Vault release notes
- Version: 1.19.x
- GA date: 2025-03-05
Release notes provide an at-a-glance summary of key updates to new versions of Vault. For a comprehensive list of product updates, improvements, and bug fixes, refer to the changelog included with the Vault code on GitHub.
We encourage you to upgrade to the latest release of Vault to take advantage of continuing improvements, critical fixes, and new features.
Known issues and important changes
General updates
Change | Found | Fixed | Recs | Edition | Issue |
---|---|---|---|---|---|
Support change | 1.19.0 | N/A | N/A | All | 1.16.x moves to long term support and 1.19 becomes the current LTS version |
Breaking changes
Found | Recommendations | Edition | Issue |
---|---|---|---|
1.19.0 | Yes | All | Security improvement for LDAP user DN search with upndomain |
New behavior
Found | Recommendations | Edition | Issue |
---|---|---|---|
1.19.0 | No | Enterprise | Anonymized cluster data returned with license utilization |
1.19.0 | Yes | All | Identity system duplicate cleanup |
1.19.0 | No | All | RADIUS authentication is no longer case sensitive |
1.19.0 | No | All | Transit support for Ed25519ph and Ed25519ctx signatures |
1.19.1 | Yes | All | Strict validation for Azure auth login requests |
Bugs
Found | Fixed | Workaround | Edition | Issue |
---|---|---|---|---|
1.19.0 | 1.19.3 | Yes | All | Automated rotation stops after unseal |
1.19.0 | 1.19.4 | Yes | All | AWS STS configuration can fail with unspecified STS endpoints |
1.19.0 | 1.19.4 | Yes | Enterprise | External Enterprise plugins cannot run on a standby node when it becomes active |
1.19.0 | 1.19.1 | Upgrade | All | Vault log file missing subsystem logs |
1.19.1 | 1.19.4 | Yes | All | Azure authN fails to authenticate Uniform VMSS instances |
Known issues
Found | Fixed | Workaround | Edition | Issue |
---|---|---|---|---|
1.19.0 | No | Yes | All | Duplicate unseal/seal wrap HSM keys |
1.19.0 | 1.19.3 | Yes | All | Login/token renewal failures after group changes |
1.19.0 | 1.19.3 | Upgrade | All | Unexpected DB static role rotations on upgrade |
1.19.0 | 1.19.3 | Upgrade | All | Unexpected LDAP static role rotations on upgrade |
1.19.0 | 1.19.3 | Yes | All | Unwanted secret rotation for DB and LDAP roles on restart |
Feature deprecations and EOL
Deprecated in 1.19.x | Retired in 1.19.x |
---|---|
None | Active Directory plugin |
Please refer to the deprecation notices for up-to-date information on feature deprecations and plans.
Vault companion updates
Companion updates are Vault updates that live outside the main Vault binary.
None.
Community updates
Follow the learn more links for more information, or browse the list of Vault tutorials updated to highlight changes for the most recent GA release.
Release | Update | Description |
---|---|---|
Faster availability after restart | GA | Identity loading on restart is up to 40% faster and Vault logs include new diagnostic information to troubleshoot cluster slowness with the `post_unseal_trace_directory` configuration setting. Learn more: `post_unseal_trace_directory` parameter details |
Raft integrated storage | ENHANCED | Corrects a previous issue with Raft nodes generating stale data by preventing stale nodes from servicing requests to the cluster. |
Enterprise updates
Release | Update | Description |
---|---|---|
Identity | ENHANCED | Opt-in resolution of accidental duplicates in the identity system with a gated feature to force deduplication. Learn more: Find and resolve duplicate Vault identities |
Autopilot | ENHANCED | Improved upgrade stability with better cluster leadership reconciliation. Learn more: Autopilot overview |
Database support | ENHANCED | Onboard static database accounts without immediate rotation, precise timing, or coordinating with maintenance windows. Learn more: Onboarding static DB users |
Events | ENHANCED | Vault now sends event notifications to subscribers on all Vault nodes within a cluster. |
Events | ENHANCED | Notification subscriptions for secret deletion no longer require a root token. |
Plugin support | ENHANCED | Run Vault Enterprise plugins external to Vault. Running plugins externally is useful in deployments when the plugin requires different environment variable values than the Vault binary. |
Automated root credential rotation | GA | Use a rotation manager to regularly rotate credentials for AWS (secrets, authN), Azure (secrets, authN), GCP (secrets, authN), LDAP (secrets, authN), and DB plugins without manual intervention. |
AWS plugin | ENHANCED | Vault now supports AWS static role credentials for multiple AWS accounts with a single mount path to better manage AWS credentials at scale. Learn more: STS AssumeRole |
GUI support for WIF plugin configuration | GA | Use the Vault GUI to enable and configure WIF with AWS, Azure, and GCP. |
PKI: Constrained CA support | GA | Use the PKI plugin to instantiate intermediate CAs with customer-defined constraints (permitted URI, IPs, excluded DNS, etc.) and delegate PKI administration. Learn more: PKI plugin API |