v1.22.0

1.22.0 Enterprise (October 24, 2025)

SECURITY:

• connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
• security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
• security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
• security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
• security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

FEATURES:

• Added support to register a service in consul with multiple ports [GH-22769]
• agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
• install: Updated license information displayed during post-install
• ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
• oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

• security: Upgrade golang to 1.25.3. [GH-22926]
• ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
• ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
• ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]
• api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
• cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise
  http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise
  agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
• cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
• command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
• connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
• proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
• ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]
• ui: Replace yarn with pnpm for package management [GH-22790]
• ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [GH-22813]

BUG FIXES:

• ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
• ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
• ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]
• cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

v1.22.0-rc2

1.22.0-rc2 (October 15, 2025)

SECURITY:

• security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
• security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
• security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
• security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks. This resolves CVE-2025-11392. [GH-22850]

BUG FIXES:

• cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

v1.22.0-rc1

1.22.0-rc1 (September 30, 2025)

SECURITY:

• connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]

FEATURES:

• Added support to register a service in consul with multiple ports [GH-22769]
• agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
• install: Updated license information displayed during post-install
• ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
• oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

• api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
• cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise
  http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise
  agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
• cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
• command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
• connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
• proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
• ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]
• ui: Replace yarn with pnpm for package management [GH-22790]
• ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [GH-22813]

BUG FIXES:

• ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
• ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
• ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]

v1.21.5

1.21.5 (September 21, 2025)

SECURITY:

• Migrate transitive dependency from archived mitchellh/mapstructure to go-viper/mapstructure to v2 to address CVE-2025-52893. [GH-22581]
• agent: Add the KV Validations to block path traversal allowing access to unauthorized endpoints. [GH-22682]
• agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [GH-22534]
• agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [GH-22626]
• api: add charset in all applicable content-types. [GH-22598]
• connect: Upgrade envoy version to 1.34.7 [GH-22735]
• security: Fix GHSA-65rg-554r-9j5x (CVE-2024-48908) by upgrading lycheeverse/lychee-action. [GH-22667]
• security: Fix a security vulnerability where the attacker could bypass authentication by passing url params as there was no validation on them. [GH-22612]
• security: perform constant time compare for sensitive values. [GH-22537]
• security: upgrade go version to 1.25.0 [GH-22652]
• security:: (Enterprise only) fix nil pointer dereference.
• security:: (Enterprise only) fix potential race condition in partition CRUD.
• security:: (Enterprise only) perform constant time compare for sensitive values.

FEATURES:

• config: Add new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream [GH-22604]
• config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in API Gateway config and proxy-defaults [GH-22679]
• config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Mesh Gateway via service-defaults and proxy-defaults [GH-22722]
• config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Terminating Gateway service-defaults and proxy-defaults [GH-22680]

IMPROVEMENTS:

• cli: add troubleshoot ports in debug command. A ports.json file is created, which lists the open or closed ports on the host where the command is executed. [GH-22624]

BUG FIXES:

• agent: Don't show admin partition during errors [GH-11154]

v1.21.4

1.21.4 (August 13, 2025)

SECURITY:

• security: Update Go to 1.23.12 to address CVE-2025-47906 [GH-22547]

IMPROVEMENTS:

• ui: Replaced internal code editor with HDS (HashiCorp Design System) code editor and code block components for improved accessibility and maintainability across the Consul UI. [GH-22513]

BUG FIXES:

• cli: capture pprof when ACL is enabled and a token with operator:read is used, even if enable_debug config is not explicitly set. [GH-22552]

v1.21.3

1.21.3 (July 18, 2025)

IMPROVEMENTS:

• ui: Improved display and handling of IPv6 addresses for better readability and usability in the Consul web interface. [GH-22468]

BUG FIXES:

• cli: validate IP address in service registration to prevent invalid IPs in service and tagged addresses. [GH-22467]
• ui: display IPv6 addresses with proper bracketed formatting [GH-22423]

v1.21.2

1.21.2 (June 17, 2025)

SECURITY:

• security: Upgrade UBI base image version to address CVE
  CVE-2025-4802
  CVE-2024-40896
  CVE-2024-12243
  CVE-2025-24528
  CVE-2025-3277
  CVE-2024-12133
  CVE-2024-57970
  CVE-2025-31115 [GH-22409]
• cli: update tls ca and cert create to reduce excessive file perms for generated public files [GH-22286]
• connect: Added non default namespace and partition checks to ConnectCA CSR requests. [GH-22376]
• security: Upgrade Go to 1.23.10. [GH-22412]

IMPROVEMENTS:

• config: Warn about invalid characters in datacenter resulting in non-generation of X.509 certificates when using external CA for agent TLS communication. [GH-22382]
• connect: Use net.JoinHostPort for host:port formatting to handle IPv6. [GH-22359]

BUG FIXES:

• http: return a clear error when both Service.Service and Service.ID are missing during catalog registration [GH-22381]
• license: (Enterprise only) Fixed issue where usage metrics are not written to the snapshot to export the license data. [GH-10668]
• wan-federation: Fixed an issue where advertised IPv6 addresses were causing WAN federation to fail. [GH-22226]

v1.21.1

1.21.1 (May 21, 2025)

FEATURES:

• xds: Extend LUA Script support for API Gateway [GH-22321]
• xds: Added a configurable option to disable XDS session load balancing, intended for scenarios where an external load balancer is used in front of Consul servers, making internal load balancing unnecessary.

IMPROVEMENTS:

• http: Add peer query param on catalog service API [GH-22189]

1.21.0 (Enterprise)

1.21.0 Enterprise (May 06, 2025)

FEATURES:

• config: add UseSNI flag in remote JSONWebKeySet
  agent: send TLS SNI in remote JSONWebKeySet [GH-22177]
• v2: remove HCP Link integration [GH-21883]

IMPROVEMENTS:

• raft: add a configuration raft_prevote_disabled to allow disabling raft prevote [GH-21758]
• raft: update raft library to 1.7.0 which include pre-vote extension [GH-21758]
• SubMatView: Log level change from ERROR to INFO for subject materialized view as subscription creation is retryable on ACL change. [GH-22141]
• ui: Adds a copyable token accessor/secret on the settings page when signed in [GH-22105]
• xDS: Log level change from ERROR to INFO for xDS delta discovery request. Stream can be cancelled on server shutdown and other scenarios. It is retryable and error is a superfluous log. [GH-22141]

v1.20.7 (Enterprise)

1.20.7 Enterprise (May 21, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

FEATURES:

• xds: Added a configurable option to disable XDS session load balancing, intended for scenarios where an external load balancer is used in front of Consul servers, making internal load balancing unnecessary.
• xds: Extend LUA Script support for API Gateway

IMPROVEMENTS:

• http: Add peer query param on catalog service API [GH-22189]