Vault - 1.13.0



  • auth/approle: Add maximum length of 4096 for approle role_names, as this value results in HMAC calculation [GH-17768]
  • auth: Returns invalid credentials for ldap, userpass and approle when wrong credentials are provided for existent users.
    This will only be used internally for implementing user lockout. [GH-17104]
  • core: Bump Go version to 1.19.2.
  • plugins: GET /database/config/:name endpoint now returns an additional plugin_version field in the response data. [GH-16982]
  • plugins: GET /sys/auth/:path/tune and GET /sys/mounts/:path/tune endpoints may now return an additional plugin_version field in the response data if set. [GH-17167]
  • plugins: GET for /sys/auth, /sys/auth/:path, /sys/mounts, and /sys/mounts/:path paths now return additional plugin_version, running_plugin_version and running_sha256 fields in the response data for each mount. [GH-17167]
  • secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls [GH-15869]
  • ui: Upgrade Ember to version 4.4.0 [GH-17086]


  • core: Add user lockout field to config and configuring this for auth mount using auth tune to prevent brute forcing in auth methods [GH-17338]


  • Reduced binary size [GH-17678]
  • agent: fix incorrectly used loop variables in parallel tests and when finalizing seals [GH-16872]
  • api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
  • auth/azure: Adds support for authentication with Managed Service Identity (MSI) from a
    Virtual Machine Scale Set (VMSS) in flexible orchestration mode. [GH-17540]
  • cli: Add support for creating requests to existing non-KVv2 PATCH-capable endpoints. [GH-17650]
  • cli: Support the -format=raw option, to read non-JSON Vault endpoints and original response bodies. [GH-14945]
  • core/identity: Add machine-readable output to body of response upon alias clash during entity merge [GH-17459]
  • core: License location is no longer cache exempt, meaning sys/health will not contribute as greatly to storage load when using consul as a storage backend. [GH-17265]
  • core: Update protoc from 3.21.5 to 3.21.7 [GH-17499]
  • database/snowflake: Allow parallel requests to Snowflake [GH-17593]
  • plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
  • plugins: Allow selecting builtin plugins by their reported semantic version of the form vX.Y.Z+builtin or vX.Y.Z+builtin.vault. [GH-17289]
  • sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]
  • secrets/aws: Update dependencies [PR-17747] [GH-17747]
  • secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [GH-17406]
  • secrets/pki: Add a new API that returns the serial numbers of revoked certificates on the local cluster [GH-17779]
  • secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [GH-17388]
  • secrets/pki: Return new fields revocation_time_rfc3339 and issuer_id to existing certificate serial lookup api if it is revoked [GH-17774]
  • secrets/ssh: Evaluate ssh validprincipals user template before splitting [GH-16622]
  • secrets/transit: Add associated_data parameter for additional authenticated data in AEAD ciphers [GH-17638]
  • secrets/transit: Add support for PKCSv1_5_NoOID RSA signatures [GH-17636]
  • storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [GH-12166]
  • sys/internal/inspect: Creates an endpoint to look to inspect internal subsystems.


  • cli: Fix issue preventing kv commands from executing properly when the mount path provided by -mount flag and secret key path are the same. [GH-17679]
  • cli: Remove empty table heading for vault secrets list -detailed output. [GH-17577]
  • core/managed-keys (enterprise): Return better error messages when encountering key creation failures
  • core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
  • core/seal: Fix regression handling of the key_id parameter in seal configuration HCL. [GH-17612]
  • core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
  • core: Fix vault operator init command to show the right curl string with -output-curl-string and right policy hcl with -output-policy [GH-17514]
  • core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
  • core: Refactor lock grabbing code to simplify stateLock deadlock investigations [GH-17187]
  • core: fix GPG encryption to support subkeys. [GH-16224]
  • core: fix a start up race condition where performance standbys could go into a
    mount loop if default policies are not yet synced from the active node. [GH-17801]
  • core: fix race when using SystemView.ReplicationState outside of a request context [GH-17186]
  • core: prevent memory leak when using control group factors in a policy [GH-17532]
  • core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
  • login: Store token in tokenhelper for interactive login MFA [GH-17040]
  • openapi: fix script to correctly load vault plugins [GH-17752]
  • plugins/kv: KV v2 returns 404 instead of 500 for request paths that incorrectly include a trailing slash. [GH-17339]
  • plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
  • secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [GH-17772]
  • secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17385]
  • secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [GH-17693]
  • secrets/pki: Fixes duplicate otherName in certificates created by the sign-verbatim endpoint. [GH-16700]
  • secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
  • ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
  • ui: Fixes issue with not being able to download raft snapshot via service worker [GH-17769]
  • ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
  • ui: Remove default value of 30 to TtlPicker2 if no value is passed in. [GH-17376]


March 1, 2023, midnight
Register or login to:
  • 🔍View and search all Vault releases.
  • 🛠️Create and share lists to track your tools.
  • 🚨Setup notifications for major, security, feature or patch updates.
  • 🚀Much more coming soon!
Continue with GitHub
Continue with Google