HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault Home

Vault 2.x release notes

Preview dateGA date
2026-04-012026-04-14

Release notes provide an at-a-glance summary of key updates.

We encourage you to upgrade to the latest release of Vault to take advantage of continuing improvements, critical fixes, and new features.

Review changes at a glance

Review historic breaking changes, new behavior, and known issues at a glance with the historic change tracker.

Summary

Vault 2.x.x focuses on reducing manual setup and operational friction for teams that manage identity, secrets, and encryption across large environments. The release helps operators connect Vault to existing identity systems, deliver workload identity in SPIFFE-based environments, and sync secrets to external platforms without depending on long-lived cloud credentials.

Vault 2.x.x also helps teams manage distributed infrastructure with less custom glue code and fewer one-off workflows. Operators can standardize credential rotation, support multi-region key management, automate Linux local account management, and use more guided UI workflows when they onboard teams, create policies, and discover Vault capabilities.

Vault 2.0.3

Released: 2026-06-17

New features
Enterprise

Bug fixes and security patches

  • Fix: Fixed stuck dropdowns in the Transit secrets engine Vault GUI.

Improvements and behavior changes

  • Cloud Foundry auth plugin:
    • Lazy CF client initialization: The CF auth plugin no longer calls the CF API during plugin initialization. Vault now creates the CF client lazily and only when a configuration write or login request requires it.
    • force_new_client flag: Added a new force_new_client configuration flag. When enabled, the plugin creates a new CF client for every login request instead of using the shared cached client.
  • Charts: Migrated charts from Lineal to Carbon Charts in the Client usage overview and Vault usage dashboards for a more polished and consistent visual experience.
  • Donut chart tooltips: Refined tooltip styling and functionality on donut charts for better clarity and consistency.
  • ember-basic-dropdown: Bumped to ~8.9.0 to satisfy a peer dependency requirement with @hashicorp/design-system-components.
  • Babel preset: Reinstalled @babel/preset-env at ~7.29.5 to stay current with the JavaScript build ecosystem.
  • Dependency overrides: Removed stale dependency overrides from ui/package.json to reduce unnecessary version constraints.

Vault 2.0.2

Released: 2026-06-04

Bug fixes and security patches

  • Fix: Local account update failure. Vault failed to complete account rotation with the error: Error writing data to <path>: context deadline exceeded.

  • Fix: Enterprise Azure Secrets Engine credential failure. Vault intermittently failed during credential creation with the error: Resource does not exisit.

  • Go update: Vulerability patch for golang.org/x/crypto.

  • Go update: Vulerability patch for golang.org/x/net.

Improvements and behavior changes

Vault 2.0.1

Released: 2026-05-19

Limited CE artifact availability

The Vault 2.0.1 Community edition does not have artifacts for the following architectures:

Operating systemarchitecture
macOSdarwin_amd64, darwin_arm64
FreeBSDfreebsd_386, freebsd_amd64
Linux 32-bitlinux_386
Windowswindows_386, windows_amd64.

Users running Vault on those platforms should wait for the 2.0.2 CE release, which will include all missing artifacts.

Bug fixes and security patches

  • Fix: MSSQL database secrets engine bug. Fixed lease revocation to work without sysadmin privileges by replacing the undocumented sp_msloginmappings procedure with a metadata query. The plugin now functions with VIEW ANY DEFINITION and VIEW SERVER STATE permissions instead of requiring full sysadmin access.

Improvements and behavior changes

  • License utilization dashboard: New UI dashboard for /sys/billing/overview data.

  • /sys/billing/overview: Now retains 37 months of usage data and adds start_month and end_month query parameters.

  • License utilization metrics: Added census and billing metrics.

    • GCP KMS operation counts for data protection API calls: gcp_kms_operation_count.current_month_estimate and gcp_kms_operation_count.previous_month_complete
    • OIDC token units for duration-adjusted OIDC token issuance: normalized_oidc_tokens_issued.current_month_estimate and normalized_oidc_tokens_issued.previous_month_complete
    • SPIFFE JWT token units for duration-adjusted SPIFFE JWT token issuance: normalized_spiffe_jwt_token_units.current_month_estimate and normalized_spiffe_jwt_token_units.previous_month_complete
    • High watermark tracking of local account static roles managed by OS secrets engine: os_local_static_max_role_count.current_month_estimate and os_local_static_max_role_count.previous_month_complete
    • PKI External CA certificate units for duration-adjusted PKI External CA certificate issuance: normalized_external_ca_cert_units.current_month_estimate and normalized_external_ca_cert_units.previous_month_complete

  • Product usage metrics:

    • Added a count of local account static roles managed by mounts of OS secrets engine across all namespaces (secret.engine.os.local.account.static.role.count).
    • Added a count of agent registrations across all namespaces (vault.agentregistry.agent.registrations.count).
    • Added a count of agent registrations with RAR toggled off across all namespaces (vault.agentregistry.agent.registrations.with_rar_off.count).
    • Added a count of agent registrations with RAR toggled on across all namespaces (vault.agentregistry.agent.registrations.with_rar_on.count).
    • Added a count of OAuth resource server configurations across all namespaces (vault.oauth.resource.server.config.count).
    • Added a count of OAuth resource server configurations with RAR toggled on across all namespaces (vault.oauth.resource.server.config.with_rar_on.count).
    • Added a count of OAuth resource server configurations with RAR toggled off across all namespaces (vault.oauth.resource.server.config.with_rar_off.count).

  • JWT/OIDC auth plugin - Added multi-JWKS key ID cache: JWT authentication with multiple JWKS URLs (jwks_pairs) now uses a key ID cache so Vault skips unnecessary JWKS endpoint refreshes during login. The plugin first checks all in-memory caches for the token's key ID before making any network calls. Remote JWKS endpoints are only re-fetched when no cache contains the key ID, such as after a key rotation.

  • Wildcards and globs no longer permitted in templated policy paths: Vault now returns a "permission denied" error if you include wildcards and globs in the rendered output for identity templates. Refer to the Important changes entry for more details.

Vault 2.0.0

Released: 2026-04-14

New features
Enterprise

  • SCIM identity provisioning - Automate identity lifecycle management by provisioning entities and groups in Vault from external identity platforms.
  • SPIFFE JWT-SVID support - Let authenticated workloads request JWT-SVIDs from Vault so they can participate in SPIFFE-based identity workflows.
  • Visual policy generator - Create policies faster and reduce manual policy authoring by generating ACL policy snippets from the Vault GUI.
  • Feature introduction pages - The Vault GUI now provides guided overviews for key Vault capabilities that help you understand core features without leaving the GUI.
  • Namespace onboarding workflow - Answer a few key questions in the Vault GUI to create new namespaces then continue in the GUI, CLI, or Terraform.
  • Secret Sync - Use workload identity federation (WIF) to sync secrets to external systems without storing static credentials.
  • Envelope encryption - Use Transit for in-place encryption workflows where Vault protects data encryption keys and your applications encrypt and decrypt local data.
  • Public CA integration - Use Vault to interface to public CAs in order to issue certificates.
  • AWS KMS multi-region keys - Create and replicate managed keys across AWS regions so you can support multi-region encryption and disaster recovery workflows.
  • Local accounts secrets engine - Use Vault to automatically rotate Linux local account credentials.
  • LDAP static role rotation enhancements - Manage LDAP static credentials with more flexibility by adding initial passwords, self-managed rotation, schedules, and retry controls.
  • Rotation policies - Standardize how Vault handles failed automated rotations by defining reusable retry behavior for supported roles.

Bug fixes and security patches

  • Fix: Credential rotation bug. Vault Agent backoff reduces aggressive retries during secret rotation so that agents create less unnecessary network traffic and server load.
  • Fix: Repaired the integrity of duplicate and/or dangling entity aliases.

Improvements and behavior changes

  • The Vault UI navigation now organizes features around common operator tasks so users can find related capabilities faster.
  • In-product feature descriptions explain what features do and when to use them so that users can evaluate capabilities in context.
  • Azure secrets engine adds role metadata support, separates static credential import, and lowers the minimum TTL for static roles to 30 days so operators can manage Azure roles with more consistency.
  • Event notifications support subscriptions from secondary clusters for events on the primary cluster so multi-cluster deployments can react with lower latency.
  • External plugin management is easier in the Vault GUI so operators can manage external versions of built-in plugins without relying only on the API or CLI.
  • IBM Passport Advantage Online license support lets Vault Enterprise use IBM Passport Advantage Online license keys so customers can reduce licensing fulfillment delays.
  • Support for an additional licensing framework aligns pricing with workload, automation, and machine identity growth so billing better reflects platform usage.
  • JWT auth updates improve JWT-based authentication workflows.
  • KMIP Bring Your Own CA: Use the import endpoint to manage multiple CAs for client verification and make it possible to import external CAs.
  • Azure OIDC Provider supports fetching groups from the Azure Graph API.
  • Rotation retries use exponential backoff and orphan handling so Vault can retry failed root and static credential rotations without overloading the system. Vault 2.0.0 supports LDAP static roles in addition to the engines that already support root rotation.
  • TCP listener: Added the max_token_header_size option to limit the size of authentication token header values passed with X-Vault-Token or Authorization: Bearer.

Feature deprecations and EOL

VersionDeprecatedRetired
NoneNoneNone

Please refer to the deprecation notices for up-to-date information on feature deprecations and plans.

Edit this page on GitHub