.13 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Dapr

Orchestration & ManagementJun 11, 2026

Dapr 1.16.15 fixes a sentry crash that blocks all mTLS identity issuance when the issuer key is Ed25519 or RSA — directly relevant to anyone who downgraded from 1.18 or rotated their issuer key type.

  • breakingUpgrade to 1.16.15 if you downgraded from 1.18 or rotated your issuer key

    If your 1.16 control plane has an Ed25519 or RSA issuer key in the dapr-trust-bundle secret — which happens automatically after a 1.18 downgrade — dapr-sentry crash-loops and no new mTLS certificates are issued. Existing sidecars with unexpired certs keep working, but any pod restart or cert expiry will cause identity failures. Upgrade to 1.16.15 immediately. If you cannot upgrade right now, the only workaround is to replace the issuer key in dapr-trust-bundle with an ECDSA P-256 key.

Key changes (5)
  • dapr-sentry crashes on startup with 'unsupported key type' when the trust bundle contains an Ed25519 or RSA issuer key
  • Root cause: dapr/kit's EncodePrivateKey only matched *ecdsa.PrivateKey and *ed25519.PrivateKey (pointer form), missing the value-type Ed25519 and RSA entirely
  • Fix: dapr/kit v0.16.3 now handles ed25519.PrivateKey (value), *rsa.PrivateKey, and *ecdsa.PrivateKey via PKCS#8 round-trip
  • Affects 1.16 clusters downgraded from 1.18, or any 1.16 deployment where the issuer key was manually rotated to Ed25519 or RSA
  • While sentry is crash-looping, sidecars with valid unexpired certs keep running, but any fresh start or cert rotation fails
Source

Falco

SecurityJun 11, 2026

Falco 0.44.1 adds BPF iterator control and fixes multiple BPF-related issues via a libs bump. Minimal release focused on stability for deployments using kernel-level tracing.

  • breakingUpdate libs and kernel driver together

    This release bumps libs to 0.25.4 and driver to 10.2.0+driver. If you pin kernel driver versions separately from Falco, ensure you update both in the same maintenance window. Mismatched versions can cause syscall capture failures or silent data loss.

  • enhancementControl BPF iterator behavior if you hit performance or compatibility issues

    Falco 0.44.1 introduces a config option to disable BPF iterators. If you run Falco on kernels with problematic BPF iterator implementations or see high CPU usage tied to iterator overhead, test disabling them. Check your Falco logs and metrics after upgrading to confirm the fix resolves any BPF-related instability you were seeing in 0.44.0.

Key changes (3)
  • Add disabling option for BPF iterators in userspace Falco configuration
  • Bump libs to 0.25.4 and driver to 10.2.0+driver to resolve BPF iterator bugs
  • Support for both x86_64 and aarch64 packages across rpm, deb, and tgz formats
Source

Envoy

Networking & MessagingJun 10, 2026

Envoy v1.38.2 is a small patch release: one RTDS runtime bug fix and two opt-in HTTP/2 cookie observability features. No security fixes.

  • breakingRTDS runtime guard fix changes delete behavior — verify your override logic

    If your config management deletes RTDS runtime guard overrides expecting them to revert to default, prior behavior was broken and left stale values. After upgrading to v1.38.2, deletes will now correctly restore defaults. Test any automation that removes runtime overrides to confirm it behaves as intended.

  • enhancementUse new HTTP/2 cookie size limit to guard against oversized headers

    The new envoy.reloadable_features.http2_max_cookies_size_in_kb flag lets you cap the reassembled cookie header size in HTTP/2. If your deployment handles untrusted upstream or downstream traffic with large cookie headers, set an explicit limit to reduce memory pressure. The default is unlimited, so this is opt-in.

Key changes (3)
  • RTDS runtime fix: deleting a runtime guard override now correctly restores the default value instead of leaving stale state
  • New opt-in HTTP/2 header histograms (entry count, byte size, cookie length/count) via envoy.reloadable_features.http2_record_histograms — temporary, will be removed in a future release
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb to cap reassembled cookie header size (disabled/unlimited by default)
Source

Envoy

Networking & MessagingJun 10, 2026

Envoy v1.37.4 is a small patch with one RTDS bug fix and two opt-in HTTP/2 cookie-related observability/safety features. No security CVEs.

  • breakingRTDS override deletion behavior changed — verify runtime guard state

    If your deployments rely on RTDS to manage runtime guard overrides, the old behavior left stale override values after deletion. The fix now restores the process-wide default. Check that your expected default values are actually what you want after an override is removed, especially if you were working around the old broken behavior.

  • enhancementUse the new cookie size limit to protect against oversized cookie headers

    HTTP/2 reassembled cookie headers had no size cap before this release. If you proxy untrusted HTTP/2 clients, set envoy.reloadable_features.http2_max_cookies_size_in_kb to a reasonable limit (e.g., 32–64 KB) to prevent unexpectedly large cookie payloads from reaching upstreams. The default remains unlimited, so this requires an explicit opt-in.

  • enhancementEnable HTTP/2 header histograms in staging to baseline your traffic

    The new envoy.reloadable_features.http2_record_histograms flag adds histograms for header count, map byte size, and cookie metrics. These are useful for understanding HTTP/2 header pressure in your fleet. Enable in a non-production environment first — note these metrics will be removed in a future Envoy release, so don't build long-term dashboards around them.

Key changes (4)
  • RTDS bug fix: deleting a runtime guard override now correctly falls back to the process-wide default instead of leaving a stale value
  • New opt-in HTTP/2 header histograms (header count, byte size, cookie length/count) — enable via envoy.reloadable_features.http2_record_histograms
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb to cap reassembled cookie header size (disabled/unlimited by default)
  • HTTP/2 header histograms are explicitly temporary — they will be removed in a future release
Source

Envoy

Networking & MessagingJun 10, 2026

Envoy v1.36.8 is a minor patch with one bug fix and two opt-in HTTP/2 observability features. No breaking changes or CVEs.

  • breakingHTTP/2 header histograms are temporary — don't build dashboards on them

    The new http2_record_histograms feature and its runtime guard are explicitly scheduled for removal in a future Envoy release. If you enable them for debugging HTTP/2 header issues, treat the resulting metrics as short-lived. Don't wire them into permanent dashboards or alerts that would break on upgrade.

  • enhancementEnable HTTP/2 header histograms if you're debugging large header or cookie payloads

    If you're seeing unexpectedly large HTTP/2 requests or cookie-related issues, flip envoy.reloadable_features.http2_record_histograms to get histograms on header entry count, byte size, and cookie metrics. Pair this with envoy.reloadable_features.http2_max_cookies_size_in_kb to enforce a hard cap on reassembled cookie header size — useful if you need to protect upstream services from oversized cookie headers.

Key changes (4)
  • RTDS runtime guard override deletion now correctly restores the process-wide default value instead of leaving it in a broken state
  • New opt-in HTTP/2 header histograms (entry count, byte size, cookie length, cookie count) enabled via envoy.reloadable_features.http2_record_histograms
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb to cap reassembled cookie header size; no limit enforced by default
  • HTTP/2 histograms and their runtime guard are explicitly temporary — they will be removed in a future release
Source

Dapr

Orchestration & ManagementJun 10, 2026

Dapr 1.18 is a large release centered on workflow security and durability (tamper detection, access policies, history propagation, concurrency limits), with Jobs API and HotReload graduating to GA and several breaking changes requiring pre-upgrade review.

  • securityEnable WorkflowAccessPolicy in shared or multi-tenant clusters

    Before 1.18, any caller in the same trust domain could schedule, terminate, or query any other app's workflows. The new WorkflowAccessPolicy CRD lets you lock this down per-operation with glob-pattern rules. The default is still open (no policy = all calls allowed), so existing deployments are unaffected — but teams running shared clusters should define policies now. Also: redis common components previously skipped TLS cert verification unconditionally; this is fixed in 1.18, so verify your Redis TLS config is correct before upgrading.

  • breakingDo not roll back from 1.18 directly to 1.17.6 or earlier

    Sentry 1.18 writes an Ed25519-keyed CA into the dapr-trust-bundle secret. Any Sentry version before 1.17.7 cannot parse this and will crash-loop, blocking all new certificate issuance. Before upgrading, confirm your rollback target is 1.17.7+. If you need to go below 1.17.7, downgrade to 1.17.7 first, stabilize, then continue. Also audit any code that relied on silent workflow ID reuse — it now gets a hard conflict error.

  • breakingHop-by-hop headers stripped on service invocation — check your apps

    Standard HTTP hop-by-hop headers (Connection, Keep-Alive, Transfer-Encoding, etc.) are now stripped during service invocation per RFC 7230. Any app relying on these headers passing through will silently break. Audit service invocation call sites and move to non-hop-by-hop equivalents before upgrading.

  • enhancementEnable workflow history signing for audit-sensitive workloads

    Workflow history signing is opt-in and disabled by default. It requires mTLS to be active. Before turning it on cluster-wide, let any in-flight unsigned workflows complete or purge them — enabling signing on a workflow that started unsigned is a hard verification error with no catch-up path. Once enabled, a tampered workflow is terminated and flagged with DAPR_WORKFLOW_HISTORY_TAMPERED, leaving the original state intact for forensic review. Good candidate for compliance-sensitive or multi-tenant workflow deployments.

Key changes (7)
  • Sentry now generates Ed25519 workload identity keys — rollback floor is 1.17.7; rolling back to 1.17.6 or earlier crashes Sentry
  • WorkflowAccessPolicy CRD added for per-operation allow-list access control between apps; default is open (no policy = all allowed)
  • Workflow history signing added (opt-in, one-way) for tamper detection via chained SPIFFE-signed event batches
  • HotReload is now GA and on by default — Components, Subscriptions, Configurations, Resiliencies, and more reload without sidecar restart
  • Jobs API graduates to stable; alpha RPCs deprecated but still functional — migrate app code to ScheduleJob/GetJob/DeleteJob
  • Workflow ID reuse semantics changed: creating a workflow with an existing active instance ID now returns a conflict error instead of silently overwriting
  • Java SDK minimum version bumped to Java 17; Spring Boot baseline moves to 3.5
Source

Envoy

Networking & MessagingJun 10, 2026

Envoy v1.35.12 is a minor patch with one runtime bug fix and two opt-in HTTP/2 cookie/header observability features. No breaking changes or CVEs.

  • breakingRTDS override deletion behavior changed — verify runtime guard defaults

    If you rely on RTDS to manage runtime guard overrides, test this fix in staging. Previously, deleting an override left the old value active; now it resets to the process default. Any automation that deleted overrides expecting them to persist will behave differently.

  • enhancementUse the new HTTP/2 cookie size limit to guard against oversized cookie headers

    The new envoy.reloadable_features.http2_max_cookies_size_in_kb flag is off by default. If your deployments accept untrusted HTTP/2 traffic, consider setting a reasonable limit to bound memory usage from reassembled cookie headers. Pair it with the new histograms to first measure your actual cookie sizes before choosing a cap.

Key changes (3)
  • Runtime bug fix: deleting an RTDS runtime guard override now correctly restores the process-wide default, instead of leaving the previous override in place.
  • New opt-in HTTP/2 header histograms (entry count, byte size, cookie length, cookie count) via envoy.reloadable_features.http2_record_histograms — note these will be removed in a future release.
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb lets you cap the size of the reassembled cookie header; no limit is enforced by default.
Source

Backstage

CI/CD & App DeliveryJun 10, 2026

Backstage v1.51.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Chaos Mesh

ObservabilityJun 10, 2026

Chaos Mesh v2.8.3 is a security-focused patch: critical/high CVEs addressed via Go 1.25.11 and containerd 1.7.32 upgrades, plus a NetworkChaos recovery bug fix.

  • securityUpgrade to v2.8.3 to patch critical/high CVEs

    The Go toolchain and containerd in the container images had critical/high CVEs. If you're running Chaos Mesh on release-2.8, upgrade to v2.8.3 now. No config changes needed — this is a drop-in image update.

  • breakingVerify NetworkChaos experiments involving crash-looping pods

    NetworkChaos recovery previously failed when the target container was in CrashLoopBackOff. v2.8.3 fixes this by falling back to the pause container's PID. If your test environments include intentionally crash-looping workloads, re-run those experiments to confirm recovery behaves correctly after the upgrade.

Key changes (5)
  • Go toolchain upgraded to 1.25.11 and containerd to 1.7.32 to patch critical/high container image CVEs
  • memStress helper rebuilt with updated Go toolchain (v0.3.1)
  • chaos-daemon image switched to headless JRE, reducing attack surface
  • NetworkChaos recovery now falls back to sandbox (pause) container PID when the target is in CrashLoopBackOff
  • Deprecated wait.PollImmediate replaced with wait.PollUntilContextTimeout in e2e tests
Source

Crossplane

Orchestration & ManagementJun 9, 2026

Crossplane v2.3.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

NATS

Networking & MessagingJun 9, 2026

NATS v2.12.11 is a single-fix patch release targeting a JetStream regression in v2.12.7 that caused stale subject state tracking and 'Message Not Found' errors on streams with per-subject message limits.

  • breakingUpgrade if you use max-messages-per-subject on any stream

    If you run NATS 2.12.7–2.12.10 and have streams configured with MaxMsgsPerSubject (max_msgs_per_subject), you are exposed to silent stale-state bugs that surface as 'Message Not Found' errors. These errors can cause consumers to miss messages or behave unpredictably. Upgrade to 2.12.11 immediately. If you are already on 2.14.x, you are not affected and no action is needed.

Key changes (4)
  • Fixed JetStream regression (introduced v2.12.7): stale subject state tracking caused 'Message Not Found' errors when max-messages-per-subject is configured
  • Go runtime updated to 1.25.11
  • v2.14.x is unaffected by this regression — only 2.12.7 through 2.12.10 users need to act
  • No other changes in this release
Source

CoreDNS

Kubernetes CoreJun 9, 2026

CoreDNS v1.14.4 delivers a broad set of targeted fixes and new capabilities: DNSSEC signing correctness fix, cache behavior improvements, forward plugin now resolves hostnames, and several transport security hardening items.

  • breakingDNSSEC signing behavior changed — review delegated zone setups

    The fix to sign each RRset with its owning zone rather than the query zone is technically correct, but if you have multi-zone DNSSEC setups with delegations, validate your signed responses after upgrading. Zones that were relying on the previous (incorrect) signing behavior may produce different signatures. Run dnssec-verify on a sample of records before cutting over in production.

  • enhancementUse hostname-based forward targets instead of hard-coded IPs

    The forward plugin now resolves hostnames for TO endpoints at runtime. If your CoreDNS configs currently pin upstream resolver IPs, you can switch to FQDNs and let CoreDNS handle resolution. This simplifies config management in environments where upstream IPs change (e.g., cloud-managed resolvers). Test in staging first — resolution failures at startup could affect forwarding.

  • enhancementRemove the 3600s cache TTL ceiling if longer TTLs are appropriate

    Cache TTLs were previously capped at 3600s regardless of the DNS record's actual TTL. That cap is gone. For stable records (root hints, internal authoritative zones) you can now set higher max_ttl values to reduce upstream query load. Audit your cache plugin config and raise max_ttl where it makes sense.

Key changes (5)
  • DNSSEC signing fix: RRsets are now signed with the zone that owns the name, not the query zone — this corrects a subtle but real signing correctness bug
  • Forward plugin now supports hostname resolution for TO endpoints, removing the need to pre-resolve IPs in configs
  • Cache TTL cap of 3600s removed; serve_stale gains an optional verify timeout; positive cache is preferred over SERVFAIL in negative cache
  • File plugin triggers zone reload on mtime change — no more manual reload signals for zone file updates
  • dnstap plugin now supports incoming connections; secondary plugin gains fallthrough support
Source

OpenTelemetry

ObservabilityJun 8, 2026

OTel Collector v0.154.0 fixes a startup crash in exporterhelper and changes --skip-get-modules behavior. Two minor enhancements add TLS and CORS config options.

  • securityinclude_insecure_cipher_suites is opt-in — keep it that way

    The new configtls option lets you re-enable weak cipher suites, but they stay disabled by default. Do not set include_insecure_cipher_suites: true in production unless you're forced to by a legacy peer — and if you are, treat it as a temporary workaround and track it.

  • breakingCheck custom build pipelines using --skip-get-modules

    If your OCB-based build scripts pass --skip-get-modules expecting go.mod to be regenerated as a side effect, that no longer happens. Audit any CI pipelines that relied on this implicit behavior and add an explicit go mod tidy step if needed.

  • enhancementUpgrade if you use sending_queue with sizer enabled

    The nil-pointer panic fix in exporterhelper is critical for anyone who sets sending_queue.sizer alongside batch.enabled: false. If your collector was crashing on startup in this config, v0.154.0 resolves it — upgrade directly.

Key changes (5)
  • cmd/builder: --skip-get-modules no longer rewrites go.mod — it now truly skips module operations as documented
  • pkg/exporterhelper: fixes nil-pointer panic at startup when sending_queue.sizer is set and sending_queue.batch.enabled is false
  • pkg/config/configtls: new include_insecure_cipher_suites option, disabled by default
  • pkg/confighttp: CORSConfig gains ExposedHeaders field to control Access-Control-Expose-Headers response header
  • cmd/mdatagen: numeric validators (minimum, maximum, exclusiveMinimum, exclusiveMaximum) now supported in generated config structs
Source

KEDA

Orchestration & ManagementJun 8, 2026

KEDA 2.20.1 fixes a critical race condition that caused panics during concurrent scaling and restores missing startup events for ScaledJobs. Upgrade required if running 2.20.0.

  • securityUpgrade to 2.20.1 if you saw panic crashes during concurrent scaling

    A concurrent map read/write race condition in the status update logic caused KEDA to panic when ScaledObjects or ScaledJobs scaled simultaneously (multiple triggers active at once). This is fixed in 2.20.1. If you experienced panics in 2.20.0 during periods of high scaling activity, upgrade immediately.

  • breakingReview breaking changes in v2.20.0 before upgrading

    KEDA 2.20.0 introduced breaking changes. If you operate KEDA clusters on versions before 2.20.0, review the v2.20.0 release notes at the GitHub link provided in the warning before upgrading to 2.20.1. Do not skip directly from < 2.20.0 to 2.20.1 without reading those notes first.

  • enhancementRestore ScaledJob scaler startup event visibility

    KEDA was failing to emit the KEDAScalersStarted event for ScaledJobs due to Kubernetes event aggregation key collision. Monitoring tools or dashboards relying on this event to track scaler initialization may have missed ScaledJob startup signals. Upgrade to 2.20.1 to restore proper event emission.

Key changes (3)
  • Fixed concurrent map read/write race condition causing panics during simultaneous trigger scaling
  • Fixed KEDAScalersStarted event not being emitted for ScaledJobs due to event aggregation key collision
  • Upgrade strongly recommended if running 2.20.0; breaking changes exist in 2.20.0 requiring careful review before upgrade from earlier versions
Source

gRPC

Networking & MessagingJun 8, 2026

gRPC v1.81.1 is a patch release fixing memory safety bugs on Windows and ARM, plus Python/Ruby housekeeping. No API-breaking changes.

  • breakingPython 3.9 and Ruby 3.1 are no longer supported

    If your services run gRPC Python on 3.9 or Ruby on 3.1, upgrading to v1.81.1 will break your build. Check your runtime versions before upgrading. Python 3.10+ and Ruby 3.2+ are the minimum now.

  • enhancementUpgrade Windows/ARM deployments to get memory safety fixes

    Two Windows EventEngine races and an ARM completion queue shutdown race are fixed. If you run gRPC servers on Windows or ARM-based hosts (e.g., Graviton), this patch is worth applying — use-after-free and assertion crashes are hard to reproduce but can cause random service failures.

  • enhancementprotobuf 7.x now allowed for gRPC Python

    The grpc-status package previously capped protobuf at <6.x. With the upper bound relaxed to 7.x, you can now unpin protobuf in Python services that use grpc-status alongside other libraries requiring newer protobuf versions.

Key changes (5)
  • EventEngine: two Windows-specific bugs fixed — a use-after-free and a race causing assertion errors
  • Core: completion queue shutdown race fixed on weak memory model architectures (ARM)
  • Python: dropped Python 3.9 support; protobuf dependency upper bound relaxed to allow 7.x
  • Ruby: dropped EOL Ruby 3.1 support; fixed CallCredentials reference leak
  • Python: AsyncIO observability support added
Source

Open Policy Agent (OPA)

SecurityJun 8, 2026

Security patch release upgrading Go to 1.26.4, fixing two stdlib vulnerabilities affecting OPA's HTTP handler and crypto builtins. No code changes from v1.17.0.

  • securityUpgrade to v1.17.1 immediately if using OPA's HTTP server or crypto builtins

    Two Go stdlib vulnerabilities (GO-2026-5039, GO-2026-5037) hit the HTTP handler and crypto builtins directly. If you run OPA as a server or use crypto-related Rego builtins, you're exposed on v1.17.0 and earlier. Drop-in replace with v1.17.1 — no config or policy changes needed. If you build your own OPA binaries, bump your Go toolchain to 1.26.4 yourself; this release doesn't change anything else.

Key changes (4)
  • Go runtime upgraded from 1.26.3 to 1.26.4
  • Fixes GO-2026-5039: stdlib vulnerability in OPA's HTTP handler
  • Fixes GO-2026-5037: stdlib vulnerability in OPA's crypto builtins
  • Zero functional changes from v1.17.0 — pure security patch
Source

Crossplane

Orchestration & ManagementJun 5, 2026

Patch release adding a v2 upgrade readiness scanner, a golang.org/x/net security fix, and a runtime bump. The new CLI command is the practical reason to upgrade now.

  • securityUpdate immediately for golang.org/x/net fix

    golang.org/x/net was updated to v0.55.0 to address a security issue. The release notes tag this as a security dependency update, so treat it as mandatory. Upgrade to v1.20.9 before the next planned maintenance window, don't wait for a convenient moment.

  • breakingTreat upgrade check findings as real blockers, not warnings

    The command reports usage of features that are removed or changed in v2 — native patch-and-transform Compositions, ControllerConfig, external secret stores, and unqualified package sources. These are not deprecation warnings; they are hard blockers. If your control plane has any findings, start migration work using the linked guides before attempting any v2 upgrade. Ignoring them and upgrading anyway will break running workloads.

  • enhancementRun upgrade check before any v2 planning work

    If your team is on a v1.x control plane and Crossplane v2 is anywhere on the roadmap, run `crossplane beta upgrade check` against your environment now. It surfaces exactly which Compositions, ControllerConfigs, and package references will block an upgrade — saving hours of manual audit. Pipe it with `-o json` into your CI pipeline to enforce a clean bill of health before any v2 upgrade PR is merged. The non-zero exit code makes gating trivial.

Key changes (5)
  • New `crossplane beta upgrade check` command scans a live control plane for v2 breaking changes before you upgrade
  • Checks cover native P&T Compositions, ControllerConfig usage, external secret stores, unqualified package sources, and connection details
  • Output is human-readable by default, JSON-capable via `-o json`, exits non-zero on blockers — CI-gate friendly
  • Each finding links directly to relevant migration guides and `crossplane beta convert` commands where applicable
  • Security update: golang.org/x/net bumped to v0.55.0; crossplane-runtime updated to v1.20.9
Source

Cortex

ObservabilityJun 5, 2026

v1.21.1 is a security-focused patch release addressing findings from a formal security audit, including XSS, gzip bomb, and memory amplification vulnerabilities — upgrade immediately.

  • securityUpgrade immediately — multiple audit findings patched

    This release backports fixes from a formal security audit (V01–V07). The vulnerabilities include a stored XSS on status pages, a gzip bomb in the OTLP ingestion path, memory amplification via malformed native histogram payloads, and gossip port exposure to flood/OOM attacks. These are not theoretical — they are exploitable by any client that can reach your Cortex endpoints. Upgrade to v1.21.1 now. After upgrading, review your -distributor.otlp-max-recv-msg-size setting; the default may be too permissive depending on your ingest volume.

  • securityAudit your /config endpoint exposure

    Prior to this release, Swift, etcd, Redis, and HTTP basic-auth credentials were exposed in plaintext on the /config endpoint. If that endpoint was accessible to internal users or scraping systems, treat those credentials as compromised and rotate them. Going forward, restrict /config access via network policy or auth middleware regardless of masking.

  • enhancementHarden memberlist gossip with new bounding flags

    Three new flags (-memberlist.packet-read-timeout, -memberlist.max-packet-size, -memberlist.max-concurrent-connections) cap inbound gossip TCP behavior. The defaults are reasonable, but if your Cortex cluster is exposed to less-trusted network segments or you've seen gossip-related OOM events, tune these explicitly. Add them to your Helm values or config management before the next planned maintenance window.

Key changes (7)
  • Stored XSS fixed in Alertmanager and Store Gateway status pages (text/template replaced with html/template)
  • Gzip decompression now capped by -distributor.otlp-max-recv-msg-size to prevent decompression bomb attacks
  • Native histogram protobuf size limited to 16 KB by default via -validation.max-native-histogram-size-bytes to block memory amplification
  • Memberlist gossip port hardened with new flags for packet read timeout, max packet size, and max concurrent connections
  • Credentials for Swift, etcd, Redis, and HTTP basic-auth are now masked on the /config endpoint
  • PushStream requests with mismatched TenantID are rejected; HMAC-SHA256 stream auth added via -distributor.sign-write-requests-keys
  • Panic fixed when grpc_compression is set to snappy on ingester or store-gateway clients
Source

OpenFGA

SecurityJun 5, 2026

v1.17.1 is a focused patch fixing two correctness bugs: stale cache reads and broken continuation tokens with pipe characters in type names.

  • securityStale cache reads could return incorrect authorization decisions — patch now

    The iterator cache was using write time rather than query start time as the LastModified anchor, meaning cached entries could persist beyond the intended validity window and serve stale data. In an authorization system, a stale 'allow' decision is a real risk. This is fixed in v1.17.1; upgrade immediately if you run with caching enabled.

  • breakingAudit type names with '|' if pagination was silently breaking

    If your FGA model uses type names containing the pipe character '|', continuation tokens were being deserialized incorrectly. This could cause ListObjects or similar paginated calls to return incomplete or wrong results without throwing obvious errors. Upgrade to v1.17.1 and re-test any pagination flows that touch those type names.

  • enhancementv2Check throttling fallback removed — verify your error handling

    Previously, v2Check would fall back to v1 behavior under throttling or validation errors, masking the actual problem. Now it surfaces those errors directly. If your application swallows check errors silently or assumes fallback behavior, you may start seeing errors that were previously hidden. Test under load before rolling out to production.

Key changes (5)
  • Fixed stale-read bug in iterator cache: query start time now anchors the LastModified timestamp, preventing cached entries from surviving longer than intended
  • Fixed continuation token deserializer failing when type names contain the '|' character, which would silently break pagination
  • v2Check no longer falls back to v1 behavior when throttling or validation errors occur, enforcing stricter execution semantics
  • Go toolchain bumped to 1.26.4 and grpc-health-probe updated to v0.4.52
  • Caching documentation updated to reflect current behavior
Source

Linkerd

Networking & MessagingJun 5, 2026

Mostly a dependency maintenance release with two proxy bumps (v2.355.0, v2.356.0) and a fix for ReadAllLimit byte boundary handling.

  • enhancementTwo proxy versions in one release — check proxy changelogs separately

    This edge release packages proxy v2.355.0 and v2.356.0 together, meaning two rounds of proxy changes landed at once. If you track proxy behavior closely (traffic policy, retries, protocol detection), pull the proxy-specific changelogs before rolling this out to staging. The combined nature makes it harder to bisect if you hit regressions.

  • enhancementReadAllLimit fix may affect request body handling edge cases

    The ReadAllLimit fix allows inputs that hit the exact byte boundary to pass through correctly. If you have services where request bodies are crafted to exactly match a configured limit — common in API gateways or body-size validation scenarios — this corrects previously incorrect rejection behavior. No config changes needed, but worth validating if you saw unexpected 413-style rejections.

Key changes (5)
  • Proxy updated twice: v2.355.0 and v2.356.0 — both included in this single edge release
  • Fixed ReadAllLimit to correctly accept inputs exactly at the byte limit (off-by-one style bug)
  • hyper HTTP library bumped to 1.10.1 (Rust proxy dependency)
  • prometheus/common updated to 0.68.1 across two incremental bumps
  • Frontend deps updated: webpack-cli 7.0.3, query-string 9.4.0, launch-editor 2.14.1
Source

Istio

Networking & MessagingJun 4, 2026

Istio 1.29.4 patches a high-severity DoS CVE in Envoy plus six bug fixes, including a critical ambient mode traffic routing bug that could silently send traffic to unhealthy endpoints cluster-wide.

  • securityPatch CVE-2026-47774 immediately — unauthenticated HTTP/2 DoS

    CVE-2026-47774 lets any unauthenticated attacker exhaust Envoy's memory via crafted HTTP/2 requests. Cookie header bytes aren't fully counted in header size validation, and HPACK limits apply only to encoded bytes — not decoded totals. If you're on 1.29.x, upgrade to 1.29.4 now. This is exploitable from outside the mesh wherever Envoy terminates HTTP/2, including ingress gateways.

  • breakingAmbient mode users: audit Services using publishNotReadyAddresses + traffic distribution

    If any Service in your ambient mesh combines publishNotReadyAddresses:true with PreferSameZone or PreferSameNode traffic distribution, every other Service sharing that traffic-distribution preset was receiving healthPolicy:AllowAll — meaning traffic could route to not-ready endpoints across the entire cluster. After upgrading to 1.29.4, verify endpoint health policies are correct. Check ztunnel logs for unexpected AllowAll entries before and after the upgrade to confirm the fix took effect.

  • enhancementCNI on older kernels: nftables fallback now automatic

    Hosts running an nft binary compiled without JSON support were causing the CNI agent to log errors and retry indefinitely on every pod removal — a silent drain on the agent's reliability. The new startup check detects this and switches to iptables automatically. No action needed for most users, but if you've been seeing 'JSON support not compiled-in' errors in CNI agent logs, this fix resolves the root cause.

Key changes (5)
  • CVE-2026-47774 (CVSS 7.5): Envoy memory exhaustion via crafted HTTP/2 requests exploiting cookie header accounting gaps and HPACK decoded-size limits
  • Ambient mode bug fix: a single Service with publishNotReadyAddresses:true + traffic distribution preset was poisoning healthPolicy for all other Services sharing that preset
  • CNI agent now detects nft binary JSON support at startup and falls back to iptables backend instead of retrying indefinitely on every pod removal
  • Fixed concurrent map writes panic in istio-cni when two pods joined ambient mesh simultaneously on the same node
  • HTTPS listeners via ListenerSet now correctly deliver TLS certificates when the parent Gateway uses manual deployment
Source

Istio

Networking & MessagingJun 4, 2026

Istio 1.28.8 patches a high-severity DoS CVE in Envoy's HTTP/2 memory handling, plus three bug fixes covering TLS delivery, route filter status reporting, and a nasty ambient mode health policy contamination bug.

  • securityPatch CVE-2026-47774 immediately if you expose HTTP/2 endpoints

    An unauthenticated attacker can crash your Envoy sidecars by sending specially crafted HTTP/2 requests that bypass header size validation — cookie bytes aren't counted properly, and HPACK limits apply only to encoded size, not decoded. Any cluster accepting external or untrusted HTTP/2 traffic is at risk. Upgrade to 1.28.8 now. If you can't upgrade immediately, consider adding Envoy-level request header size limits or WAF rules to filter malformed HTTP/2 frames as a temporary measure.

  • breakingAudit ambient mode clusters using publishNotReadyAddresses with zonal traffic distribution

    If you run ambient mode and any Service sets publishNotReadyAddresses:true alongside PreferSameZone or PreferSameNode, you've likely been routing traffic to not-ready endpoints across your entire cluster — not just for that Service, but for every Service sharing the same traffic-distribution preset. This is a silent data-plane correctness bug. After upgrading, verify endpoint health behavior across affected Services and check whether any downstream systems received traffic from unhealthy pods during the window this was active.

  • enhancementFix for silent route filter drops enables reliable config debugging

    Previously, HTTPRoute or GRPCRoute filters with invalid header values would vanish from Envoy config without any status signal — making it nearly impossible to diagnose why traffic wasn't behaving as expected. Now Istio reports an invalid filter status, which surfaces in the Gateway API resource status. After upgrading, re-check any routes you may have debugged by guesswork; the explicit status message will clarify whether a header filter was rejected.

Key changes (4)
  • CVE-2026-47774 (CVSS 7.5): Unauthenticated attackers can exhaust Envoy memory via crafted HTTP/2 requests exploiting gaps in cookie header accounting and HPACK decoded size limits
  • HTTPS listeners on ListenerSet with manual Gateway deployment now correctly deliver TLS certificates
  • HTTPRoute/GRPCRoute filters with invalid header values now report an invalid filter status instead of silently disappearing from Envoy config
  • Critical ambient mode fix: a Service with publishNotReadyAddresses:true plus PreferSameZone/PreferSameNode no longer poisons healthPolicy for all other Services sharing the same traffic-distribution preset
Source

Istio

Networking & MessagingJun 4, 2026

Istio 1.30.1 patches a high-severity DoS CVE in Envoy's HTTP/2 handling plus fixes 13 bugs including a CNI agent panic, a traffic distribution poison bug, and a consistent hash load balancing regression.

  • securityPatch CVE-2026-47774 immediately — unauthenticated HTTP/2 DoS

    An attacker can exhaust Envoy's memory using crafted HTTP/2 requests that exploit gaps in Cookie header accounting and HPACK decoded-size limits. No authentication required. If you're running any Istio 1.30.x version, upgrade to 1.30.1 now. Check whether your ingress gateways are exposed to untrusted traffic — those are the highest-risk surfaces.

  • breakingAmbient users with traffic distribution policies: audit Services immediately

    If you use ambient mode with any Service that sets publishNotReadyAddresses: true alongside PreferSameZone or PreferSameNode traffic distribution, the bug caused ztunnel to apply healthPolicy: AllowAll to OTHER unrelated Services sharing that preset. This means traffic has potentially been routed to not-ready endpoints across your cluster. After upgrading to 1.30.1, verify endpoint health state and check whether any unexpected traffic reached unready pods.

  • enhancementRun 'istioctl analyze' after upgrading to catch stale Gateway API CRDs

    Upgrading Istio without updating Gateway API CRDs was silently breaking TLS passthrough in 1.30.0 — istiod would filter resources without any visible error. The new IST0176 check surfaces this. After upgrading, run istioctl analyze and resolve any IST0176 findings before they cause silent routing failures in production.

Key changes (5)
  • CVE-2026-47774 (CVSS 7.5): Envoy HTTP/2 memory exhaustion via crafted Cookie headers and HPACK decoding — patch immediately
  • Fatal CNI agent panic fixed: concurrent pod additions to ambient mesh on the same node triggered a map write race
  • Ambient mode traffic distribution bug: publishNotReadyAddresses + PreferSameZone/Node could corrupt healthPolicy for unrelated Services cluster-wide
  • New istioctl analyze check IST0176 detects stale Gateway API CRDs below Istio's minimum required version
  • nftables backend now falls back to iptables if the host's nft binary lacks JSON support, ending infinite retry loops on CNI pod removal
Source

Envoy

Networking & MessagingJun 4, 2026

v1.38.1 is a security-focused patch addressing two HTTP/2 CVEs and two oauth2 vulnerabilities — upgrade immediately if running HTTP/2 or oauth2 filter.

  • securityPatch HTTP/2 and oauth2 CVEs now — don't wait for your next maintenance window

    Two HTTP/2 CVEs (cookie-bomb memory exhaustion via HPACK and nghttp2 CVE-2026-27135) plus two oauth2 bugs (timing oracle and a crash-as-auth-bypass) make this a must-apply patch. If you're running the oauth2 filter, the HMAC timing side-channel is particularly nasty — attackers could probe HMAC secret validity over time. Upgrade to v1.38.1 immediately. The new HTTP/2 header limit behavior is enabled by default; only revert with `envoy.reloadable_features.http2_include_cookies_in_limits` if you have a specific, documented reason.

  • breakingUpstream failure reason stripped from HTTP response bodies — check your client error handling

    Any downstream client or API consumer that parses or displays the upstream transport failure reason from the HTTP response body will now get nothing. The information is still in access logs. Audit your clients and dashboards before upgrading — if something depends on that response body content, you have a short window to either update the client or re-enable the old behavior with `envoy.reloadable_features.hide_transport_failure_reason_in_response_body`.

  • breakingEDS batch LB rebuild coalescing is now opt-in — test under high-churn service discovery

    Load balancer rebuild coalescing during EDS batch host updates is disabled by default. Environments with large EDS clusters and frequent host churn (e.g., Kubernetes rolling deployments with many pods) may see increased CPU from more frequent LB rebuilds. Benchmark your control-plane interaction patterns after upgrading. Re-enable the old behavior with `envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update` if you observe performance regression.

Key changes (5)
  • CVE-2026-47774: HTTP/2 streams now reset on max header list size violations; uncompressed cookies count toward header size/count limits to block HPACK cookie-bomb attacks
  • CVE-2026-27135: nghttp2 patch applied — affects all HTTP/2 traffic
  • oauth2: timing side-channel in HMAC verification fixed, preventing secret validity leakage
  • oauth2: crash fixed where AES-CBC decryption could spuriously succeed on secret mismatch (~1/256 probability), triggering a HeaderString assert
  • Router no longer includes upstream transport failure reason in HTTP response body — only in access logs via %UPSTREAM_TRANSPORT_FAILURE_REASON%
Source

Keycloak

SecurityJun 4, 2026

Keycloak 26.6.3 is a critical security release fixing 16 CVEs spanning OIDC, SAML, LDAP, WebAuthn, and authorization services. Upgrade immediately.

  • securityUpgrade to 26.6.3 now — 16 CVEs, several high-severity

    This release patches a dense cluster of vulnerabilities. The most dangerous include: CVE-2026-9704 (privilege escalation via silent subject_token removal in token exchange), CVE-2026-4874 (SSRF via OIDC token endpoint), CVE-2026-9802 (rotated refresh token reuse after server restart with revokeRefreshToken=true), and CVE-2026-8830 (missing WebAuthn server-side validation). If you're running any 26.x version, treat this as an emergency patch. Review the migration guide before upgrading, but don't delay the upgrade waiting for a maintenance window — schedule one immediately.

  • securityAudit redirect URI configs after wildcard matching fix

    CVE fix for wildcard redirect URI matching (issue #48430) changes enforcement behavior — '*' placed directly after a hostname no longer matches arbitrary subdomains or paths. After upgrading, verify that legitimate client redirect URIs still work correctly in your environments. Any client relying on overly broad wildcard patterns should be tightened anyway; this is a good forcing function.

  • securityReview LDAP federation and token exchange configurations

    Two targeted vectors: CVE-2026-9801 allows DoS via malformed PasswordPolicyControl in LDAP federation — if you expose LDAP federation to partially-trusted inputs or have external-facing auth flows backed by LDAP, this is high priority. CVE-2026-9704 affects any realm using token exchange with subject_token; the fix prevents silent removal of subject_token from escalating privileges. Confirm your token exchange policies are scoped correctly post-upgrade.

Key changes (5)
  • 16 CVEs patched: privilege escalation via token exchange, SSRF on OIDC endpoint, CORS header reflection from unverified JWT claims, WebAuthn registration bypass, and more
  • Refresh token revocation bypass fixed: server restarts no longer reset startupTime, closing a window where rotated tokens could be reused when revokeRefreshToken=true
  • Wildcard redirect URI matching now enforces host boundaries — previous behavior allowed subdomain/path bypass attacks
  • ROPC grant client policy enforcement and token introspection notBefore handling both patched to close privilege escalation paths
  • Startup check added for missing DB indexes; SQL Server case-sensitive collation upgrade failure fixed
Source
← NewerOlder →