Vault - 1.12.3

February 6, 2023


  • core: Bump Go version to 1.19.4.


  • audit: Include stack trace when audit logging recovers from a panic. [GH-18121]
  • command/server: Environment variable keys are now logged at startup. [GH-18125]
  • core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
  • core: Add read support to sys/loggers and sys/loggers/:name endpoints [GH-17979]
  • plugins: Let Vault unseal and mount deprecated builtin plugins in a
    deactivated state if this is not the first unseal after an upgrade. [GH-17879]
  • secrets/db/mysql: Add tls_server_name and tls_skip_verify parameters [GH-18799]
  • secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [GH-17406]
  • storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [GH-12166]
  • ui: Added JWT authentication warning message about blocked pop-up windows and web browser settings. [GH-18787]
  • ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [GH-18342]
  • ui: Update language on database role to "Connection name" [GH-18261] [GH-18350]


  • auth/approle: Fix token_bound_cidrs validation when using /32 blocks for role and secret ID [GH-18145]
  • auth/cert: Address a race condition accessing the loaded crls without a lock [GH-18945]
  • auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [#173] [GH-18716]
  • cli/kv: skip formatting of nil secrets for patch and put with field parameter set [GH-18163]
  • command/namespace: Fix vault cli namespace patch examples in help text. [GH-18143]
  • core (enterprise): Fix a race condition resulting in login errors to PKCS#11 modules under high concurrency.
  • core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
  • core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
  • core/quotas: Fix issue with improper application of default rate limit quota exempt paths [GH-18273]
  • core/seal: Fix regression handling of the key_id parameter in seal configuration HCL. [GH-17612]
  • core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
  • core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [GH-18923]
  • database/mongodb: Fix writeConcern set to be applied to any query made on the database [GH-18546]
  • expiration: Prevent panics on perf standbys when an irrevocable lease gets deleted. [GH-18401]
  • kmip (enterprise): Fix Destroy operation response that omitted Unique Identifier on some batched responses.
  • kmip (enterprise): Fix Locate operation response incompatibility with clients using KMIP versions prior to 1.3.
  • kmip (enterprise): Fix Query operation response that omitted streaming capability and supported profiles.
  • licensing (enterprise): update autoloaded license cache after reload
  • plugins: Allow running external plugins which override deprecated builtins. [GH-17879]
  • plugins: Listing all plugins while audit logging is enabled will no longer result in an internal server error. [GH-18173]
  • plugins: Skip loading but still mount data associated with missing plugins on unseal. [GH-18189]
  • sdk: Don't panic if system view or storage methods called during plugin setup. [GH-18210]
  • secrets/pki: Address nil panic when an empty POST request is sent to the OCSP handler [GH-18184]
  • secrets/pki: Allow patching issuer to set an empty issuer name. [GH-18466]
  • secrets/pki: OCSP GET request parameter was not being URL unescaped before processing. [GH-18938]
  • secrets/pki: fix race between tidy's cert counting and tidy status reporting. [GH-18899]
  • secrets/transit: Do not warn about unrecognized parameter 'batch_input' [GH-18299]
  • secrets/transit: Honor partial_success_response_code on decryption failures. [GH-18310]
  • storage/raft (enterprise): An already joined node can rejoin by wiping storage
    and re-issuing a join request, but in doing so could transiently become a
    non-voter. In some scenarios this resulted in loss of quorum. [GH-18263]
  • storage/raft: Don't panic on unknown raft ops [GH-17732]
  • ui: cleanup unsaved auth method ember data record when navigating away from mount backend form [GH-18651]
  • ui: fixes query parameters not passed in api explorer test requests [GH-18743]

