Security patch release upgrading Go to 1.26.4, fixing two stdlib vulnerabilities affecting OPA's HTTP handler and crypto builtins. No code changes from v1.17.0.
securityUpgrade to v1.17.1 immediately if using OPA's HTTP server or crypto builtins
Two Go stdlib vulnerabilities (GO-2026-5039, GO-2026-5037) hit the HTTP handler and crypto builtins directly. If you run OPA as a server or use crypto-related Rego builtins, you're exposed on v1.17.0 and earlier. Drop-in replace with v1.17.1 — no config or policy changes needed. If you build your own OPA binaries, bump your Go toolchain to 1.26.4 yourself; this release doesn't change anything else.
Key changes (4)
- Go runtime upgraded from 1.26.3 to 1.26.4
- Fixes GO-2026-5039: stdlib vulnerability in OPA's HTTP handler
- Fixes GO-2026-5037: stdlib vulnerability in OPA's crypto builtins
- Zero functional changes from v1.17.0 — pure security patch