RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Dragonfly

Storage & DataMar 11, 2026

Dragonfly v2.4.3 is a pure maintenance release focusing on dependency updates and security patches, with no functional changes for users.

  • securityApply routine security updates

    This patch release includes dependency updates that may contain security fixes. Update your Dragonfly deployments to v2.4.3 during your next maintenance window. The upgrade should be seamless with no breaking changes or configuration updates required.

  • enhancementImproved observability with OpenTelemetry updates

    The OpenTelemetry library updates from v0.63.0 to v0.67.0 provide better tracing capabilities. If you're using distributed tracing with Dragonfly, you may see improved trace collection and reduced overhead after upgrading.

Key changes (5)
  • Updated OpenTelemetry libraries from v0.63.0 to v0.67.0 for improved observability
  • Upgraded Docker actions to v4.0.0 for GitHub CI/CD workflows
  • Bumped Golang system dependencies including oauth2 and sys packages
  • Updated d7y.io/api to v2.2.24 for latest API compatibility
  • Refreshed GitHub Actions dependencies for stale issue management
Source

Envoy

Networking & MessagingMar 11, 2026

Envoy v1.37.1 is a critical security patch addressing five CVEs including crash vulnerabilities and RBAC bypasses. Teams running production Envoy should prioritize immediate updates.

  • securityApply critical CVE fixes immediately

    Five CVEs fixed including crash conditions in rate limiting and IPv6 handling, plus an RBAC bypass. Test your deployment in staging first, then schedule emergency maintenance to update production clusters within 24-48 hours.

  • enhancementReview OAuth2 and ext_authz configurations

    If you use OAuth2 refresh tokens, verify host header behavior works correctly after the fix. For ext_authz users, check that error handling now properly respects your status_on_error settings and denied response headers reach clients as expected.

  • enhancementValidate ext_proc filter chains

    Multiple ext_proc filters in a chain now work correctly. If you previously avoided chaining due to bugs, test this functionality in your development environment to simplify complex processing pipelines.

Key changes (5)
  • Fixed five security vulnerabilities including rate limit crash, multivalue header RBAC bypass, and IPv6 address crash
  • Resolved OAuth2 host header rewriting issue affecting refresh token requests
  • Enhanced ext_proc filter to support multiple filters in chain configuration
  • Improved ext_authz error handling for 5xx responses and proper header propagation
  • Introduced extended ABI forward compatibility for dynamic modules
Source

Envoy

Networking & MessagingMar 11, 2026

Envoy v1.36.5 delivers critical security patches addressing five CVEs including crash vulnerabilities in rate limiting, RBAC bypass issues, and memory corruption bugs that require immediate upgrading.

  • securityUpgrade immediately for critical crash fixes

    Multiple CVEs can cause Envoy crashes or memory corruption. The rate limiting crash (CVE-2026-26330) and IPv6 address handling bug (CVE-2026-26310) pose immediate availability risks. Schedule emergency maintenance windows to deploy this patch, especially if you use rate limiting or handle IPv6 traffic.

  • securityReview RBAC policies for multivalue header bypass

    CVE-2026-26308 allowed bypassing RBAC rules through multivalue headers. After upgrading, audit your RBAC configurations to ensure they weren't exploited and verify that header-based access controls work as expected in your environment.

  • enhancementTest OAuth2 workflows after host rewriting fix

    The OAuth2 refresh bug fix changes how host headers are handled during authentication flows. If you use Envoy for OAuth2 with custom host rewriting rules, test your authentication workflows thoroughly after upgrading to ensure tokens refresh correctly.

Key changes (5)
  • Five CVE fixes covering rate limit crashes, RBAC multivalue header bypass, IPv6 address handling crashes, JSON string corruption, and HTTP decode method blocking
  • OAuth2 refresh request bug fix preventing host rewriting from overriding original Host values
  • Migration from internal googleurl to open source Google GURL library
  • Kafka test binary updated to version 3.9.2
  • Docker base image security updates
Source

Envoy

Networking & MessagingMar 10, 2026

Envoy v1.35.9 delivers critical security patches for four CVEs affecting RBAC, IPv6 handling, JSON processing, and HTTP decoding, plus OAuth2 host rewriting fixes.

  • securityUpgrade immediately for critical security fixes

    Four CVEs fixed in this release could lead to authentication bypass, crashes, and memory corruption. Schedule immediate deployment especially if using RBAC policies, IPv6 networking, JSON processing, or experiencing downstream connection resets. Test thoroughly in staging first as security fixes can affect request handling behavior.

  • enhancementValidate OAuth2 host rewriting behavior

    OAuth2 refresh requests now correctly preserve original Host headers instead of being overridden. If your setup relies on custom host rewriting for OAuth2 flows, verify that authentication still works as expected after upgrading. This change improves compliance with OAuth2 specifications.

Key changes (5)
  • Four CVE fixes addressing RBAC multivalue header bypass, IPv6 crash, JSON corruption, and HTTP decode blocking issues
  • OAuth2 refresh requests now preserve original Host header values during host rewriting
  • Migration from internal googleurl to open GitHub repository (google/gurl)
  • Kafka test binary updated to version 3.9.2
  • Docker base images refreshed to latest versions
Source

containerd

Kubernetes CoreMar 10, 2026

containerd 2.2.2 fixes critical CRI networking bugs, registry credential leakage, and AppArmor compatibility issues that could affect production Kubernetes workloads.

  • securityUpdate to prevent registry credential exposure

    Registry credentials could leak in error messages and pod events. Deploy this patch immediately if you use private registries with authentication, as these credentials might appear in logs or Kubernetes events that could be accessed by unauthorized users.

  • breakingFix CNI network cleanup after restarts

    CNI DEL operations weren't executing after containerd restarts, leaving stale network configurations. This affects pod networking reliability. Update before your next maintenance window to prevent network namespace leaks and potential IP conflicts.

  • enhancementUpgrade for AppArmor compatibility

    AppArmor profiles now work correctly with unix domain sockets on modern kernels. If you're running newer kernel versions and experiencing socket connection issues with AppArmor enabled, this update resolves the compatibility problem.

Key changes (5)
  • Fixed CNI cleanup issue where network teardown failed after containerd restarts
  • Resolved credential leakage in error messages when registry authentication fails
  • Fixed AppArmor profile causing unix socket failures on newer kernels
  • Corrected registry mirror configuration migration for legacy setups
  • Fixed nil pointer crashes in memory metrics when constraints are partially configured
Source

Envoy

Networking & MessagingMar 10, 2026

Critical security patch addressing four CVEs including RBAC bypass, IPv6 crash, memory corruption, and HTTP decode vulnerabilities that require immediate upgrade.

  • securityUpgrade immediately for RBAC bypass fix

    CVE-2026-26308 allows attackers to bypass RBAC policies using multivalue headers. This directly impacts access control security. Schedule emergency maintenance to upgrade all Envoy instances, especially those using RBAC for authorization.

  • securityPatch IPv6 crash vulnerability in production

    CVE-2026-26310 causes crashes when processing scoped IPv6 addresses, leading to service disruption. If you handle IPv6 traffic or run dual-stack configurations, prioritize this upgrade to prevent potential DoS attacks.

  • securityAddress JSON processing memory corruption

    CVE-2026-26309 corrupts string null terminators during JSON processing, potentially leading to memory corruption or information disclosure. Update immediately if your services process JSON payloads through Envoy.

Key changes (5)
  • Fixed CVE-2026-26308 multivalue header bypass in RBAC that could allow unauthorized access
  • Resolved CVE-2026-26310 crash vulnerability when processing scoped IPv6 addresses
  • Patched CVE-2026-26309 off-by-one memory write bug in JSON processing
  • Fixed CVE-2026-26311 HTTP decode method vulnerability after downstream resets
  • Corrected OAuth2 refresh request host rewriting behavior
Source

cert-manager

SecurityMar 10, 2026

cert-manager v1.20.0 introduces Gateway API ListenerSet support, Azure Private DNS integration, and promotes OtherNames to Beta, while fixing several ACME and DNS-related bugs.

  • securityUpdate for DNS DoS vulnerability fix

    A moderate security issue allowed attackers to cause controller denial-of-service through malformed DNS responses. Update immediately if your cert-manager controllers are exposed to untrusted DNS servers or networks where DNS traffic could be manipulated.

  • breakingContainer UID/GID changes affect security contexts

    Default container user changed from UID 1000 to 65532, and group from GID 0 to 65532. Review your pod security policies, security contexts, and file permissions if you've hardcoded these values or rely on root group access.

  • enhancementEnable Azure Private DNS for internal certificate management

    New Azure Private DNS support allows DNS-01 challenges for private zones. Configure your Azure DNS issuer with private zone settings to manage certificates for internal services without exposing DNS records publicly.

Key changes (5)
  • Gateway API ListenerSet resource support with experimental feature gate
  • Azure Private DNS zones support for DNS-01 challenges
  • OtherNames feature promoted to Beta and enabled by default
  • Network policy configuration flags across all containers
  • Enhanced Venafi provider with custom fields annotation support
Source

Harbor

Storage & DataMar 10, 2026

Harbor v2.13.5 focuses on security improvements with stricter bearer token validation and removes sensitive configuration data from audit logs.

  • securityBearer token security enforcement requires review

    Harbor now rejects bearer tokens issued before project creation, which could break existing integrations using older tokens. Audit your CI/CD pipelines and automation scripts that authenticate with Harbor to ensure they regenerate tokens after this upgrade.

  • enhancementAudit log cleanup improves security posture

    Configuration payloads are no longer logged in audit trails, reducing exposure of sensitive settings. Review your log monitoring and compliance processes to ensure they still capture necessary security events without relying on configuration data in logs.

  • enhancementUpdated Trivy brings latest vulnerability definitions

    Trivy v0.69.3 includes newer vulnerability databases and detection rules. Schedule a rescan of your container images to identify any newly discovered vulnerabilities that weren't caught in previous scans.

Key changes (5)
  • Removed payload from configuration audit logs to prevent sensitive data exposure
  • Enhanced bearer token security by rejecting tokens issued before project creation
  • Updated Trivy scanner to v0.69.3 and adapter to v0.35.1 for latest vulnerability detection
  • Upgraded Go runtime and base container images for security patches
  • Fixed CI pipeline compatibility with newer Docker versions
Source

Harbor

Storage & DataMar 10, 2026

Harbor v2.14.3 delivers critical security fixes for bearer token validation and updates Trivy scanner to version 0.69.3, focusing on hardening authentication mechanisms and keeping vulnerability detection current.

  • securityUpdate immediately for bearer token fix

    This release patches a security flaw where Harbor accepted bearer tokens issued before project creation. Deploy v2.14.3 immediately if you use token-based authentication, as this could allow unauthorized access to projects.

  • enhancementBenefit from updated Trivy scanning

    Trivy v0.69.3 includes the latest vulnerability database and detection capabilities. Schedule a rescan of your critical images after upgrading to catch newly discovered vulnerabilities that older versions missed.

  • enhancementReview audit log configurations

    Sensitive payload data has been removed from configuration audit logs to prevent credential exposure. Verify your log monitoring tools still capture the security events you need after this change.

Key changes (5)
  • Bearer token security fix preventing acceptance of tokens issued before project creation
  • Trivy vulnerability scanner updated to v0.69.3 with adapter v0.35.1
  • Configuration audit log no longer includes sensitive payload data
  • Base image refresh and Go dependency updates for improved security posture
  • GitHub Actions workflows migrated to ubuntu-latest runners
Source

NATS

Networking & MessagingMar 9, 2026

NATS v2.12.5 delivers critical security fixes for leafnode compression and WebSocket vulnerabilities, while significantly improving JetStream backup performance and fixing numerous stability issues in filestore operations.

  • securityUpdate immediately for critical CVE fixes

    Two CVEs affect production systems: CVE-2026-29785 impacts leafnode compression and CVE-2026-27889 affects WebSocket connections. Both can cause server panics or security issues. Schedule maintenance window to update all NATS servers running v2.12.4 or earlier.

  • enhancementOptimize JetStream backups for unreliable networks

    Stream backups now support window_size parameter for better flow control. If you run backups over slow or unreliable connections, configure appropriate window sizes to improve throughput and reduce backup failures. Test with your network conditions to find optimal values.

  • enhancementReview async metalayer snapshot behavior

    Metalayer snapshots now run asynchronously to prevent blocking JS API operations. This improves performance but changes timing behavior. If your applications rely on synchronous snapshot timing, set `meta_compact_sync: true` in jetstream config block to restore previous behavior.

Key changes (5)
  • Critical CVE fixes for leafnode compression (CVE-2026-29785) and WebSocket parsing (CVE-2026-27889)
  • JetStream stream backups now use improved flow control with window_size parameter for better performance over unreliable connections
  • Metalayer snapshots now run asynchronously by default to prevent blocking JS API operations
  • Fixed multiple filestore race conditions and lock leaks that could cause crashes or performance degradation
  • WebSocket handling improvements including proper frame validation and compression state management
Source

NATS

Networking & MessagingMar 9, 2026

NATS v2.11.14 is a critical security release addressing two CVEs affecting leafnode compression and WebSocket features, plus multiple stability fixes to prevent server panics.

  • securityUpgrade immediately if using leafnodes or WebSockets

    Two CVEs affect common NATS configurations. If you have leafnode compression or WebSocket features enabled, upgrade immediately to prevent potential security exploits. Check your configuration for 'compression: enabled' in leafnode sections or 'websocket' listeners.

  • securityReview WebSocket Origin validation settings

    Origin header validation now includes protocol scheme verification. Audit your WebSocket client configurations to ensure they specify correct origins (including https:// or wss:// schemes) to avoid connection rejections after upgrade.

  • enhancementMonitor for reduced panic incidents

    This release fixes multiple panic conditions in leafnode and WebSocket handling. After upgrading, you should see fewer unexpected server restarts. Review your monitoring dashboards to confirm improved stability metrics.

Key changes (5)
  • Fixes CVE-2026-29785 affecting leafnode compression systems
  • Fixes CVE-2026-27889 affecting WebSocket-enabled deployments
  • Prevents server panics from leafnode subscription race conditions
  • Improves WebSocket frame parsing and payload validation
  • Enhanced Origin header validation for WebSocket security
Source

Open Policy Agent (OPA)

SecurityMar 9, 2026

OPA v1.14.1 is a patch release that reverts rule indexer changes causing lookup failures and fixes a plugin manager deadlock, while updating dependencies for security vulnerabilities.

  • securitySecurity updates in dependencies

    This release includes Go 1.26.1 and updated dependencies that patch known vulnerabilities. Schedule this upgrade as part of your regular security maintenance cycle, especially if you're running OPA in production.

  • breakingUpgrade immediately if using v1.14.0

    The rule indexer changes in v1.14.0 cause policy lookup failures for some configurations. Deploy v1.14.1 to restore reliable policy evaluation. The optimization will return in v1.15.0 with proper fixes.

  • enhancementPlugin manager stability improved

    The deadlock fix resolves intermittent hangs during configuration operations. If you've experienced unexplained OPA freezes during plugin configuration, this release should eliminate those issues.

Key changes (4)
  • Reverted rule indexer optimization from v1.14.0 that caused unexpected policy lookup failures
  • Fixed intermittent deadlock in plugins manager during opa.configure operations
  • Updated Go to version 1.26.1 and refreshed dependency versions
  • Addressed various Golang standard library and package vulnerabilities
Source

Dapr

Orchestration & ManagementMar 6, 2026

Dapr 1.16.10 fixes critical WASM component registration failures on production architectures and patches security vulnerabilities in Go runtime and OpenTelemetry SDK.

  • securityUpdate for Go runtime and OpenTelemetry security patches

    This release patches vulnerabilities in Go 1.25.7 (crypto/tls, go command) and OpenTelemetry SDK (arbitrary code execution via PATH hijacking). Plan your upgrade within your normal security patching window, prioritizing environments where PATH manipulation is possible.

  • breakingUpgrade immediately if using WASM components

    WASM binding and middleware components have been completely broken on production architectures since v1.16.0. If you're using these components and running v1.16.0-v1.16.9, upgrade to v1.16.10 immediately as your WASM components are silently failing to register.

  • enhancementReview Pulsar Avro message publishing for early error detection

    Pulsar PubSub now validates JSON messages against Avro schemas before publishing, catching malformed data earlier. Test your Pulsar publishing workflows to ensure they handle the new validation errors gracefully and benefit from faster codec performance.

Key changes (5)
  • Fixed WASM binding and middleware components failing to register on amd64/arm64 architectures due to filename collision with Go build constraints
  • Added Pulsar PubSub Avro schema validation to prevent malformed messages from being published without error feedback
  • Updated Go runtime to 1.25.7 with security fixes for crypto/tls and go command vulnerabilities
  • Upgraded OpenTelemetry SDK to v1.40.0 to patch arbitrary code execution vulnerability (GO-2026-4394)
  • Cached Pulsar Avro codec compilation at initialization for improved publishing performance
Source

CoreDNS

Kubernetes CoreMar 6, 2026

CoreDNS v1.14.2 delivers critical security fixes including ACL bypass prevention and stronger loop detection randomness, plus introduces proxy protocol support for preserving client IPs behind load balancers.

  • securityUpgrade immediately to fix ACL bypass vulnerability

    This release fixes CVE-2026-26017 where the rewrite plugin could bypass ACL restrictions. Teams using ACL plugin for access control should prioritize this upgrade and verify their rewrite rules aren't inadvertently exposing restricted zones.

  • securityUpdate Go runtime for multiple CVE fixes

    The Go 1.26.1 update addresses five CVEs in the runtime. Plan your rollout to ensure you're getting both CoreDNS fixes and the underlying Go security improvements, especially if your CoreDNS instances are internet-facing.

  • enhancementDeploy proxyproto plugin for load balancer environments

    If you're running CoreDNS behind load balancers and need real client IP visibility for logging or ACLs, configure the new proxyproto plugin. This is particularly valuable for environments where client IP-based policies or audit trails are required.

Key changes (5)
  • New proxyproto plugin enables client IP preservation behind load balancers using Proxy Protocol
  • Fixed ACL bypass vulnerability by reordering rewrite plugin execution before ACL checks
  • Strengthened loop detection security by switching to cryptographically secure randomness
  • Resolved TLS+IPv6 forwarding parsing errors that affected encrypted DNS traffic
  • Enhanced DNS logging with response Type and Class metadata for better observability
Source

Strimzi

Networking & MessagingMar 6, 2026

Strimzi 0.51.0 addresses critical CVEs and drops support for Kubernetes versions below 1.30, while adding Kafka 4.2.0 support and moving ServerSideApplyPhase1 to beta.

  • securityUpgrade immediately for CVE fixes

    Two critical CVEs affect Strimzi 0.47.0 and newer versions. Review the security advisories to determine if your deployment is affected, then upgrade to 0.50.1 or 0.51.0 immediately. The CVE numbers appear to be from 2026, which suggests these may be embargoed vulnerabilities with delayed disclosure.

  • breakingVerify Kubernetes compatibility before upgrading

    Strimzi 0.51.0 requires Kubernetes 1.30+. Check your cluster version before upgrading. If running Kubernetes 1.27-1.29, upgrade your cluster first or remain on an earlier Strimzi version until cluster upgrade is possible.

  • breakingUpdate CRDs and KafkaUser resources during upgrade

    Manually upgrade CRDs as part of the Strimzi upgrade process, especially when using Helm. For clusters upgrading from 0.48 or older, update KafkaUser resources to use the new `.spec.authorization.acls[]operations` field format before upgrading.

Key changes (5)
  • Critical security fixes for CVE-2026-27133 and CVE-2026-27134 requiring immediate upgrade from versions 0.47.0+
  • Kubernetes 1.30+ now required - versions 1.27, 1.28, and 1.29 no longer supported
  • Added Kafka 4.2.0 support while removing Kafka 4.0.0 and 4.0.1 compatibility
  • Per-listener Kafka configuration options now available for connection limits and reauthentication settings
  • Ingress listener type deprecated due to upstream project archival in March 2026
Source

Keycloak

SecurityMar 5, 2026

Keycloak 26.5.5 is a critical security release addressing four SAML broker vulnerabilities that could allow authentication bypass and unauthorized access in production environments.

  • securityImmediate upgrade required for SAML users

    These CVEs affect SAML broker configurations and could allow authentication bypass. If you use SAML identity providers or broker functionality, schedule emergency maintenance to upgrade immediately. Review your disabled SAML providers to ensure they're properly secured post-upgrade.

  • securityAudit SAML broker configurations

    After upgrading, verify that disabled SAML identity providers are truly disabled and cannot process authentication requests. Check your IdP-initiated login flows and ensure encryption is working correctly for SAML assertions.

Key changes (4)
  • Fixed CVE-2026-3047: SAML broker authentication bypass when disabled client completes IdP-initiated login
  • Resolved CVE-2026-3009: Improper enforcement of disabled identity providers in broker service
  • Patched CVE-2026-2603: Disabled SAML IdPs incorrectly allowing IdP-initiated logins
  • Secured CVE-2026-2092: SAML broker encrypted assertion injection vulnerability
Source

SPIRE

SecurityMar 3, 2026

SPIRE v1.14.2 addresses two critical security vulnerabilities in server node attestor plugins that could enable SSRF attacks and CPU exhaustion.

  • securityUpgrade immediately to patch critical vulnerabilities

    Two security issues affect SPIRE servers using http_challenge or x509pop attestors. The SSRF vulnerability lets attackers redirect servers to unauthorized domains and extract response data. The x509pop DoS vulnerability allows CPU exhaustion attacks. Update to v1.14.2 immediately if you use either attestor plugin.

Key changes (3)
  • Fixed SSRF vulnerability in http_challenge server node attestor plugin
  • Resolved CPU exhaustion issue in x509pop server node attestor plugin
  • Both vulnerabilities could be exploited by attackers during node attestation
Source

SPIRE

SecurityMar 3, 2026

SPIRE v1.13.4 fixes two critical security vulnerabilities in node attestor plugins that could enable SSRF attacks and CPU exhaustion attacks.

  • securityUpgrade immediately to patch critical vulnerabilities

    Two severe vulnerabilities affect node attestation security. The http_challenge plugin SSRF flaw lets attackers probe internal networks, while the x509pop plugin can be exploited for DoS attacks. Update to v1.13.4 immediately and audit recent attestation logs for suspicious activity.

  • securityReview node attestor plugin configurations

    If you use http_challenge or x509pop attestor plugins, verify your network security controls and consider temporary restrictions on node attestation endpoints until the upgrade is complete. Monitor CPU usage patterns during attestation processes.

Key changes (4)
  • Fixed SSRF vulnerability in http_challenge server node attestor allowing attackers to redirect server requests
  • Patched CPU exhaustion attack vector in x509pop server node attestor plugin
  • Both vulnerabilities affected the node attestation process used for workload identity verification
  • Security fixes address potential unauthorized access and denial of service scenarios
Source

CRI-O

Kubernetes CoreMar 3, 2026

CRI-O v1.33.10 fixes a critical bug in high performance hook IRQ SMP affinity handling that could cause IRQ interference between containers during late deletion scenarios.

  • securityUpdate immediately if using high performance hooks

    This bug could cause performance degradation or unexpected behavior in high-performance workloads by interfering with IRQ handling between containers. If you're running CRI-O with high performance hooks enabled (typically in HPC or latency-sensitive environments), upgrade immediately to prevent IRQ SMP affinity corruption that occurs during container cleanup.

Key changes (3)
  • Fixed IRQ SMP affinity bug in high performance hooks preventing cross-container interference
  • Resolved issue where late container deletion affected IRQ settings of other containers
  • No dependency changes or new features in this patch release
Source

Karmada

Orchestration & ManagementFeb 28, 2026

Karmada v1.15.6 is a critical bug-fix release addressing race conditions, scheduler panics, and CronFederatedHPA failures that could impact production stability.

  • securityBase image security update included

    Alpine base image updated to 3.23.3 which may include security patches. Review your container scanning results after upgrade and update any custom images based on Karmada components.

  • breakingCritical scheduler stability fixes require immediate update

    The scheduler panic fix and backoff queue corrections address critical stability issues that could cause service disruptions. Plan immediate upgrade for production environments running multi-cluster workloads with spread constraints or high scheduling volumes.

  • enhancementCronFederatedHPA reliability improvements

    If using CronFederatedHPA for autoscaling, this release fixes scale-up failures when replicas field is missing. Update to ensure consistent autoscaling behavior across your federated deployments.

Key changes (5)
  • Fixed job status aggregator race condition preventing error loops
  • Resolved CronFederatedHPA scale-up failures when replicas field is missing
  • Corrected graceful eviction task timing issues with GracePeriodSeconds
  • Fixed scheduler panic from divide-by-zero errors in spread constraints
  • Improved backoff queue sorting to prevent priority inversion issues
Source

Vitess

Storage & DataFeb 27, 2026

Security-focused release addressing two critical CVEs related to backup MANIFEST file vulnerabilities that could allow arbitrary command execution and path traversal attacks.

  • securityImmediate upgrade required for CVE-2026-27965 and CVE-2026-27969

    Two critical CVEs allow attackers with backup storage write access to execute arbitrary commands and perform path traversal attacks. Upgrade immediately to v22.0.4 and review backup storage access controls to ensure only trusted entities have write permissions.

  • securityAudit and secure backup storage access

    Since these vulnerabilities require write access to backup storage, review who has write permissions to your backup locations. Implement proper access controls and consider using immutable backup storage where possible to prevent tampering.

  • breakingUpdate VTTablet configuration if using MANIFEST-based decompressors

    External decompressor commands from MANIFEST files are ignored by default. If your restore process relies on this behavior, add the --external-decompressor-use-manifest flag to your VTTablet configuration, but understand this reintroduces security risks.

Key changes (4)
  • External decompressor commands from backup MANIFEST files are no longer used by default
  • Path traversal attacks via MANIFEST file modifications are now prevented
  • New --external-decompressor-use-manifest flag added for explicit opt-in to MANIFEST-based decompressor
  • 37 merged pull requests with security-focused improvements
Source

Vitess

Storage & DataFeb 27, 2026

Vitess v23.0.3 is a critical security release addressing two CVEs related to backup restore vulnerabilities, with breaking changes to external decompressor handling.

  • securityImmediate Upgrade Required for Backup Security

    This release fixes critical vulnerabilities (CVE-2026-27965, CVE-2026-27969) that allow attackers with backup storage write access to execute arbitrary commands or perform path traversal attacks. Upgrade immediately if you use Vitess backups, especially in environments where backup storage might be compromised. Review backup storage access controls and audit recent backup operations for suspicious activity.

  • breakingUpdate VTTablet Configuration for External Decompressors

    If your backup/restore process relies on external decompressors defined in MANIFEST files, you must add the --external-decompressor-use-manifest flag to your VTTablet configuration. Without this flag, restores will fail if they depend on MANIFEST-specified decompressors. Review your backup strategy and explicitly configure decompressor commands instead of relying on MANIFEST files for better security.

  • enhancementStrengthen Backup Security Posture

    Take this opportunity to review and harden your backup security practices. Implement strict access controls on backup storage, use dedicated service accounts with minimal permissions, and consider encrypting backup storage. The new security model provides better isolation but requires explicit configuration of decompression tools rather than trusting backup metadata.

Key changes (5)
  • External decompressor commands from backup MANIFEST files are no longer used by default during restore
  • Added --external-decompressor-use-manifest flag to explicitly opt into MANIFEST-based decompressor usage
  • Implemented path traversal protection to prevent arbitrary file writes during backup restore
  • Fixed CVE-2026-27965 and CVE-2026-27969 related to backup security vulnerabilities
  • 22 merged pull requests focused on security improvements
Source

Kubernetes

Kubernetes CoreFeb 26, 2026

Kubernetes v1.32.13 is a patch release focused on bug fixes and security improvements for the stable v1.32 series, maintaining backward compatibility.

  • securityApply Security Patch Immediately

    This patch release likely includes critical security fixes. Schedule immediate upgrades for production clusters, especially if you're running earlier v1.32.x versions. Test in staging first, then roll out to production with standard maintenance windows.

  • enhancementUpdate Container Images and Binaries

    Pull the latest v1.32.13 container images and update node binaries across your infrastructure. This is a straightforward in-place upgrade that maintains API compatibility. Update your CI/CD pipelines to reference the new image tags.

  • enhancementVerify Multi-Architecture Support

    If running mixed-architecture clusters, ensure all architectures (amd64, arm64, ppc64le, s390x) are updated consistently. The manifest lists support automatic architecture selection, but verify your deployment automation handles this correctly.

Key changes (5)
  • Patch release in the v1.32 stable series with bug fixes and security improvements
  • Updated container images available across all supported architectures (amd64, arm64, ppc64le, s390x)
  • Client, server, and node binaries updated for all supported platforms including Windows
  • Maintained API compatibility with existing v1.32.x deployments
  • Standard Kubernetes component updates (kube-apiserver, kube-controller-manager, kube-proxy, kubelet)
Source

cert-manager

SecurityFeb 24, 2026

cert-manager v1.18.6 is a security-focused patch release primarily addressing CVE-2025-68121 through Go runtime updates, with no functional changes to certificate management operations.

  • securityUpdate to v1.18.6 for CVE-2025-68121 mitigation

    This release patches a Go runtime vulnerability (CVE-2025-68121) that could affect cert-manager security. Plan an upgrade within your standard maintenance window as this is a drop-in replacement with no configuration changes required. Test in non-production first, then roll out to production clusters.

  • enhancementSafe upgrade path for production workloads

    Since this is purely a security patch with no functional changes, you can upgrade with confidence using your existing deployment processes. The update maintains full backward compatibility, making it suitable for automated deployment pipelines without additional testing overhead.

Key changes (4)
  • Go runtime updated to address CVE-2025-68121 security vulnerability
  • CVE-2026-24051 left unpatched as it only affects macOS environments
  • Pure security patch with no breaking changes or new features
  • Maintains compatibility with existing cert-manager deployments
Source

Knative

Orchestration & ManagementFeb 24, 2026

Knative v1.21.1 is a patch release that rebuilds v1.21.0 with Kubernetes v1.25.7 and provides advance notice of upcoming security defaults changes in v1.22.

  • securityPrepare for enhanced pod security posture

    Review your container images and workloads that run as root. The upcoming AllowRootBounded setting restricts root access while maintaining compatibility. Audit your applications now and consider migrating away from root execution where possible for better security alignment.

  • breakingTest workloads for v1.22 security changes now

    The secure-pod-defaults will change from disabled to AllowRootBounded in v1.22. Test your workloads with this setting enabled now. If incompatible, explicitly set secure-pod-defaults to disabled in your configuration before upgrading to v1.22 to avoid service disruptions.

Key changes (4)
  • Rebuilt with Kubernetes v1.25.7 for compatibility and stability
  • secure-pod-defaults remains disabled by default in v1.21.1
  • Future v1.22 release will change secure-pod-defaults to AllowRootBounded by default
  • AllowRootBounded setting provides better security while maintaining compatibility with root-requiring images
Source

OpenFGA

SecurityFeb 23, 2026

OpenFGA v1.11.6 enables ListObjects pipeline by default for improved performance, upgrades gRPC client implementation, and addresses a security vulnerability in grpc-health-probe.

  • securityUpdate deployments using grpc-health-probe

    If you're using grpc-health-probe for health checks in your OpenFGA deployments, this update addresses CVE-2025-68121. Verify your container images are pulling the latest version and update any standalone grpc-health-probe binaries.

  • enhancementTest ListObjects pipeline performance impact

    The new default ListObjects pipeline algorithm may improve query performance but could change behavior. Monitor your ListObjects API calls after upgrade and be prepared to disable it with listObjects-pipeline-enabled=false if you encounter issues.

Key changes (3)
  • ListObjects pipeline algorithm now enabled by default (can be disabled with listObjects-pipeline-enabled=false)
  • Migration from deprecated grpc.DialContext to grpc.NewClient for grpc-gateway client
  • Security update: grpc-health-probe bumped to v0.4.45 addressing CVE-2025-68121
Source

KubeVirt

Orchestration & ManagementFeb 23, 2026

KubeVirt v1.7.1 delivers critical bug fixes for live migration, volume hotplug, and VM snapshot operations, along with enhanced monitoring capabilities and security updates.

  • securityUpdate to address crypto dependency vulnerabilities

    The golang.org/x/crypto dependency was updated to v0.45.0 to address security issues. Plan to upgrade to this version promptly, especially in production environments handling sensitive workloads, as crypto vulnerabilities can impact VM security.

  • breakingCross-vendor migration prevention requires review

    KubeVirt now prevents cross-vendor migrations which may break existing workflows that rely on migrating VMs between different infrastructure providers. Review your migration patterns and ensure source and target nodes use compatible virtualization stacks.

  • enhancementImplement ephemeral volume monitoring

    New metrics and alerts for ephemeral hotplug volumes improve operational visibility. Configure your monitoring stack to capture these new metrics and set up alerts for ephemeral volume lifecycle events to better track resource usage and potential issues.

Key changes (6)
  • Fixed decentralized live migration issues between volumes with different volumeModes
  • Resolved block volume hotplug breaking autoattachVSOCK functionality
  • Added ephemeral hotplug volume metrics and alerts for better monitoring
  • Fixed missing migration metrics that impacted observability
  • Updated security dependencies including golang.org/x/crypto to v0.45.0
  • Enhanced VM export functionality to work with PVCs from completed pods
Source

Contour

Networking & MessagingFeb 20, 2026

Contour v1.33.2 is a maintenance release that fixes a critical HTTPProxy status update bug, upgrades Go to v1.25.7, and improves CPU allocation for the shutdown-manager container.

  • securityUpgrade for Go security patches

    Go v1.25.7 includes security fixes and performance improvements. Schedule an upgrade to benefit from these updates, especially if you're running production workloads with previous Contour versions.

  • breakingFix HTTPProxy status update issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, this release fixes the CRD schema issue. Upgrade immediately if you rely on status fields for monitoring or automation.

  • enhancementImproved Gateway Provisioner performance

    The increased CPU limit for shutdown-manager prevents throttling issues. If you're using Contour Gateway Provisioner and experiencing slow shutdown operations, this upgrade will improve performance.

Key changes (4)
  • Go runtime updated to v1.25.7 for latest security and performance improvements
  • Fixed HTTPProxy CRD schema bug causing load balancer status update failures
  • Increased shutdown-manager CPU limit from 50m to 200m in Gateway Provisioner to prevent throttling
  • Maintains compatibility with Kubernetes versions 1.32 through 1.34
Source

Contour

Networking & MessagingFeb 20, 2026

Contour v1.32.3 is a maintenance release that updates Go runtime to v1.24.13 and fixes a critical CRD schema bug preventing load balancer status updates.

  • securityUpdate for Go Security Fixes

    Go v1.24.13 includes security patches. Schedule upgrade to v1.32.3 during your next maintenance window to benefit from runtime security improvements and bug fixes.

  • breakingFix Load Balancer Status Issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, upgrade immediately. The CRD schema fix resolves status reporting issues that could affect traffic routing visibility and monitoring.

Key changes (4)
  • Go runtime updated to v1.24.13 with security fixes and improvements
  • Fixed HTTPProxy CRD schema bug that incorrectly marked status.loadBalancer.ingress[].ports[].error as required field
  • Resolved load balancer status update failures affecting ingress traffic routing
  • Maintained compatibility with Kubernetes versions 1.31 through 1.33
Source

Contour

Networking & MessagingFeb 20, 2026

Contour v1.31.4 is a patch release addressing a critical load balancer status update bug and updating Go to v1.24.13 for security and stability improvements.

  • securityUpgrade for Go security patches

    Go v1.24.13 includes security fixes that improve runtime security. Plan to upgrade Contour to v1.31.4 during your next maintenance window to benefit from these security improvements.

  • enhancementFix load balancer status reporting issues

    If you've experienced failures in load balancer status updates with HTTPProxy resources, this release resolves the CRD schema issue. Upgrade to restore proper status reporting functionality, especially important for automation and monitoring systems that depend on load balancer status.

Key changes (4)
  • Go runtime updated to v1.24.13 for security and performance improvements
  • Fixed HTTPProxy CRD schema bug causing load balancer status update failures
  • Maintains compatibility with Kubernetes 1.30-1.32
  • Focused on stability improvements with no breaking changes
Source

Keycloak

SecurityFeb 20, 2026

Keycloak 26.5.4 is a critical security patch release addressing 5 CVEs including SAML vulnerabilities and authorization bypass issues. Includes performance improvements and cluster stability fixes.

  • securityImmediate upgrade required for multiple CVEs

    This release fixes 5 CVEs including authorization bypass and DoS vulnerabilities. Review your SAML configurations and Docker registry protocol usage. Schedule immediate upgrade during next maintenance window, especially if using SAML brokering or have Docker registry integrations.

  • securityVerify client secret exposure in configurations

    CVE fix addresses client secret disclosure on unauthenticated endpoints. After upgrade, audit your client configurations and rotate any potentially exposed secrets. Review access logs for unauthorized config endpoint access.

  • enhancementOptimize cluster performance post-upgrade

    New session ID key affinity and improved caching will enhance performance in clustered deployments. Monitor login page response times and cluster stability after upgrade - you should see reduced database queries and better load distribution.

Key changes (5)
  • Fixed 5 critical CVEs including SAML response delays, authorization header parsing bypass, and DoS vulnerabilities
  • Resolved client secret information disclosure on unauthenticated config endpoints
  • Enhanced session ID key affinity mechanism for improved load balancing
  • Fixed cluster rejoining issues with 3+ node configurations using jdbc-ping
  • Improved database query caching performance on login page loads
Source

Kyverno

SecurityFeb 19, 2026

Kyverno v1.17.1 is a focused patch release fixing a CVE, multiple crash/panic conditions, race conditions, and image verification bugs that could silently misbehave in production.

  • securityPatch CVE-2025-68121 now

    CVE-2025-68121 is fixed in this release. Details on scope are limited in the notes, but any CVE fix in an admission controller warrants immediate attention. If you're on v1.17.0, upgrade to v1.17.1 before doing anything else. Don't wait for your next maintenance window.

  • breakingVerify your policy exclusion rules if you use empty lists

    A bug was fixed where an empty list in a policy exclusion would silently exclude ALL resources instead of none. If you have any ClusterPolicy or Policy with exclusion blocks, audit them now. If you were unknowingly relying on empty-list-as-exclude-all behavior (unlikely but possible), your policies will now behave correctly — meaning resources that were previously skipped will now be evaluated.

  • enhancementImage verification with TSA and private registries is now reliable

    Two separate ivpol fixes land here: signed timestamp verification is now correctly enabled when a TSACertChain is provided, and private registry secrets in the Kyverno namespace are now used during background report scanning. If you've been seeing unexpected verification failures in background scans or with TSA-based signature policies, upgrade and re-run your report scans to get accurate results.

Key changes (5)
  • CVE-2025-68121 patched — update immediately if running v1.17.0
  • Panic fixed in metrics wrapper when generate response returns no result — previously could crash the controller
  • Race conditions eliminated in configuration.IsExcluded() and ReportsBreaker — affected correctness under concurrent load
  • Image verification (ivpol) fixes: private registry auth now works in reports scanner, multi-signature annotation validation bug resolved, and TSA signed timestamp verification enabled when cert chain is provided
  • Empty list in policy exclusion no longer silently excludes all resources — a subtle but dangerous behavioral bug
Source

Fluentd

ObservabilityFeb 19, 2026

Fluentd v1.19.2 delivers critical bug fixes for socket leaks and connection timeouts, with Ruby 4.0 compatibility improvements. Priority fix for production stability issues affecting out_forward and HTTP server plugins.

  • securityUpgrade immediately to fix socket leak vulnerability

    HTTP server plugin had socket leaks in POST requests that could lead to resource exhaustion. This is a critical fix for production environments using HTTP input plugins. Update immediately and monitor socket usage after deployment.

  • breakingUpdate out_forward configurations for timeout handling

    The out_forward plugin now properly handles connection timeouts to prevent infinite loops. Review your forward output configurations and monitor for any connection behavior changes, especially in high-throughput environments where connection stability is critical.

  • enhancementPrepare for Ruby 4.0 migration

    This release adds Ruby 4.0 compatibility with updated gem dependencies including ostruct and net-http. Plan your Ruby upgrade path and test this version in staging environments if you're planning to move to Ruby 4.0.

Key changes (5)
  • Fixed out_forward plugin timeout issue preventing infinite connection loops
  • Resolved socket leaks in HTTP server plugin POST requests
  • Fixed in_tail plugin errors when encountering unreadable files in glob patterns
  • Added Ruby 4.0 compatibility with updated gem dependencies
  • Fixed duplicate config file loading in config_include_dir
Source

Strimzi

Networking & MessagingFeb 19, 2026

Strimzi 0.50.1 is a critical security patch addressing two CVEs affecting versions 0.47.0+, with mandatory CRD upgrades and final support for Kubernetes 1.27-1.29.

  • securityImmediate upgrade required for CVE fixes

    If running Strimzi 0.47.0 or newer, immediately review the CVE advisories and upgrade to 0.50.1. These are critical security vulnerabilities that require urgent patching in production environments.

  • breakingUpdate KafkaUser resources before upgrading

    Before upgrading, update all KafkaUser resources to use .spec.authorization.acls[]operations field instead of the deprecated .spec.authorization.acls[]operation field to avoid compatibility issues.

  • breakingPlan Kubernetes upgrade for Strimzi 0.51+

    This is the final version supporting Kubernetes 1.27-1.29. Plan to upgrade your clusters to Kubernetes 1.30+ before upgrading to Strimzi 0.51.0 or newer to maintain compatibility.

Key changes (5)
  • Fixes two critical security vulnerabilities CVE-2026-27133 and CVE-2026-27134 affecting Strimzi 0.47.0+
  • Includes full CA chain in broker certificates for improved TLS certificate validation
  • Fixes bugs in v1 API conversion tool for number conversions and empty YAML handling
  • Last version supporting Kubernetes 1.27, 1.28, and 1.29 - future versions require K8s 1.30+
  • Continues migration to v1 APIs with mandatory CRD upgrades, especially critical for Helm users
Source

Notary Project

SecurityApr 27, 2025

Notation v1.3.2 is a targeted security patch backported to the 1.3 branch, addressing CVE-2025-30204 in the golang-jwt dependency.

  • securityPatch CVE-2025-30204 by upgrading to v1.3.2 now

    CVE-2025-30204 is a vulnerability in golang-jwt that can allow attackers to bypass JWT validation. If you're running any 1.3.x release of Notation, upgrade to v1.3.2 immediately — this is the sole reason this patch release exists. If you're on v1.4+, verify your version already includes the fix before assuming you're safe.

  • enhancementUse this release as a low-risk upgrade path if you're pinned to 1.3

    Teams that can't yet move to the latest major line can take v1.3.2 without worrying about behavioral changes — the diff is narrow and confined to the JWT dependency bump plus minor cleanups. It's a safe, no-surprises drop-in for any 1.3.x deployment.

Key changes (3)
  • CVE-2025-30204 patched via golang-jwt dependency update
  • Backport from main branch to release-1.3 for users not yet on v1.4+
  • Minor code and documentation cleanups alongside the security fix
Source
← Newer