RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

cert-manager

Security2026年4月21日

Pure security patch: Go runtime bumped to 1.23.9 and vulnerable dependencies updated. No functional changes — upgrade is the only action needed.

  • securityUpgrade to v1.19.5 immediately — this is a pure CVE fix

    The cert-manager team explicitly recommends all users upgrade. The changes are limited to Go runtime and dependency bumps, so there is no functional risk in upgrading. If you are on any v1.19.x release, this is a straight swap with no migration steps. Check your deployment method (Helm, static manifests, OperatorHub) and roll it out to all clusters. Delaying leaves your cert-manager pods running with known vulnerable Go packages.

主な変更 (3)
  • Go runtime upgraded from an older 1.23.x to 1.23.9 to address multiple CVEs in the Go toolchain
  • Third-party Go dependencies with reported vulnerabilities bumped to patched versions
  • No API, behavioral, or configuration changes — drop-in replacement for v1.19.x
原文

Kubescape

Security2026年4月17日

Kubescape v4.0.5 is a routine maintenance release: Go toolchain update plus dependency bumps. No new features or bug fixes.

  • securityUpgrade to pick up Go runtime and dependency CVE fixes

    Go version bumps often patch stdlib vulnerabilities (e.g., net/http, crypto) that affect compiled binaries. If you're running Kubescape as a cluster component or in CI pipelines, pull this update. Check your current version with 'kubescape version' and replace the binary or update your container image tag. Low effort, low risk.

  • enhancementPin to this patch version in your automation

    If you're using Kubescape in CI/CD security scanning pipelines, update your pinned version to v4.0.5 to stay current with the dependency graph. This is especially relevant if your org has SCA tooling that flags transitive dependency staleness in scan tooling itself — a common audit finding.

主な変更 (3)
  • Go version updated to address potential toolchain-level vulnerabilities and compatibility
  • Dependency versions bumped across go.mod/go.sum
  • No functional changes, API changes, or new features introduced
原文

Kubescape

Security2026年4月17日

v4.0.4 is a dependency maintenance release with security-relevant library bumps across gRPC, go-git, cloudflare/circl, go-jose, and hashicorp/go-getter, plus minor CLI bug fixes.

  • securityUpgrade immediately due to security-sensitive dependency updates

    Several updated libraries — hashicorp/go-getter, cloudflare/circl, go-jose, and go-git — have histories of CVEs covering path traversal, cryptographic weaknesses, and JWT attacks. While Kubescape's release notes don't call out specific CVEs, the jump from go-getter 1.7.9 to 1.8.6 and go-git 5.16.5 to 5.17.1 are both large version gaps. If you run Kubescape in CI pipelines or as part of automated scanning, update to v4.0.4 now rather than waiting for a scheduled maintenance window.

  • enhancementHelm 3.20.2 and gRPC 1.79.3 bring compatibility improvements

    The Helm SDK bump to 3.20.2 means Kubescape's chart scanning logic stays aligned with current Helm releases. If your clusters use recent Helm chart features, earlier Kubescape versions may have produced incomplete or inaccurate scan results. Rerun chart-level scans after upgrading to confirm coverage.

  • enhancementFix for duplicate flags in `scan image` — check any wrapper scripts

    If you have shell scripts or CI configs that pass flags explicitly to `kubescape scan image`, the duplicate-flag bug could have caused unexpected behavior or silent flag ignoring. After upgrading, verify your pipeline invocations still produce expected output.

主な変更 (5)
  • hashicorp/go-getter bumped from 1.7.9 to 1.8.6 — this library has a history of security CVEs around path traversal and SSRF
  • cloudflare/circl updated from 1.6.1 to 1.6.3, addressing cryptographic library fixes
  • go-jose/go-jose updated to 4.1.4, patching JWT/JWE handling issues
  • go-git bumped to 5.17.1 — prior versions had known git protocol vulnerabilities
  • Duplicate CLI flags removed from `scan image` subcommand, and error handling improved
原文

Keycloak

Security2026年4月15日

26.6.1 is a security patch release fixing two CVEs — blind SSRF and user enumeration — plus a critical migration bug that broke authentication flows when upgrading from older versions.

  • securityPatch immediately for SSRF and user enumeration CVEs

    Two CVEs in 26.6.0 (and earlier) need your attention. CVE-2026-4366 allows blind SSRF through HTTP redirect handling — a real risk if Keycloak can reach internal services. CVE-2026-4633 leaks user existence through identity-first login, which aids credential stuffing. Upgrade to 26.6.1 now. If you can't upgrade immediately, consider disabling identity-first login as a short-term mitigation for CVE-2026-4633.

  • breakingIf you upgraded to 26.6.0, check your custom authentication flows immediately

    The MigrateTo26_6_0 migration script had a bug that modified custom browser flows, potentially breaking realm authentication silently. If you upgraded to 26.6.0 and noticed login failures or unexpected flow behavior, this is why. Upgrading to 26.6.1 fixes the migration, but you may need to manually review and repair any already-affected custom flows in your realms. Audit them before upgrading in production.

  • breaking26.6.0 JS/Java admin clients were broken — use 26.6.1 packages

    Both @keycloak/keycloak-admin-client (JS) and the Java admin client had packaging issues in 26.6.0 that prevented installation or sync. If your pipelines or applications depend on these libraries and you pinned to 26.6.0, they are likely broken. Update your dependency references to 26.6.1 immediately.

主な変更 (5)
  • CVE-2026-4366: Blind SSRF via HTTP redirect handling in core — attackers could probe internal network resources
  • CVE-2026-4633: User enumeration via identity-first login — leaks whether usernames exist in the system
  • MigrateTo26_6_0 bug fixed: upgrading to 26.6.0 was silently corrupting custom browser authentication flows in existing realms
  • Infinite redirect loop fixed when IdP returns access_denied with kc_idp_hint set
  • Database at-rest encryption support added; CloudNativePG operator updated to 1.29
原文

OpenFGA

Security2026年4月14日

OpenFGA v1.14.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

cert-manager

Security2026年4月11日

Patch release fixing a Helm chart YAML generation bug when webhook.config and webhook.volumes are both set, plus Go 1.26.2 upgrade to address dependency vulnerabilities.

  • securityDependency vulnerabilities patched — upgrade to get the fixes

    The Go runtime and dependencies were bumped specifically to address reported CVEs. The release notes don't call out specific CVE IDs, but don't let that slow you down — cert-manager sits in a privileged position in your cluster handling certificate issuance, so keeping it current on security patches is non-negotiable. Schedule an upgrade in your next maintenance window.

  • breakingUpgrade immediately if you use both webhook.config and webhook.volumes

    If your Helm values set both webhook.config and webhook.volumes, the chart has been generating invalid YAML — meaning your webhook may have silently deployed with incorrect configuration. Upgrade to v1.20.2 and redeploy, then verify the webhook pod is running with the expected volume mounts and config.

主な変更 (3)
  • Fixed invalid YAML output in Helm chart when both webhook.config and webhook.volumes are defined simultaneously
  • Go runtime bumped to 1.26.2
  • Go dependencies updated to resolve reported vulnerabilities
原文

OpenFGA

Security2026年4月10日

v1.14.1 patches a host-header poisoning vulnerability in AuthZEN discovery and removes a vulnerable Docker dependency, plus minor ListObjects performance gains.

  • securityPatch the AuthZEN host-header poisoning vulnerability now

    The AuthZEN well-known discovery endpoint was returning URLs built from the request's Host header. An attacker could poison this to redirect clients to a malicious endpoint. If you expose the AuthZEN discovery metadata publicly, upgrade to v1.14.1 immediately. No config change needed — the fix is automatic once upgraded, as long as authzen.baseURL is correctly set in your server config.

  • securityAudit your image builds if you ship the OpenFGA test binary

    The github.com/docker/docker package carries known CVEs and was only used in test code. Production builds are unaffected, but if your pipeline somehow includes test binaries or vendor directories in container images, verify they no longer include the vulnerable package after upgrading.

  • enhancementSet an explicit server shutdown timeout for Kubernetes workloads

    The new shutdown timeout config option lets you control how long OpenFGA waits to drain in-flight requests before exiting. Without this, abrupt shutdowns can cause request errors during pod restarts. Set this to slightly less than your Kubernetes terminationGracePeriodSeconds to ensure clean handoff.

主な変更 (5)
  • Security fix: AuthZEN discovery metadata now uses configured baseURL instead of request-supplied host headers, closing a host-header poisoning attack vector
  • Removed vulnerable github.com/docker/docker test dependency, replaced with Moby client & API
  • Configurable server shutdown timeout added — useful for graceful drain in Kubernetes environments
  • ListObjects heap allocations reduced, yielding minor but real latency improvements
  • Cache key generation faster by dropping fmt usage and extending control-character sanitization to tuples, conditions, and context
原文

Falco

Security2026年4月9日

Falco 0.43.1 is a minimal patch release bumping libs to 0.23.2 and the container plugin to 0.6.4. No functional changes, no bug fixes — purely a dependency update.

  • enhancementUpdate if you care about container plugin fixes in 0.6.4

    This release exists primarily to ship the container plugin 0.6.4 update alongside libs 0.23.2. If your environment relies on container metadata enrichment in Falco rules, check the container plugin 0.6.4 changelog for fixes that may affect your alerting fidelity. Otherwise, upgrading from 0.43.0 is low risk and low urgency — treat it as a routine dependency bump.

主な変更 (4)
  • libs bumped from previous version to 0.23.2
  • container plugin bumped to 0.6.4
  • driver remains at 9.1.0+driver
  • single merged PR, all user-facing
原文

SPIRE

Security2026年4月8日

SPIRE v1.14.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

SPIRE

Security2026年4月8日

SPIRE v1.13.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Keycloak

Security2026年4月8日

Keycloak 26.6.0 graduates several preview features to fully supported — JWT Authorization Grant, Federated Client Auth, Workflows, and zero-downtime patch releases — while fixing a notable set of security bugs across UMA, SCIM, and Organizations.

  • securityPatch SCIM and UMA vulnerabilities immediately

    Two separate SCIM bugs allowed IDOR-style resource modification and authorization bypass in group management. UMA permission grant accepted expired ID tokens and tokens issued to other clients. These are fixed in 26.6.0. If you use SCIM or UMA, upgrade now — no config change needed, but verify your SCIM plugin/extension is compatible with the new validation.

  • breakingSwitch to KCRAW_ prefix if secrets contain $ characters

    If you inject passwords or secrets via environment variables and they contain $ characters (e.g., from a secrets manager), the KC_ prefix silently mangles them via SmallRye expression evaluation. Use KCRAW_<KEY> instead of KC_<KEY> to preserve literal values. Audit your current env var injection before upgrading — any secrets with ${ or $$ patterns may have been silently broken in prior versions.

  • enhancementEnable zero-downtime rolling updates in your Operator deployments

    Zero-downtime patch releases are now on by default. If you run Keycloak via the Operator, explicitly set the update strategy to Auto to benefit. Also review the new graceful HTTP shutdown defaults (1s delay, 1s timeout) — adjust these upward if your reverse proxy takes longer to drain connections, especially in non-Kubernetes setups with longer-lived connections.

主な変更 (7)
  • JWT Authorization Grant (RFC 7523) and Federated Client Authentication are now GA, enabling external-to-internal token exchange without managing per-client secrets
  • Zero-downtime patch releases are now enabled by default; Operator users should set update strategy to Auto
  • New KCRAW_ environment variable prefix prevents SmallRye from mangling passwords containing $ characters — addresses a silent data-corruption bug
  • UMA permission grant now rejects expired ID tokens and tokens issued to different clients (security fixes #46716, #46717)
  • SCIM IDOR bug fixed: PUT endpoint no longer allows resource modification via body ID override (#46658); SCIM authorization bypass in group management also patched (#47536)
  • OTP and password brute-force protection separated by default to prevent OTP bypass attacks (#46164)
  • Keycloak and KeycloakRealmImport CRDs promoted to v2beta1
原文

OpenFGA

Security2026年4月3日

v1.14.0 fixes a potential deadlock in ListObjects, improves intersection algorithm performance, and adds BatchCheck caching — plus a SQL serialization bug fix that affects PostgreSQL users.

  • securityPostgreSQL users: apply the SQL serialization fix

    The TupleOperation serialization and pgx.ErrNoRows fixes could cause silent data inconsistencies or incorrect error handling in PostgreSQL deployments. If you're running OpenFGA on Postgres, this fix alone justifies upgrading. Verify your tuple write/read behavior post-upgrade.

  • breakingReview CVE-2026-33729 and upgrade immediately

    The changelog explicitly references CVE-2026-33729. The release notes don't detail the full scope, but a CVE update in a patch/minor release demands immediate attention. Upgrade to v1.14.0 now and audit your deployment's exposure before the CVE details become widely known.

  • enhancementListObjects deadlock fix is critical for high-concurrency workloads

    A deadlock in the ListObjects pipeline is the kind of bug that only shows up under real production load. If you use ListObjects extensively — especially with concurrent callers — this fix is essential. After upgrading, stress-test ListObjects under your typical concurrency patterns to confirm stability.

  • enhancementBatchCheck caching reduces authorization latency at scale

    If your application calls BatchCheck repeatedly with overlapping tuples or conditions, the new caching layer will cut latency and backend load. No configuration changes are mentioned, so the benefit should be automatic — but monitor cache behavior through the new tuple iterator query stats to validate the improvement in your environment.

主な変更 (5)
  • Fixed a potential deadlock in the ListObjects pipeline algorithm, improving reliability under concurrent load
  • Intersection algorithm rewritten for lower latency and reduced memory usage
  • BatchCheck results now cached, reducing redundant authorization checks
  • SQL TupleOperation serialization bug and pgx.ErrNoRows error handling fixed for PostgreSQL backends
  • Tuple iterator query stats added for better observability into database query behavior
原文

Keycloak

Security2026年4月2日

26.5.7 is a critical security release patching 7 CVEs, including privilege escalation, redirect URI bypass, and unauthorized cross-user permission grants. Upgrade immediately.

  • securityPatch now — multiple high-severity CVEs in this release

    Seven CVEs are fixed here, spanning privilege escalation (CVE-2026-4282), redirect URI bypass (CVE-2026-3872), cross-user permission injection (CVE-2026-4636), and an unauthenticated DoS via scope processing (CVE-2026-4634). These aren't theoretical — attackers with basic access or even anonymous access could exploit several of these. Upgrade to 26.5.7 as fast as your change process allows. If you use UMA policies or expose the Admin REST API, treat this as an emergency patch.

  • securityAudit Admin REST API access and UMA policy configurations post-upgrade

    CVE-2025-14083 (Admin API info disclosure) and CVE-2026-4636 (UMA cross-user permission grants) suggest that access controls around admin and UMA endpoints were not properly enforced. After upgrading, review which clients and service accounts have Admin REST API access, and audit your UMA resource/policy definitions for unexpected grants. Don't assume the patch alone closes the exposure if misconfigured principals already exploited these paths.

  • enhancementQuarkus upgraded to 3.27.3 — monitor for runtime behavior changes

    The Quarkus runtime bump also pulls in a fix for CVE-2026-1002 (vertx-core static handler cache manipulation causing DoS on static files). If you serve static content through Keycloak or have customized themes, verify those assets load correctly after upgrade. Quarkus minor upgrades occasionally shift default configurations, so a smoke test on your login flows is worth running.

主な変更 (5)
  • CVE-2025-14083: Admin REST API improper access control leaks information to unauthorized callers
  • CVE-2026-4282: Forged authorization codes possible due to SingleUseObjectProvider isolation flaw — privilege escalation risk
  • CVE-2026-3872: Redirect URI validation bypassed via ..;/ path traversal in the OIDC auth endpoint
  • CVE-2026-4636: UMA policy resource injection allows unauthorized cross-user permission grants
  • CVE-2026-4634: Application-level DoS via scope processing — no authentication required to trigger
原文

cert-manager

Security2026年3月27日

v1.20.1 is a targeted patch fixing an OpenShift upgrade blocker, a Gateway API duplicate parentRef bug, and a scanner-flagged gRPC dependency bump.

  • securitygRPC bump is cosmetic — but clear your scanner alerts

    The gRPC dependency was bumped purely to satisfy vulnerability scanners. The reported CVE does not affect cert-manager's code paths. No runtime risk, but if your supply chain tooling (Trivy, Grype, etc.) was flagging v1.20.0, this update will resolve those alerts. Good reason to upgrade, but no urgency beyond scanner hygiene.

  • breakingOpenShift users: upgrade to v1.20.1, skip v1.20.0

    v1.20.0 introduced a regression where the order controller lacked the necessary finalizer RBAC, breaking upgrades on OpenShift due to stricter RBAC enforcement. If you're on OpenShift and held back from v1.20.0, go straight to v1.20.1. If you somehow applied v1.20.0, verify that the ClusterRole for the order controller now includes the issuer finalizer permissions after upgrading.

  • enhancementGateway API users: fix parentRef duplication before it causes routing issues

    If you're using Gateway API integration with cert-manager and specify parent references in both the issuer config and via annotations, v1.20.0 would generate duplicate parentRef entries. This can cause unpredictable behavior depending on your gateway implementation. Upgrading to v1.20.1 resolves this — review any existing certificates using both mechanisms to confirm they're clean post-upgrade.

主な変更 (3)
  • Fixed missing issuer finalizer RBAC on the order controller — OpenShift users were blocked from upgrading to v1.20.0
  • Fixed duplicate parentRef entries in Gateway API when both issuer config and annotations specify parent references
  • Bumped google.golang.org/grpc to silence scanner alerts (no actual exploitable vulnerability in cert-manager's usage)
原文

Open Policy Agent (OPA)

Security2026年3月26日

OPA v1.15.0 adds a pluggable logging system with file rotation, breaks custom HTTPAuthPlugin implementations, and extends AWS signing to support web identity credentials.

  • breakingAudit and fix custom HTTPAuthPlugin implementations before upgrading

    If you've built a custom HTTPAuthPlugin, NewClient() is now called once per Client instance, not per request. Any per-request logic (counters, transport wrapping, logging side effects) sitting in NewClient() will now execute exactly once and silently produce wrong behavior. Before upgrading, audit your plugin and move all per-request logic to Prepare(). OPA's own built-in plugins are already updated, so this only affects teams with custom plugins.

  • enhancementAdopt the file logger plugin to consolidate OPA log management

    The new file_logger plugin writes structured JSON logs with automatic rotation, covering both runtime and decision logs through a single configuration block under server.logger_plugin. If you're currently tailing OPA stdout or piping to an external log shipper, switching to the file logger reduces operational complexity and gives you rotation out of the box. Decision log plugin output via the same logger plugin is a clean alternative to the HTTP bundle endpoint for low-latency environments.

  • enhancementEnable web identity credentials for AWS-backed OPA deployments on EKS

    OPA running on EKS with IRSA (IAM Roles for Service Accounts) can now use Web Identity tokens directly for Assume Role credential flows in AWS Signing. If you've been working around this with instance profile credentials or manual token injection, you can now configure this natively. Update your REST plugin AWS signing config to use the web identity provider and align with standard EKS IAM patterns.

主な変更 (5)
  • New logger plugin interface (based on Go's slog.Handler) lets you route OPA runtime and decision logs to custom destinations, including a built-in file logger with rotation via lumberjack
  • Breaking: HTTPAuthPlugin.NewClient() is now called once and cached — per-request logic there will silently stop working; move it to Prepare()
  • AWS Signing now supports Web Identity (Service Account) credentials for Assume Role flows
  • TLS client cert re-reads are now configurable via cert_reread_interval_seconds, with content hashing to skip unnecessary re-parses
  • All TLS configurations now inherit server-level minimum version and ciphersuite settings — previously per-client TLS configs could diverge
原文

OpenFGA

Security2026年3月24日

OpenFGA v1.13.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

OpenFGA

Security2026年3月23日

OpenFGA v1.13.0 ships AuthZen v1.0 support, separates Check v1/v2 caches, and hardens the resolver pipeline against panics.

  • securityUpgrade to stop resolver panics from taking down the server

    Unhandled panics in the pipeline base resolver previously had the potential to crash the OpenFGA process entirely. The fix converts these to returned errors, keeping the server running. If you've seen unexpected OpenFGA restarts under complex authorization graph evaluations, this is likely why. Upgrade promptly — this is a reliability fix with meaningful availability implications.

  • breakingSeparate Check v1/v2 caches may change cache hit behavior — review your cache sizing

    Previously, Check v1 and v2 shared a single cache, which could lead to cross-contamination but also inadvertent cache hits. Now they're isolated. If you're running both API versions concurrently, your effective cache hit rate may drop and memory usage could shift. Revisit your cache capacity configuration after upgrading and monitor cache hit ratios in your observability stack.

  • enhancementEvaluate AuthZen v1.0 for cross-system authorization interop

    AuthZen v1.0 is the emerging standard for authorization API interoperability across CNCF and broader ecosystem tools. If you're integrating OpenFGA with other policy engines or building a multi-system authz layer, test the new AuthZen endpoint now. Early adoption means your integration patterns align with where the ecosystem is heading rather than needing a retrofit later.

主な変更 (4)
  • AuthZen v1.0 standard implemented — OpenFGA now speaks the CNCF authorization interoperability spec
  • Separate cache layers for Check v1 and Check v2 APIs, preventing cross-version cache pollution
  • Panics in the pipeline's base resolver are now caught and returned as errors instead of crashing the process
  • List-objects span aggregation improved — message stats per sender now roll up into a single trace span for cleaner observability
原文

SPIRE

Security2026年3月19日

SPIRE v1.14.4 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

OpenFGA

Security2026年3月19日

v1.12.1 is a focused maintenance release fixing OTLP endpoint URI parsing and improving ListObjects pipeline internals with Go native channels.

  • breakingOTLP https:// scheme now forces TLS regardless of your config flag

    If you set OTEL_EXPORTER_OTLP_ENDPOINT with an https:// scheme, TLS will be enabled even if trace.otlp.tls.enabled is false. Audit your observability configs before upgrading — any environment using https:// endpoints with TLS explicitly disabled will now have TLS enabled. This is almost certainly the correct behavior, but verify your collector setup accepts TLS connections.

  • enhancementOTLP endpoint URIs with schemes finally work — clean up your workarounds

    Previously, passing a full URI like http://host:4317 to OTEL_EXPORTER_OTLP_ENDPOINT would break because the scheme wasn't stripped before reaching the gRPC exporter. If you've been working around this by omitting the scheme, you can now use standard URI formats. Update your deployment configs and remove any manual scheme-stripping logic.

  • enhancementListObjects performance improvement — no action needed, just upgrade

    Replacing the custom Pipe implementation with Go native channels reduces internal complexity and can improve throughput for ListObjects calls under concurrent load. No API changes, no config changes needed. The tuple validation refactor compounds this. If you're running OpenFGA at scale with heavy ListObjects usage, this patch is worth taking.

主な変更 (4)
  • ListObjects pipeline now uses Go native channels instead of a custom Pipe implementation — cleaner concurrency, better debuggability
  • Tuple validation and manipulation functions refactored for better performance under load
  • grpc-go bumped to v1.79.3 and grpc-health-probe to v0.4.47 — dependency hygiene
  • OTEL_EXPORTER_OTLP_ENDPOINT now correctly handles URIs with schemes like http:// or https://, stripping the scheme before passing to gRPC exporter
原文

Keycloak

Security2026年3月19日

Keycloak 26.5.6 is a critical security release patching 8 CVEs spanning SSRF, token reuse, IDOR, privilege escalation, and multiple information disclosure vulnerabilities. Upgrade immediately.

  • securityPatch all 8 CVEs — upgrade to 26.5.6 now

    This release fixes eight CVEs covering SSRF, token replay, privilege escalation, IDOR, and multiple information disclosure paths. Three of these (SSRF via jwks_uri, privilege escalation via manage-clients, and auth session contamination) are particularly dangerous in multi-tenant or public-facing deployments. There is no workaround — upgrade is the only fix. If you're on any 26.x version, treat this as an emergency patch.

  • securityAudit manage-clients grants and OIDC Dynamic Client Registration usage

    CVE-2026-3121 (privilege escalation via manage-clients) and CVE-2026-1180 (SSRF via jwks_uri in dynamic client registration) both require reviewing your current permission grants and feature flags. After upgrading, audit which users/service accounts hold manage-clients. If you don't use OIDC Dynamic Client Registration, disable it at the realm level to eliminate the SSRF attack surface entirely.

  • breakingVerify Operator DB config and multi-realm startup behavior post-upgrade

    The 26.5.0 Operator regression for DB targetServerType=primary (affecting master-replica failover) and the O(N²) startup scan introduced in 26.5.4 are both fixed here. If you hit either of these bugs, validate your DB connection failover behavior and startup times after upgrading. Large deployments with many realms should see noticeably faster restarts.

主な変更 (6)
  • CVE-2026-1180: Blind SSRF via OIDC Dynamic Client Registration jwks_uri — attackers can probe internal network endpoints
  • CVE-2026-1035: Refresh token reuse bypass via TOCTOU race condition — token replay attacks become possible
  • CVE-2026-3121: Privilege escalation via manage-clients permission — low-privilege users may gain elevated access
  • CVE-2025-14777: IDOR in realm client create/delete — unauthorized cross-realm client manipulation
  • Bug fix: AUTH_SESSION_ID cookie reuse caused cross-user session contamination on re-authentication — a serious data isolation issue
  • Bug fix: O(N²) startup regression with many realms introduced in 26.5.4 is resolved — large deployments were severely impacted
原文

Cloud Custodian

Security2026年3月18日

A broad feature release adding 12+ new AWS resources, new upgrade-available filters for EKS/Elasticsearch, Azure Entra ID resources, and GCP Vertex AI support. Several bug fixes address S3 cache staleness, GuardDuty validation, and IAM user errors.

  • enhancementAudit EKS and Elasticsearch upgrade readiness now

    The new upgrade-available filter for both EKS and Elasticsearch means you can write policies that flag clusters where a newer version exists. If you've been tracking version compliance manually, replace that with a c7n policy using the upgrade-available filter and route matches to notify or tag. Good timing before any end-of-support deadlines.

  • enhancementAdd whitelist_patterns to cross-account filters using deleted principals

    If your cross-account policies flag deleted IAM principals as violations, you've likely been dealing with false positives. The new whitelist_patterns parameter on the cross-account filter lets you skip ARN patterns for known-deleted or transient principals. Review your existing cross-account policies and add patterns for any deleted accounts or service-linked roles you see repeated in output.

  • enhancementAudit Azure Entra ID security posture with new resource types

    Four new Entra ID resource types — conditional-access-policy, authorization-policy, named-location, security-defaults — are now queryable. If you manage Azure security baselines, write policies to check that security defaults are enabled and conditional access policies match your org's requirements. This fills a gap that previously required separate tooling.

主な変更 (5)
  • New upgrade-available filters for EKS and Elasticsearch let you proactively find clusters running outdated versions
  • 12 new AWS resource types added: savings-plan, vpc-lattice-listener, directconnect-gateway, bedrock-inference-profile, transfer-connector, and more
  • Azure Entra ID resources now manageable: conditional-access-policy, authorization-policy, named-location, and security-defaults
  • GCP gains Vertex AI resources (endpoint, batch-prediction-job) and expanded set-labels support across BigQuery, BigTable, KMS, and GCS buckets
  • cross-account filter gets whitelist_patterns to skip deleted IAM principals, and org-id + wildcard joint conditions now handled correctly
原文

SPIRE

Security2026年3月18日

v1.14.3 patches a TLS session resumption bypass that could skip certificate chain validation, plus fixes node cache rebuild and several reliability issues in AWS and federation scenarios.

  • securityUpgrade immediately to fix TLS session ticket bypass

    TLS session resumption on SPIRE Server's TCP endpoint was allowing reconnecting clients to skip SPIFFE certificate chain validation — meaning a client with an expired or revoked cert could potentially reconnect without re-validation against the current trust bundle. This is a meaningful trust boundary violation. Upgrade to v1.14.3 now. No config change needed; the fix disables session tickets server-side automatically.

  • securitySelector data no longer leaks into agent logs

    Selectors can encode workload identity details (e.g., Kubernetes pod labels, Unix UIDs, AWS metadata) that you may not want in logs. Previously, these were logged at agent level. After upgrading, audit your existing log pipelines and retention policies — any historical logs may still contain this data.

  • breakingPQC users must migrate from Kyber draft to X25519MLKEM768

    If you've enabled RequirePQKEM TLS policy, the underlying algorithm changes from the draft x25519Kyber768Draft00 to the standardized X25519MLKEM768. Both peers must be running v1.14.3+ before this takes effect, otherwise TLS handshakes will fail. Plan a coordinated upgrade of agents and server if you're using this policy.

  • enhancementNode cache rebuild fix is critical for long-running agents

    The periodic node cache rebuild was executing only once after startup instead of on its configured interval. Over time, agents in environments with frequent workload changes would serve stale cache data. This is silently fixed in v1.14.3 — no config changes needed, but you should upgrade agents promptly, especially in dynamic environments.

主な変更 (5)
  • TLS session ticket resumption on server TCP endpoints disabled — was allowing connections to bypass SPIFFE certificate chain validation against the current trust bundle
  • Selectors no longer logged at agent level to prevent sensitive info leakage
  • RequirePQKEM policy updated from draft x25519Kyber768Draft00 to standardized X25519MLKEM768
  • Node cache periodic rebuild was silently running only once — now correctly loops at configured interval
  • ReadOnlyEntry.Clone() bug fixed: Admin boolean was bleeding into Downstream field, corrupting authorization metadata for GetAuthorizedEntries/SyncAuthorizedEntries clients
原文

Kubescape

Security2026年3月17日

Kubescape v4.0.3 is a small patch release adding a --grype-db-url flag for offline/airgapped Grype database usage, plus a bug fix for missing host errors and dependency bumps.

  • securitygo-git updated to v5.16.5 — pull this upgrade promptly

    go-git patch releases frequently address vulnerabilities in git protocol parsing. Review the go-git v5.16.5 changelog to confirm whether any CVEs are addressed, and prioritize this upgrade if your Kubescape usage involves scanning git repositories or if you embed Kubescape as a library.

  • breakingMissing host now returns an error — check your error handling

    Previously, a missing host in scan targets silently returned nil instead of an error. If your pipelines or scripts were treating a zero-exit-code as success in these cases, they may now surface failures they were previously ignoring. Test your scan workflows after upgrading to make sure error handling behaves as expected.

  • enhancementUse --grype-db-url for airgapped or private mirror setups

    If you run Kubescape in environments without direct internet access, the new --grype-db-url flag lets you point image scans at an internal Grype DB mirror. Set this in your CI pipelines or operator configs now rather than patching environment variables or workarounds you may have hacked together previously.

主な変更 (5)
  • New --grype-db-url flag on 'kubescape scan' lets you override the default Grype vulnerability database URL
  • Fixed a bug where a missing host did not return a proper non-nil error, which could silently swallow scan failures
  • go-git bumped to v5.16.5 (likely security/bug fixes in git operations)
  • OpenTelemetry SDK bumped to 1.40.0
  • Added debug logging for scanInfo.ListingURL to aid troubleshooting Grype DB fetches
原文

OpenFGA

Security2026年3月13日

OpenFGA v1.12.0 improves operational reliability with automatic TLS certificate rotation, enhanced input validation, and critical race condition fixes.

  • securityUpgrade for Go stdlib vulnerability fixes

    This release addresses two Go standard library vulnerabilities (GO-2026-4603 and GO-2026-4601). Plan your upgrade to eliminate these security risks in production deployments.

  • enhancementConfigure gRPC message size limits

    Review your current message sizes and set appropriate limits using the new configuration option to prevent resource exhaustion attacks and improve system stability.

  • enhancementBenefit from automatic certificate rotation

    If you're using cert-manager or similar certificate rotation tools, this release eliminates connection failures during certificate updates. Test your certificate rotation process after upgrading to verify the improvement.

主な変更 (5)
  • gRPC message size limits now configurable for better resource control
  • HTTP gateway automatically handles TLS certificate rotation without connection failures
  • Tuple validation rejects unicode control characters and null bytes for security
  • Race condition in check reducers fixed to prevent non-deterministic execution
  • Cache metrics corrected to prevent indefinite upward drift on overwrites
原文

cert-manager

Security2026年3月10日

cert-manager v1.20.0 introduces Gateway API ListenerSet support, Azure Private DNS integration, and promotes OtherNames to Beta, while fixing several ACME and DNS-related bugs.

  • securityUpdate for DNS DoS vulnerability fix

    A moderate security issue allowed attackers to cause controller denial-of-service through malformed DNS responses. Update immediately if your cert-manager controllers are exposed to untrusted DNS servers or networks where DNS traffic could be manipulated.

  • breakingContainer UID/GID changes affect security contexts

    Default container user changed from UID 1000 to 65532, and group from GID 0 to 65532. Review your pod security policies, security contexts, and file permissions if you've hardcoded these values or rely on root group access.

  • enhancementEnable Azure Private DNS for internal certificate management

    New Azure Private DNS support allows DNS-01 challenges for private zones. Configure your Azure DNS issuer with private zone settings to manage certificates for internal services without exposing DNS records publicly.

主な変更 (5)
  • Gateway API ListenerSet resource support with experimental feature gate
  • Azure Private DNS zones support for DNS-01 challenges
  • OtherNames feature promoted to Beta and enabled by default
  • Network policy configuration flags across all containers
  • Enhanced Venafi provider with custom fields annotation support
原文

Open Policy Agent (OPA)

Security2026年3月9日

OPA v1.14.1 is a patch release that reverts rule indexer changes causing lookup failures and fixes a plugin manager deadlock, while updating dependencies for security vulnerabilities.

  • securitySecurity updates in dependencies

    This release includes Go 1.26.1 and updated dependencies that patch known vulnerabilities. Schedule this upgrade as part of your regular security maintenance cycle, especially if you're running OPA in production.

  • breakingUpgrade immediately if using v1.14.0

    The rule indexer changes in v1.14.0 cause policy lookup failures for some configurations. Deploy v1.14.1 to restore reliable policy evaluation. The optimization will return in v1.15.0 with proper fixes.

  • enhancementPlugin manager stability improved

    The deadlock fix resolves intermittent hangs during configuration operations. If you've experienced unexplained OPA freezes during plugin configuration, this release should eliminate those issues.

主な変更 (4)
  • Reverted rule indexer optimization from v1.14.0 that caused unexpected policy lookup failures
  • Fixed intermittent deadlock in plugins manager during opa.configure operations
  • Updated Go to version 1.26.1 and refreshed dependency versions
  • Addressed various Golang standard library and package vulnerabilities
原文

Keycloak

Security2026年3月5日

Keycloak 26.5.5 is a critical security release addressing four SAML broker vulnerabilities that could allow authentication bypass and unauthorized access in production environments.

  • securityImmediate upgrade required for SAML users

    These CVEs affect SAML broker configurations and could allow authentication bypass. If you use SAML identity providers or broker functionality, schedule emergency maintenance to upgrade immediately. Review your disabled SAML providers to ensure they're properly secured post-upgrade.

  • securityAudit SAML broker configurations

    After upgrading, verify that disabled SAML identity providers are truly disabled and cannot process authentication requests. Check your IdP-initiated login flows and ensure encryption is working correctly for SAML assertions.

主な変更 (4)
  • Fixed CVE-2026-3047: SAML broker authentication bypass when disabled client completes IdP-initiated login
  • Resolved CVE-2026-3009: Improper enforcement of disabled identity providers in broker service
  • Patched CVE-2026-2603: Disabled SAML IdPs incorrectly allowing IdP-initiated logins
  • Secured CVE-2026-2092: SAML broker encrypted assertion injection vulnerability
原文

SPIRE

Security2026年3月3日

SPIRE v1.14.2 addresses two critical security vulnerabilities in server node attestor plugins that could enable SSRF attacks and CPU exhaustion.

  • securityUpgrade immediately to patch critical vulnerabilities

    Two security issues affect SPIRE servers using http_challenge or x509pop attestors. The SSRF vulnerability lets attackers redirect servers to unauthorized domains and extract response data. The x509pop DoS vulnerability allows CPU exhaustion attacks. Update to v1.14.2 immediately if you use either attestor plugin.

主な変更 (3)
  • Fixed SSRF vulnerability in http_challenge server node attestor plugin
  • Resolved CPU exhaustion issue in x509pop server node attestor plugin
  • Both vulnerabilities could be exploited by attackers during node attestation
原文

SPIRE

Security2026年3月3日

SPIRE v1.13.4 fixes two critical security vulnerabilities in node attestor plugins that could enable SSRF attacks and CPU exhaustion attacks.

  • securityUpgrade immediately to patch critical vulnerabilities

    Two severe vulnerabilities affect node attestation security. The http_challenge plugin SSRF flaw lets attackers probe internal networks, while the x509pop plugin can be exploited for DoS attacks. Update to v1.13.4 immediately and audit recent attestation logs for suspicious activity.

  • securityReview node attestor plugin configurations

    If you use http_challenge or x509pop attestor plugins, verify your network security controls and consider temporary restrictions on node attestation endpoints until the upgrade is complete. Monitor CPU usage patterns during attestation processes.

主な変更 (4)
  • Fixed SSRF vulnerability in http_challenge server node attestor allowing attackers to redirect server requests
  • Patched CPU exhaustion attack vector in x509pop server node attestor plugin
  • Both vulnerabilities affected the node attestation process used for workload identity verification
  • Security fixes address potential unauthorized access and denial of service scenarios
原文

Open Policy Agent (OPA)

Security2026年2月26日

OPA v1.14.0 delivers significant rule indexing improvements for variable assignments and 'x in {...}' expressions, along with H2C Unix domain socket support, enhanced testing output, and various performance optimizations.

  • enhancementOptimize policy performance with improved rule indexing

    The enhanced rule indexing for variable assignments and membership expressions will automatically improve performance for policies using patterns like 'x := input.role; x in {"admin", "user"}'. Review your existing policies to identify similar patterns that will benefit from this optimization without requiring code changes.

  • enhancementEnable H2C with Unix domain sockets for secure local communication

    If you're running OPA in containerized environments or need secure local IPC, use the new '--h2c' flag with Unix domain sockets. This reduces network overhead and improves security for local service-to-service communication patterns.

  • enhancementLeverage custom storage backend API for specialized use cases

    The new custom storage backend registration API enables integration with specialized storage systems. Evaluate if your current storage requirements could benefit from custom backends, particularly for high-performance or compliance-specific storage needs.

主な変更 (6)
  • Enhanced rule indexing for variable assignments and 'x in {...}' expressions improves query performance
  • Added H2C protocol support with Unix domain sockets for 'opa run' command
  • New line number display in test output for better debugging experience
  • Custom storage backend registration API for extensibility
  • Fixed race condition in plugin trigger management
  • Performance improvements in array unification and JSON patch operations
原文

cert-manager

Security2026年2月24日

cert-manager v1.18.6 is a security-focused patch release primarily addressing CVE-2025-68121 through Go runtime updates, with no functional changes to certificate management operations.

  • securityUpdate to v1.18.6 for CVE-2025-68121 mitigation

    This release patches a Go runtime vulnerability (CVE-2025-68121) that could affect cert-manager security. Plan an upgrade within your standard maintenance window as this is a drop-in replacement with no configuration changes required. Test in non-production first, then roll out to production clusters.

  • enhancementSafe upgrade path for production workloads

    Since this is purely a security patch with no functional changes, you can upgrade with confidence using your existing deployment processes. The update maintains full backward compatibility, making it suitable for automated deployment pipelines without additional testing overhead.

主な変更 (4)
  • Go runtime updated to address CVE-2025-68121 security vulnerability
  • CVE-2026-24051 left unpatched as it only affects macOS environments
  • Pure security patch with no breaking changes or new features
  • Maintains compatibility with existing cert-manager deployments
原文

cert-manager

Security2026年2月24日

cert-manager v1.19.4 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

OpenFGA

Security2026年2月23日

OpenFGA v1.11.6 enables ListObjects pipeline by default for improved performance, upgrades gRPC client implementation, and addresses a security vulnerability in grpc-health-probe.

  • securityUpdate deployments using grpc-health-probe

    If you're using grpc-health-probe for health checks in your OpenFGA deployments, this update addresses CVE-2025-68121. Verify your container images are pulling the latest version and update any standalone grpc-health-probe binaries.

  • enhancementTest ListObjects pipeline performance impact

    The new default ListObjects pipeline algorithm may improve query performance but could change behavior. Monitor your ListObjects API calls after upgrade and be prepared to disable it with listObjects-pipeline-enabled=false if you encounter issues.

主な変更 (3)
  • ListObjects pipeline algorithm now enabled by default (can be disabled with listObjects-pipeline-enabled=false)
  • Migration from deprecated grpc.DialContext to grpc.NewClient for grpc-gateway client
  • Security update: grpc-health-probe bumped to v0.4.45 addressing CVE-2025-68121
原文

Keycloak

Security2026年2月20日

Keycloak 26.5.4 is a critical security patch release addressing 5 CVEs including SAML vulnerabilities and authorization bypass issues. Includes performance improvements and cluster stability fixes.

  • securityImmediate upgrade required for multiple CVEs

    This release fixes 5 CVEs including authorization bypass and DoS vulnerabilities. Review your SAML configurations and Docker registry protocol usage. Schedule immediate upgrade during next maintenance window, especially if using SAML brokering or have Docker registry integrations.

  • securityVerify client secret exposure in configurations

    CVE fix addresses client secret disclosure on unauthenticated endpoints. After upgrade, audit your client configurations and rotate any potentially exposed secrets. Review access logs for unauthorized config endpoint access.

  • enhancementOptimize cluster performance post-upgrade

    New session ID key affinity and improved caching will enhance performance in clustered deployments. Monitor login page response times and cluster stability after upgrade - you should see reduced database queries and better load distribution.

主な変更 (5)
  • Fixed 5 critical CVEs including SAML response delays, authorization header parsing bypass, and DoS vulnerabilities
  • Resolved client secret information disclosure on unauthenticated config endpoints
  • Enhanced session ID key affinity mechanism for improved load balancing
  • Fixed cluster rejoining issues with 3+ node configurations using jdbc-ping
  • Improved database query caching performance on login page loads
原文

Kyverno

Security2026年2月19日

Kyverno v1.17.1 is a focused patch release fixing a CVE, multiple crash/panic conditions, race conditions, and image verification bugs that could silently misbehave in production.

  • securityPatch CVE-2025-68121 now

    CVE-2025-68121 is fixed in this release. Details on scope are limited in the notes, but any CVE fix in an admission controller warrants immediate attention. If you're on v1.17.0, upgrade to v1.17.1 before doing anything else. Don't wait for your next maintenance window.

  • breakingVerify your policy exclusion rules if you use empty lists

    A bug was fixed where an empty list in a policy exclusion would silently exclude ALL resources instead of none. If you have any ClusterPolicy or Policy with exclusion blocks, audit them now. If you were unknowingly relying on empty-list-as-exclude-all behavior (unlikely but possible), your policies will now behave correctly — meaning resources that were previously skipped will now be evaluated.

  • enhancementImage verification with TSA and private registries is now reliable

    Two separate ivpol fixes land here: signed timestamp verification is now correctly enabled when a TSACertChain is provided, and private registry secrets in the Kyverno namespace are now used during background report scanning. If you've been seeing unexpected verification failures in background scans or with TSA-based signature policies, upgrade and re-run your report scans to get accurate results.

主な変更 (5)
  • CVE-2025-68121 patched — update immediately if running v1.17.0
  • Panic fixed in metrics wrapper when generate response returns no result — previously could crash the controller
  • Race conditions eliminated in configuration.IsExcluded() and ReportsBreaker — affected correctness under concurrent load
  • Image verification (ivpol) fixes: private registry auth now works in reports scanner, multi-signature annotation validation bug resolved, and TSA signed timestamp verification enabled when cert chain is provided
  • Empty list in policy exclusion no longer silently excludes all resources — a subtle but dangerous behavioral bug
原文

Notary Project

Security2025年4月27日

Notation v1.3.2 is a targeted security patch backported to the 1.3 branch, addressing CVE-2025-30204 in the golang-jwt dependency.

  • securityPatch CVE-2025-30204 by upgrading to v1.3.2 now

    CVE-2025-30204 is a vulnerability in golang-jwt that can allow attackers to bypass JWT validation. If you're running any 1.3.x release of Notation, upgrade to v1.3.2 immediately — this is the sole reason this patch release exists. If you're on v1.4+, verify your version already includes the fix before assuming you're safe.

  • enhancementUse this release as a low-risk upgrade path if you're pinned to 1.3

    Teams that can't yet move to the latest major line can take v1.3.2 without worrying about behavioral changes — the diff is narrow and confined to the JWT dependency bump plus minor cleanups. It's a safe, no-surprises drop-in for any 1.3.x deployment.

主な変更 (3)
  • CVE-2025-30204 patched via golang-jwt dependency update
  • Backport from main branch to release-1.3 for users not yet on v1.4+
  • Minor code and documentation cleanups alongside the security fix
原文
← 新しい