Vault change tracker

Summary tables of important changes that may affect your ability to upgrade Vault.

Changes for 1.19.x

General updates

Update	Introduced	Recommendations	Edition	Change
Support change	1.19.0	Upgrade	Enterprise	1.16.x moves to long term support and 1.19 becomes the current LTS version

Breaking changes

Introduced	Recommendations	Edition	Change
1.19.0	Yes	All	Security improvement for LDAP user DN search with upndomain
1.19.6	Yes	All	Rekey cancellations use a nonce
1.19.7	Yes	All	CVE-2025-6000: File audit devices cannot use executable file permissions

New behavior

Introduced	Recommendations	Edition	Change
1.19.0	No	Enterprise	Anonymized cluster data returned with license utilization
1.19.0	Yes	All	Identity system duplicate cleanup
1.19.0	No	All	RADIUS authentication is no longer case sensitive
1.19.0	No	All	Transit support for Ed25519ph and Ed25519ctx signatures
1.19.1	Yes	All	Strict validation for Azure auth login requests
1.19.9	No	All	JSON Payload Limits
1.19.11	Yes	Enterprise	Rotation manager schedule strings in UTC

Known issues

Found	Fixed	Workaround	Edition	Issue
1.19.0	No	Yes	Enterprise	Duplicate unseal/seal wrap HSM keys
1.19.6	1.19.9	No.	All.	AWS auto join fails on startup
1.19.0	1.19.3	Yes	All	Login/token renewal failures after group changes
1.19.0	1.19.3	Upgrade	All	Unexpected DB static role rotations on upgrade
1.19.0	1.19.3	Upgrade	All	Unexpected LDAP static role rotations on upgrade
1.19.0	1.19.3	Yes	All	Unwanted secret rotation for DB and LDAP roles on restart
1.19.0	1.19.3	Yes	All	Automated rotation stops after unseal
1.19.0	1.19.4	Yes	All	AWS STS configuration can fail with unspecified STS endpoints
1.19.0	1.19.4	Yes	Enterprise	External Enterprise plugins cannot run on a standby node when it becomes active
1.19.0	1.19.1	Upgrade	All	Vault log file missing subsystem logs
1.19.1	1.19.4	Yes	All	Azure authN fails to authenticate Uniform VMSS instances
1.18.4	No	Yes	All	Failing credential refresh for Snowflake DB secrets engine key pair authentication
1.19.0	No	No	All	Writing configuration to local auth mount (ldap, aws, gcp, azure) ignores local flag
1.19.0	No	Yes	Enterprise	Missed events with multiple event clients
1.19.0	No	No	Enterprise	Full seal rewraps occur on DR/PR failover with multi-seal enabled

Changes for 1.18.x

General updates

Update	Introduced	Recommendations	Edition	Change
Beta removed	1.18.0	No	All	Request limiter removed

Breaking changes

Introduced	Recommendations	Edition	Change
1.18.11	Yes	All	Rekey cancellations use a nonce
1.18.12	Yes	All	CVE-2025-6000: File audit devices cannot use executable file permissions

New behavior

Introduced	Recommendations	Edition	Change
1.18.0	No	All	Activity log changes
1.18.0	Yes	All	Docker image no longer contains curl
1.18.2	Yes	All	Anonymous product usage metrics collection
1.18.7	No	All	Strict validation for Azure auth login requests
1.18.14	No	All	JSON Payload Limits

Known issues

Found	Fixed	Workaround	Edition	Issue
1.18.0	No	Yes	Enterprise	Duplicate unseal/seal wrap HSM keys
1.18.0	1.18.9	Yes	All	Unwanted secret rotation for DB and LDAP roles on restart
1.18.0	1.18.7	Upgrade	All	Vault log file missing subsystem logs
1.18.0	1.18.5	Yes	Enterprise	Secrets sync SSRF protection may block private endpoints
1.18.5	No	No	All	Authorization failure with Azure federated identity credentials
1.18.5	1.18.9	Upgrade	All	Unexpected DB static role rotations on upgrade
1.18.5	1.18.9	Upgrade	All	Unexpected LDAP static role rotations on upgrade
1.18.6	1.18.10	Yes	Enterprise	External Enterprise plugins cannot run on a standby node when it becomes active
1.18.7	1.18.10	Yes	All	Azure authN fails to authenticate Uniform VMSS instances
1.18.0	No	No	Enterprise	Full seal rewraps occur on DR/PR failover with multi-seal enabled

Changes for 1.17.x

General updates

Update	Introduced	Recommendations	Edition	Change
Beta deprecated	1.17.0	No	All	Request limiter deprecated
Opt out feature	1.17.0	Yes	All	PKI sign-intermediate now truncates `notAfter` field to signing issuer

Breaking changes

Introduced	Recommendations	Edition	Change
1.17.18	Yes	All	Rekey cancellations use a nonce

New behavior

Introduced	Recommendations	Edition	Change
1.17.0	No	All	Allowed audit headers now have unremovable defaults
1.17.0	Yes	All	JWT auth login requires `bound_audiences` parameter on role
1.17.14	No	All	Strict validation for Azure auth login requests
1.17.3	Yes	All	Secrets Sync SSRF Protection May Block Private Endpoints
1.17.9	No	All	Default report months deprecated for `sys/internal/counters`
1.17.9	Yes	All	Vault product usage metrics reporting

Known issues

Found	Fixed	Workaround	Edition	Issue
1.17.0	1.17.4	Yes	All	AWS Auth Role configuration requires an external_id
1.17.0	1.17.6	Yes	All	Cached activation flags for secrets sync on follower nodes are not updated
1.17.0	1.17.5	Upgrade	All	Client tokens and token accessors audited in plaintext
1.17.0	1.17.3	Upgrade	All	Deleting an entity-aliases does not remove it from the in-memory database on standby nodes
1.17.0	No	Yes	Enterprise	Duplicate identity groups created when concurrent requests sent to the primary and PR secondary cluster
1.17.0	No	Yes	Enterprise	Duplicate unseal/seal wrap HSM keys
1.17.0	1.17.2	Upgrade	Enterprise	Input data on Transit Generate CMAC Response
1.17.0	No	Yes	Enterprise	Manual entity merges sent to a PR secondary cluster are not persisted to storage
1.17.0	No	Yes	All	PKI OCSP GET requests can return HTTP redirect responses
1.17.0	No	Upgrade	All	Unwanted secret rotation for DB and LDAP roles on restart
1.17.0	1.17.1	Upgrade	All	Vault Agent and Vault Proxy consume an excessive amount of CPU
1.17.0	1.17.3	Upgrade	Enterprise	Vault standby nodes not deleting removed entity-aliases from in-memory database
1.17.0	1.17.17	Yes	Enterprise	External Enterprise plugins cannot run on a standby node when it becomes active
1.17.0	1.17.14	Upgrade	All	Vault log file missing subsystem logs
1.17.1	1.17.2	Yes	All	Potential DoS when using the deny_unauthorized proxy protocol behavior for a TCP listener
1.17.3	1.17.12	Yes	Enterprise	Secrets sync SSRF protection may block private endpoints
1.17.12	No	No	All	Authorization failure with Azure federated identity credentials
1.17.12	1.17.16	Upgrade	All	Unexpected DB static role rotations on upgrade
1.17.12	1.17.16	Upgrade	All	Unexpected LDAP static role rotations on upgrade
1.17.14	1.17.17	Yes	All	Azure authN fails to authenticate Uniform VMSS instances

Changes for 1.16.x

Breaking changes

Introduced	Recommendations	Edition	Change
1.16.0	Yes	All	Docker image no longer contains curl
1.16.21	Yes	All	Rekey cancellations use a nonce
1.16.23	Yes	All	CVE-2025-6000: File audit devices cannot use executable file permissions

New behavior

Introduced	Recommendations	Edition	Change
1.16.0	No	Enterprise	Activity log changes
1.16.0	No	All	Auto-rolled billing start date
1.16.0	Yes	All	Default lease count quota enabled when upgrading from Vault versions before 1.9
1.16.0	Yes	All	External plugin variables take precedence over system variables
1.16.0	Yes	All	LDAP auth login changes
1.16.0	Yes	All	Product usage reporting
1.16.0	Yes	All	Secrets Sync cannot be activated from chroot namespace
1.16.0	No	Enterprise	Secrets Sync now requires setting a one-time flag before use
1.16.18	No	All	Strict validation for Azure auth login requests
1.16.25	No	All	JSON Payload Limits

Known issues

Found	Fixed	Workaround	Edition	Issue
1.16.0	1.16.18	Upgrade	All	Vault log file missing subsystem logs
1.16.0	1.16.3	Yes	All	Azure secrets engine role creation failing
1.16.0	1.16.3	Yes	All	Cached activation flags for secrets sync on follower nodes are not updated
1.16.0	No	Yes	Enterprise	Duplicate identity groups created when concurrent requests sent to the primary and PR secondary cluster
1.16.0	No	Yes	Enterprise	Duplicate unseal/seal wrap HSM keys
1.16.0	1.16.1	Upgrade	All	Error logging in with LDAP auth method
1.16.0	1.16.1	Upgrade	All	Error logging in with LDAP auth method when anonymous group search is enabled
1.16.0	No	Yes	All	Existing clusters do not show the current Vault version in UI by default
1.16.0	No	Yes	Enterprise	Manual entity merges sent to a PR secondary cluster are not persisted to storage
1.16.0	1.16.4	Yes	All	New nodes added by autopilot upgrades provisioned with the wrong version
1.16.0	1.16.3	Yes	Enterprise	Performance Standbys revert to Standby mode on unseal
1.16.0	No	Yes	All	PKI OCSP GET requests can return HTTP redirect responses
1.16.0	1.16.6	Yes	Enterprise	Potential DoS when using the deny_unauthorized proxy protocol behavior for a TCP listener
1.16.0	No	Yes	All	Sending SIGHUP to vault standby node causes panic
1.16.0	No	Upgrade	All	Unwanted secret rotation for DB and LDAP roles on restart
1.16.1	1.16.2	Yes	All	Error configuring the JWT auth method
1.16.3	1.16.6	Yes	All	JWT auth login requires bound audiences on the role
1.16.3	1.16.7	Upgrade	Enterprise	Vault standby nodes not deleting removed entity-aliases from in-memory database
1.16.7	1.16.9	Upgrade	All	Client tokens and token accessors audited in plaintext
1.16.7	1.16.16	Yes	Enterprise	Secrets sync SSRF protection may block private endpoints
1.16.16	No	No	All	Authorization failure with Azure federated identity credentials
1.16.16	1.16.20	Upgrade	All	Unexpected DB static role rotations on upgrade
1.16.16	1.16.20	Upgrade	All	Unexpected LDAP static role rotations on upgrade
1.16.17	1.16.21	Yes	Enterprise	External Enterprise plugins cannot run on a standby node when it becomes active
1.16.18	1.16.21	Upgrade	All	Azure authN fails to authenticate Uniform VMSS instances
1.16.0	No	No	Enterprise	Full seal rewraps occur on DR/PR failover with multi-seal enabled