Boundary
Boundary 0.21.0 release notes
GA date: December 11, 2025
Release notes provide an at-a-glance summary of key updates to new versions of Boundary. For a comprehensive list of product updates, improvements, and bug fixes refer to the changelog included with the Boundary code on GitHub.
We encourage you to upgrade to the latest release of Boundary to take advantage of continuing improvements, critical fixes, and new features.
Important changes
| Change | Description |
|---|---|
| Error when sending requests to aliases using HCP Boundary | A known issue that was caused by the way default grants were previously configured in HCP Boundary could cause you to receive 500 errors when you attempted to list resolvable aliases. The issue has been resolved. Any clusters that you created on or after April 26, 2025 should not have the issue. You can add grants to resolve the error for any older clusters that exhibit this behavior. Learn more: Known issues and breaking changes |
| Boundary client version number realignment | Previously, the Boundary Client Agent and installer used a numbering scheme that was inconsistent with Boundary's release numbers. This inconsistency could make it difficult to understand version support and compatibility. On May 27, 2025 new versions of the Boundary Client Agent and installer were released with a new numbering scheme that more closely follows Boundary's release numbers. Those versions were released as 0.19.5 to match the major Boundary version 0.19.x. Going forward, the Client Agent and installer will use the same major number as the current Boundary release. Any patches or updates will be reflected in the minor number. Learn more about control plane and client compatibility: Boundary Enterprise supported versions policy |
| Redundant grant scopes are no longer permitted | You may have redundant grant scopes if you applied a grant to a scope and the scope also inherited the grant from the this, children, or descendants options. As of Boundary version 0.19.3, redundant grant scopes are no longer permitted.When you upgrade a Boundary Enterprise or Community edition cluster to version 0.19.3 or later, the migration will fail with a message if the database contains any redundant grant scopes. The migration tool provides a command that automatically removes any redundant grant scopes so that you can proceed with the upgrade. For HCP Boundary users, the redundant grant scopes are automatically removed as part of the migration process. Learn more about removing redundant grant scopes and upgrading to version 0.19.3 or later: Known issues and breaking changes |
| Client Agent no longer requires IPv6 | Previously, the Client Agent required you to enable both IPv4 and IPv6 protocols. Beginning with version 0.20.0, the Client Agent will no longer require IPv6. Learn more: Boundary Client Agent |
New features
| Feature | Update | Description |
|---|---|---|
| RDP credential injection | GA | The RDP credential injection feature is now generally available to HCP Boundary and Boundary Enterprise users. When users connect to RDP targets, Boundary can automatically inject credentials into the RDP session on behalf of the user. Learn more: Configure targets with credential injection, and RDP credential injection compatibility matrix. |
| Vault LDAP credential libraries | GA | You can now create credential libraries using the Vault LDAP secrets engine. Learn more: Domain model - Credential libraries, credential-libraries create, and credential-libraries update. |
| SSH host validation | GA | A new configuration flag, ssh_known_hosts_path, lets you verify SSH hosts using the system's known hosts file. If you set the flag, Boundary workers will reference the known hosts file at startup. If the worker is not a known host, or if there is a mismatch, Boundary produces an error.Learn more: SSH host key validation, Workers and worker stanza. |
| Inactive timeout for session connections | GA | A new argument, inactive-timeout=<duration>, was added to the boundary connect command. It lets you configure an amount of time between connections before Boundary closes inactive sessions.Learn more: connect. |
Known issues and breaking changes
| Version | Issue | Description |
|---|---|---|
| 0.13.0+ | Rotation of AWS access and secret keys during a session results in stale recordings | In Boundary version 0.13.0+, when you rotate a storage bucket's secrets, any new sessions use the new credentials. However, previously established sessions continue to use the old credentials. As a best practice, administrators should rotate credentials in a phased manner, ensuring that all previously established sessions are completed before revoking the stale credentials. Otherwise, you may end up with recordings that aren't stored in the remote storage bucket, and are unable to be played back. |
| 0.13.0+ | Unsupported recovery workflow during worker failure | If a worker fails during a recording, there is no way to recover the recording. This could happen due to a network connectivity issue or because a worker is scaled down, for example. Learn more: Unsupported recovery workflow |
| 0.17.1+ | Docker image no longer contains curl | As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary.The image now includes wget. You can use wget to check the health endpoint for workers.Learn more: Check the health endpoint using wgetIf your workflow depends on having curl in the image, you can dynamically install it using apk. Refer to the following commands for examples of using apk to install curl:<CONTAINER-ID> apk add curlor kubectl exec -ti <NAME> -- apk add curl |
| 0.18.x+ | Boundary version 0.18.x and later CLI is unable to establish connections using the boundary connect command | Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x and later controllers, workers, or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior. To revert back to the previous TLS handshake behavior, add the tlskyber=0 parameters to the GODEBUG environment variable before the boundary connect command. For example:GODEBUG=tlskyber=0 boundary connect ssh -target-id <ID>Learn more: Go issue #70047 and Go 1.23 Release Notes |