Boundary change tracker
Before upgrading, we recommend that you review the following summary of functional changes and known issues to determine the likely impact to your Boundary deployment.
Functional changes affect how Boundary works including new requirements, defaults, behavior, and breaking changes. In some cases, we recommend specific actions before or after upgrading to mitigate the impact of a functional change.
Unresolved known issues may have suggested workarounds or mitigation strategies that you should consider before upgrading.
Changes for 0.21.x
Boundary 0.21.0 GA date: December 11, 2025
For more information, refer to the Boundary 0.21.0 release notes.
Breaking changes
| Introduced | Recommendations | Edition | Change |
|---|---|---|---|
| 0.1.0 | Upgrade | Community, Enterprise | CVE-2026-7776 |
| 0.17.1 | Workaround | All | Docker image no longer contains curl |
| 0.18.0 | Workaround | All | Go TLS handshake behavior blocks connections |
| 0.19.0 | Upgrade | All | NTLM challenge can panic on malformed payload |
| 0.19.0 | Upgrade | All | SQL injection via placeholder confusion |
| 0.21.0 | Upgrade | All | CVE-2025-61730, CVE-2025-58181, CVE-2025-47914 |
New behavior
| Introduced | Status | Edition | Change |
|---|---|---|---|
| 0.21.0 | GA | HCP, Enterprise | RDP credential injection |
| 0.21.0 | GA | All | Vault LDAP credential libraries |
| 0.21.0 | GA | All | SSH host key validation |
| 0.21.0 | GA | All | Inactive timeout for session connections |
| 0.21.2 | GA | All | Improved sort options for client cache sort |
| 0.21.3 | GA | Enterprise | IBM Passport Advantage Online (PAO) licensing |
| 0.21.3 | GA | HCP, Enterprise | Debug mode |
Known issues
| Introduced | Fixed | Workaround | Edition | Issue |
|---|---|---|---|---|
| 0.13.0 | No | Yes | HCP, Enterprise | Rotation of AWS access/secret keys results in stale session recordings |
| 0.13.0 | 1.0.0 | No | HCP, Enterprise | Unsupported session recording recovery during worker failure |
Client Agent
Breaking changes
| Introduced | Recommendations | Change |
|---|---|---|
| 0.1.4 | Upgrade | Browser-based cross-site request forgery |
Known issues
| Introduced | Fixed | Workaround | Issue |
|---|---|---|---|
| 0.1.4 | 0.21.2 | No | Transparent sessions fail on Windows with RDP client and default port |
Boundary Desktop 2.6.x
For more information, refer to the Boundary Desktop changelog.
New behavior
| Introduced | Change |
|---|---|
| 2.6.0 | Upgrade CLI to v0.21.2 |
| 2.6.0 | Refactor terminal rendering to restrict access |
| 2.6.0 | Add sort by created time support to sessions |
| 2.6.0 | Add sort by name support to targets |
Bug fixes
| Fixed | Issue |
|---|---|
| 2.6.0 | Fix flaky modal on user sign out or app quit |
Boundary Desktop 2.5.x
For more information, refer to the Boundary Desktop changelog.
Breaking changes
| Introduced | Recommendations | Change |
|---|---|---|
| 2.5.0 | Upgrade | Vulnerability could allow arbitrary code execution |
New behavior
| Introduced | Change |
|---|---|
| 2.5.0 | Upgrade CLI to v0.21.0 |
| 2.5.0 | Add RDP client launch support with improved connection flow |
Bug fixes
| Fixed | Issue |
|---|---|
| 2.5.0 | Sanitizing of tokens when logging |
| 2.5.0 | Show username for OIDC auth method in user menu |
| 2.5.0 | Clear expired sessions from store to prevent stale session data |
Changes for 0.20.x
Boundary 0.20.0 GA date: September 25, 2025
- Boundary Desktop version: 2.4.x
For more information, refer to the Boundary 0.20.0 release notes.
Breaking changes
| Introduced | Recommendations | Edition | Change |
|---|---|---|---|
| 0.1.0 | Upgrade | Community, Enterprise | CVE-2026-7776 |
| 0.17.1 | Workaround | All | Docker image no longer contains curl |
| 0.18.0 | Workaround | All | Go TLS handshake behavior blocks connections |
| 0.19.0 | Upgrade | All | NTLM challenge can panic on malformed payload |
| 0.19.0 | Upgrade | All | SQL injection via placeholder confusion |
| 0.20.0 | Upgrade | All | CVE-2025-61730, CVE-2025-58181, CVE-2025-47914 |
New behavior
| Introduced | Status | Edition | Change |
|---|---|---|---|
| 0.20.0 | GA | HCP, Enterprise | RDP targets |
| 0.20.0 | GA | All | Username password domain credentials |
| 0.20.0 | BETA | HCP, Enterprise | RDP credential injection |
| 0.20.1 | GA | All | IBM Key Protect KMS support |
| 0.20.3 | GA | All | Debug mode |
Known issues
| Introduced | Fixed | Workaround | Edition | Issue |
|---|---|---|---|---|
| 0.13.0 | No | Yes | HCP, Enterprise | Rotation of AWS access/secret keys results in stale session recordings |
| 0.13.0 | No | No | HCP, Enterprise | Unsupported session recording recovery during worker failure |
Client Agent
Known issues
| Introduced | Fixed | Workaround | Issue |
|---|---|---|---|
| 0.1.4 | 0.20.1 | No | Boundary Client Agent does not maintain its operational state after a restart |
Boundary Desktop 2.4.x
For more information, refer to the Boundary Desktop changelog.
New behavior
| Introduced | Change |
|---|---|
| 2.4.0 | Upgrade CLI to v0.20.0 |
Bug fixes
| Fixed | Issue |
|---|---|
| 2.4.0 | Fix bug that prevented setting cluster URL |
| 2.4.0 | Handle session cleanup gracefully |
Changes for 0.19.x
Boundary 0.19.0 GA date: February 10, 2025
- Boundary Desktop version: 2.3.x
For more information, refer to the Boundary 0.19.0 release notes.
Breaking changes
| Introduced | Recommendations | Edition | Change |
|---|---|---|---|
| 0.1.0 | Upgrade | Community, Enterprise | CVE-2026-7776 |
| 0.17.1 | Workaround | All | Docker image no longer contains curl |
| 0.18.0 | Workaround | All | Go TLS handshake behavior blocks connections |
| 0.19.0 | Upgrade | All | NTLM challenge can panic on malformed payload |
| 0.19.0 | Upgrade | All | SQL injection via placeholder confusion |
| 0.19.0 | Upgrade | All | CVE-2025-61730, CVE-2025-58181, CVE-2025-47914 |
| 0.19.0 | Upgrade | All | CVE-2025-22873 |
| 0.19.0 | Workaround | HCP | 500 error when attempting to list resolvable aliases |
New behavior
| Introduced | Status | Edition | Change |
|---|---|---|---|
| 0.19.0 | GA | All | Dynamic host catalogs for GCP |
| 0.19.0 | GA | All | Worker filter generator |
| 0.19.0 | GA | All | Vault brokered credentials format change |
| 0.19.1 | GA | All | Azure Virtual Machine Scale Set support for dynamic host catalogs |
| 0.19.2 | GA | HCP, Enterprise | Transparent sessions |
| 0.19.5 | GA | All | Debug mode |
Known issues
| Introduced | Fixed | Workaround | Edition | Issue |
|---|---|---|---|---|
| 0.13.0 | No | Yes | HCP, Enterprise | Rotation of AWS access/secret keys results in stale session recordings |
| 0.13.0 | No | No | HCP, Enterprise | Unsupported session recording recovery during worker failure |
| 0.15.0 | 0.19.2 | Yes | Community, Enterprise | Redundant grant scopes cause performance issues |
| 0.17.0 | 0.19.2 | No | All | Canceled SSH connections cause performance issues |
| 0.18.0 | 0.19.5 | No | Community, Enterprise | Boundary installer requires Windows shortcuts |
| 0.19.0 | 0.19.1 | No | All | Soft-deleted users are not properly authenticated |
| 0.19.0 | 0.19.2 | No | HCP, Enterprise | Unable to change key type for Vault SSH certificate credential library |
Client Agent
Known issues
| Introduced | Fixed | Workaround | Issue |
|---|---|---|---|
| 0.1.4 | 0.19.6 | No | Cannot reconnect after canceling SSH transparent session |
| 0.1.4 | 0.19.6 | No | Connectivity issues after switching network interfaces |
Boundary Desktop 2.3.x
For more information, refer to the Boundary Desktop changelog.
New behavior
| Introduced | Change |
|---|---|
| 2.3.0 | Upgrade CLI to v0.19.0 |
| 2.3.0 | Update display for brokered credentials from Vault |
| 2.3.0 | Update display for brokered static JSON credentials |
| 2.3.3 | Add search and pagination support for host resources |
Bug fixes
| Fixed | Issue |
|---|---|
| 2.3.0 | Fix memory leak for OIDC authentication |
| 2.3.1 | Fix re-authentication issue |
| 2.3.2 | Fix target search field race condition |
| 2.3.2 | Remove "Check for Updates" menu item when Desktop is installed using the Boundary installer |
| 2.3.3 | Clear stale error messages during Vault authentication |
| 2.3.3 | Fix loading indicator visibility |
Changes for 0.18.x
Boundary 0.18.0 GA date: October 15, 2024
- Boundary Desktop version: 2.2.x
For more information, refer to the Boundary 0.18.0 release notes.
Breaking changes
| Introduced | Recommendations | Edition | Change |
|---|---|---|---|
| 0.8.0 | Upgrade | Community, Enterprise | HCSEC-2024-28 |
| 0.17.1 | Workaround | All | Docker image no longer contains curl |
| 0.18.0 | Workaround | All | Go TLS handshake behavior blocks connections |
New behavior
| Introduced | Status | Edition | Change |
|---|---|---|---|
| 0.18.0 | BETA | HCP, Enterprise | Transparent sessions |
| 0.18.0 | GA | HCP, Enterprise | Backblaze support for storage buckets |
| 0.18.0 | GA | All | AssumeRole support for AWS dynamic host catalogs |
Known issues
| Introduced | Fixed | Workaround | Edition | Issue |
|---|---|---|---|---|
| 0.1.0 | 0.18.1 | No | All | Users are incorrectly removed from managed groups |
| 0.13.0 | No | Yes | HCP, Enterprise | Rotation of AWS access/secret keys results in stale session recordings |
| 0.13.0 | No | No | HCP, Enterprise | Unsupported session recording recovery during worker failure |
| 0.13.0 | 0.18.2 | No | HCP, Enterprise | Session recordings fail with error |
Boundary Desktop 2.2.x
For more information, refer to the Boundary Desktop changelog.
New behavior
| Introduced | Change |
|---|---|
| 2.2.0 | Upgrade CLI to v0.18.0 |
| 2.2.0 | Add support for transparent session notifications |
| 2.2.0 | Add user settings page for configuration options |
| 2.2.0 | Change limit of shown results to 250 and add indicator for when cache is loading |
| 2.2.0 | Show username credentials before passwords |
Bug fixes
| Fixed | Issue |
|---|---|
| 2.2.0 | Fix cache daemon termination when started before desktop client |
| 2.2.0 | Fix Intel Mac auto-update prompt |
| 2.2.0 | Fix retry for failed OIDC authentication |
Changes for 0.17.x
Boundary 0.17.0 GA date: July 31, 2024
- Boundary Desktop version: 2.1.x
For more information, refer to the Boundary 0.17.0 release notes.
Breaking changes
| Introduced | Recommendations | Edition | Change |
|---|---|---|---|
| 0.17.1 | Workaround | All | Docker image no longer contains curl |
New behavior
| Introduced | Status | Edition | Change |
|---|---|---|---|
| 0.17.0 | GA | All | Centralized tag management for workers |
| 0.17.0 | GA | All | Multi-scope roles and inheritance |
| 0.17.0 | GA | HCP, Enterprise | Improved worker failure handling |
| 0.17.0 | GA | HCP, Enterprise | S3-compliant storage options for session recording |
Known issues
| Introduced | Fixed | Workaround | Edition | Issue |
|---|---|---|---|---|
| 0.13.0 | No | Yes | HCP, Enterprise | Rotation of AWS access/secret keys results in stale session recordings |
| 0.13.0 | No | No | HCP, Enterprise | Unsupported session recording recovery during worker failure |
| 0.17.0 | 0.17.1 | No | All | Using an invalid alias results in a 401 |
| 0.17.0 | 0.17.1 | No | HCP, Enterprise | Session recording fails when you use Secure File Copy (SCP) |
Boundary Desktop 2.1.x
For more information, refer to the Boundary Desktop changelog.
New behavior
| Introduced | Change |
|---|---|
| 2.1.0 | Upgrade CLI to v0.17.0 |
| 2.1.0 | Add logging |
| 2.1.0 | Add support for auto-updating ARM64 Mac clients |
| 2.1.0 | Update client license to BSL |
Changes for 0.16.x
Boundary 0.16.0 GA date: April 30, 2024
- Boundary Desktop version: 2.0.3
For more information, refer to the Boundary 0.16.0 release notes.
New behavior
| Introduced | Status | Edition | Change |
|---|---|---|---|
| 0.16.0 | GA | All | Aliases |
| 0.16.0 | GA | HCP, Enterprise | MinIO support for session recording |
| 0.16.0 | GA | All | Admin UI enhanced search and filtering |
| 0.16.0 | GA | HCP, Enterprise | Local storage state health |
| 0.16.0 | GA | All | X-Correlation-ID header |
Known issues
| Introduced | Fixed | Workaround | Edition | Issue |
|---|---|---|---|---|
| 0.13.0 | No | Yes | HCP, Enterprise | Rotation of AWS access/secret keys results in stale session recordings |
| 0.13.0 | No | No | HCP, Enterprise | Unsupported session recording recovery during worker failure |
| 0.16.0 | 0.16.1 | No | Community, Enterprise | Controller dead lock |
| 0.16.0 | 0.16.2 | No | HCP | Controller dead lock |
| 0.16.0 | 0.16.2 | No | All | TLS handshake error |
| 0.16.0 | 0.16.2 | No | All | OIDC error codes |
Boundary Desktop 2.0.3
For more information, refer to the Boundary Desktop changelog.
New behavior
| Introduced | Change |
|---|---|
| 2.0.3 | Upgrade CLI to v0.16.0 |
| 2.0.3 | Add support for aliases |
| 2.0.3 | Add support for Darwin ARM64 |
Bug fixes
| Fixed | Issue |
|---|---|
| 2.0.3 | Fix client daemon search for Windows |
Changes for 0.15.x
Boundary 0.15.0 GA date: January 30, 2024
- Boundary Desktop version: 2.0.x
For more information, refer to the Boundary 0.15.0 release notes.
Breaking changes
| Introduced | Recommendations | Edition | Change |
|---|---|---|---|
| 0.15.0 | Workaround | All | Permission grant string change |
| 0.15.0 | Workaround | HCP, Enterprise | Storage bucket policy updates |
| 0.15.0 | Upgrade | All | Go CVE-2024-24783, Go CVE-2024-24784, Go CVE-2024-24785, Go CVE-2024-24786, Go CVE-2023-45289, Go CVE-2023-45290 |
| 0.15.0 | Upgrade | All | Go CVE-2023-45288 |
New behavior
| Introduced | Status | Edition | Change |
|---|---|---|---|
| 0.15.0 | GA | HCP, Enterprise | Session recording storage policies |
| 0.15.0 | GA | All | Search and filter |
| 0.15.0 | GA | All | Client cache |
| 0.15.0 | GA | All | API list pagination |
| 0.15.0 | GA | All | Generic commands: delete, read, and update |
| 0.15.0 | GA | All | Multiple grant scopes in roles |
Known issues
| Introduced | Fixed | Workaround | Edition | Issue |
|---|---|---|---|---|
| 0.13.0 | No | Yes | HCP, Enterprise | Rotation of AWS access/secret keys results in stale session recordings |
| 0.13.0 | No | No | HCP, Enterprise | Unsupported session recording recovery during worker failure |
| 0.13.0 | 0.15.3 | No | HCP, Enterprise | Cannot delete IAM access key resource |
| 0.15.0 | 0.15.1 | No | All | Maximum number of connections allowed is incorrect |
Boundary Desktop 2.0.x
For more information, refer to the Boundary Desktop changelog.
Known issues
| Introduced | Fixed | Workaround | Edition | Issue |
|---|---|---|---|---|
| 2.0.0 | 2.0.2 | No | macOS | Boundary Desktop does not update |
New behavior
| Introduced | Change |
|---|---|
| 2.0.0 | Upgrade CLI to v0.15.0 |
| 2.0.0 | Add search, filtering, and pagination support for sessions and targets |
| 2.0.0 | Add time-remaining to a session |
| 2.0.1 | Upgrade CLI to v0.15.1 |
| 2.0.1 | Display only scopes with auth-methods |
| 2.0.2 | Upgrade CLI to v0.15.3 |
Bug fixes
| Fixed | Issue |
|---|---|
| 2.0.0 | Fix copy command for embedded terminal in Windows |
| 2.0.1 | Fix refresh for Windows |
| 2.0.1 | Add error notification if adding token to daemon fails |
| 2.0.2 | Fix auto updater |
Changes for 0.14.x
Boundary 0.14.0 GA date: October 11, 2023
- Boundary Desktop version: 1.7.x
For more information, refer to the Boundary 0.14.0 release notes.
Breaking changes
| Introduced | Recommendations | Edition | Change |
|---|---|---|---|
| 0.14.0 | Upgrade | All | Go CVE-2023-39325, Go CVE-2023-39326 |
| 0.14.0 | Upgrade | All | Go CVE-2023-39322, Go CVE-2022-45285 |
New behavior
| Introduced | Status | Edition | Change |
|---|---|---|---|
| 0.14.0 | GA | All | LDAP auth method |
| 0.14.0 | GA | HCP, Enterprise | Dynamic credential support for storage buckets |
| 0.14.0 | GA | All | Remote pass-through commands for SSH |
| 0.14.0 | GA | All | Worker health metric |
| 0.14.0 | GA | All | Improved telemetry |
| 0.14.2 | GA | HCP, Enterprise | Valid principals for Vault SSH signed certificates |
| 0.14.3 | GA | All | OIDC prompts |
| 0.14.3 | GA | All | API rate limiting |
Known issues
| Introduced | Fixed | Workaround | Edition | Issue |
|---|---|---|---|---|
| 0.13.0 | No | Yes | HCP, Enterprise | Rotation of AWS access/secret keys results in stale session recordings |
| 0.13.0 | No | No | HCP, Enterprise | Unsupported session recording recovery during worker failure |
Boundary Desktop 1.7.x
For more information, refer to the Boundary Desktop changelog.
New behavior
| Introduced | Change |
|---|---|
| 1.7.0 | Upgrade CLI to v0.14.0 |
| 1.7.0 | Update connection workflow |
| 1.7.0 | Add embedded terminal |
| 1.7.1 | Upgrade CLI to v0.14.2 |
| 1.7.1 | Add cancel permission checks for sessions |
| 1.7.1 | Allow auto connect to SSH targets on Windows |
Bug fixes
| Fixed | Issue |
|---|---|
| 1.7.1 | Fix brokered credentials text overflow |
| 1.7.1 | Fix session permission issue |
| 1.7.1 | Add read:self permissions for sessions |
| 1.7.1 | Fix host set permission issue |
Changes for 0.13.x
Boundary 0.13.0 GA date: June 13, 2023
- Boundary Desktop version: 1.6.x
For more information, refer to the Boundary 0.13.0 release notes.
New behavior
| Introduced | Status | Edition | Change |
|---|---|---|---|
| 0.13.0 | GA | Enterprise | Boundary Enterprise released |
| 0.13.0 | GA | HCP, Enterprise | SSH session recording |
| 0.13.0 | BETA | All | LDAP authentication method |
| 0.13.0 | GA | HCP | Maintenance window |
| 0.13.0 | GA | All | OIDC authentication improvements |
| 0.13.0 | GA | All | Shared KMS workers |
| 0.13.0 | GA | All | Default, static ports for targets |
| 0.13.0 | GA | All | Dynamic host catalog external name |
Known issues
| Introduced | Fixed | Workaround | Edition | Issue |
|---|---|---|---|---|
| 0.13.0 | No | Yes | HCP, Enterprise | Rotation of AWS access/secret keys results in stale session recordings |
| 0.13.0 | No | No | HCP, Enterprise | Unsupported session recording recovery during worker failure |
Boundary Desktop 1.6.x
For more information, refer to the Boundary Desktop changelog.
New behavior
| Introduced | Change |
|---|---|
| 1.6.0 | Upgrade CLI to v0.13.0 |
| 1.6.0 | Display external names when listing dynamic hosts |
| 1.6.0 | Add support for LDAP authentication |
Bug fixes
| Fixed | Issue |
|---|---|
| 1.6.0 | Optimize API queries |