Boundary
Boundary 0.20.0 release notes
GA date: September 25, 2025
Release notes provide an at-a-glance summary of key updates to new versions of Boundary. For a comprehensive list of product updates, improvements, and bug fixes refer to the changelog included with the Boundary code on GitHub.
We encourage you to upgrade to the latest release of Boundary to take advantage of continuing improvements, critical fixes, and new features.
Important changes
| Change | Description |
|---|---|
| Error when sending requests to aliases using HCP Boundary | A known issue that was caused by the way default grants were previously configured in HCP Boundary could cause you to receive 500 errors when you attempted to list resolvable aliases. The issue has been resolved. Any clusters that you created on or after April 26, 2025 should not have the issue. You can add grants to resolve the error for any older clusters that exhibit this behavior. Learn more: Known issues and breaking changes |
| Boundary client version number realignment | Previously, the Boundary Client Agent and installer used a numbering scheme that was inconsistent with Boundary's release numbers. This inconsistency could make it difficult to understand version support and compatibility. On May 27, 2025 new versions of the Boundary Client Agent and installer were released with a new numbering scheme that more closely follows Boundary's release numbers. Those versions were released as 0.19.5 to match the major Boundary version 0.19.x. Going forward, the Client Agent and installer will use the same major number as the current Boundary release. Any patches or updates will be reflected in the minor number. Learn more about control plane and client compatibility: Boundary Enterprise supported versions policy |
| Redundant grant scopes are no longer permitted | You may have redundant grant scopes if you applied a grant to a scope and the scope also inherited the grant from the this, children, or descendants options. As of Boundary version 0.19.3, redundant grant scopes are no longer permitted.When you upgrade a Boundary Enterprise or Community edition cluster to version 0.19.3 or later, the migration will fail with a message if the database contains any redundant grant scopes. The migration tool provides a command that automatically removes any redundant grant scopes so that you can proceed with the upgrade. For HCP Boundary users, the redundant grant scopes are automatically removed as part of the migration process. Learn more about removing redundant grant scopes and upgrading to version 0.19.3 or later: Known issues and breaking changes |
New features
| Feature | Update | Description |
|---|---|---|
| RDP targets | GA | Boundary now supports a new RDP target type. RDP targets let you use injected credentials to authenticate an RDP session between the client and end host in Windows environments that use Active Directory authentication. RDP targets use the new username password domain credential type. Learn more: Target types and targets create command. |
| Username password domain credentials | GA | There is a new username password domain credential type for Windows environments that use Active Directory authentication. You can use username password domain credentials for credential injection when you connect to an RDP target. Learn more: Credential management, Credentials in Boundary, and credentials create command. |
| RDP credential injection | BETA | Boundary now supports RDP credential injection as a beta feature. When users connect to RDP targets, Boundary can automatically inject credentials into the RDP session on behalf of the user. The initial beta release supports static credentials from Boundary's built-in static credential store or Vault's KV store. Refer to the documentation for known limitations, configuration requirements, and Windows compatibility. Learn more: RDP credential injection compatibility. |
Known issues and breaking changes
| Version | Issue | Description |
|---|---|---|
| 0.13.0+ | Rotation of AWS access and secret keys during a session results in stale recordings | In Boundary version 0.13.0+, when you rotate a storage bucket's secrets, any new sessions use the new credentials. However, previously established sessions continue to use the old credentials. As a best practice, administrators should rotate credentials in a phased manner, ensuring that all previously established sessions are completed before revoking the stale credentials. Otherwise, you may end up with recordings that aren't stored in the remote storage bucket, and are unable to be played back. |
| 0.13.0+ | Unsupported recovery workflow during worker failure | If a worker fails during a recording, there is no way to recover the recording. This could happen due to a network connectivity issue or because a worker is scaled down, for example. Learn more: Unsupported recovery workflow |
| 0.17.1+ | Docker image no longer contains curl | As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary.The image now includes wget. You can use wget to check the health endpoint for workers.Learn more: Check the health endpoint using wgetIf your workflow depends on having curl in the image, you can dynamically install it using apk. Refer to the following commands for examples of using apk to install curl:<CONTAINER-ID> apk add curlor kubectl exec -ti <NAME> -- apk add curl |
| 0.18.x+ | Boundary version 0.18.x and later CLI is unable to establish connections using the boundary connect command | Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x and later controllers, workers, or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior. To revert back to the previous TLS handshake behavior, add the tlskyber=0 parameters to the GODEBUG environment variable before the boundary connect command. For example:GODEBUG=tlskyber=0 boundary connect ssh -target-id <ID>Learn more: Go issue #70047 and Go 1.23 Release Notes |