v2.0.0-rc1

2.0.0-rc1 (April 29, 2026)

SECURITY:

• connect: Upgrade envoy version to 1.37.2 and newer versions [GH-23469]
• go: Upgrade go version to 1.26 [GH-23493]

FEATURES:

• (Enterprise Only) update to go-licensing/v4 and go-census/v3 inorder to adapt to new licenses of PAO.
• Global Rate Limiter: (Enterprise Only) a new "rate-limit" config entry kind that enables dynamic, cluster-wide RPC rate limiting stored in Raft and automatically replicated to all servers. This allows operators to apply or adjust global rate limits at runtime without restarting Consul servers — a critical capability for emergency scenarios where the cluster is under excessive load.
• api-gateway: Added SDS certificate support for API Gateway listeners, including listener-level default TLS certificates and HTTP/TCP route service TLS SDS overrides. Service overrides inherit the listener SDS cluster when omitted, and gateway validation/xDS generation now rejects conflicting override mappings to keep certificate selection deterministic. [GH-23354]
• api-gateway: add support for gateway-level default upstream limits and route service-level limit overrides for MaxConnections, MaxPendingRequests, and MaxConcurrentRequests. [GH-23396]
• api: Added new API "/v1/internal/rpc/methods" that lists all RPC method names. Requires an operator:read ACL token. This is useful when users want to configure rate limits that exclude specific RPC endpoints. [GH-23329]
• ca: (Enterprise Only) Added new Connect CA provider for Cyberark WIM (connect.ca_provider = "pan-distributed-issuer"), enabling Consul to issue certificates through Cyberark WIM.
• server: (Enterprise Only) add stable cluster identity and leader-gated global registry sync for service summary publishing.
• telemetry: (Enterprise Only) Product telemetry for self-managed Consul with anonymous, opt-in usage reporting.
• mesh: (Enterprise Only) Introduce support for multi-port (named port) services in Consul, including the ability to specify and route traffic using port names, as well as to retrieve virtual IPs for specific service ports. It also enforces that certain advanced multi-port features are only available in Consul Enterprise, and includes new utility functions for cluster naming and ALPN protocol generation.

IMPROVEMENTS:

• agent: (Enterprise Only) Add eventually-consistent background cache for Enterprise usage metrics, reducing GET /v1/operator/usage latency from O(PNK) to O(1) and lowering CPU/memory pressure during high-frequency scraping via a watch-driven maintainer goroutine.
• mesh: (Enterprise Only) Introduce support for multi-port (named port) services in Consul, including the ability to specify and route traffic using port names, as well as to retrieve virtual IPs for specific service ports. It also enforces that certain advanced multi-port features are only available in Consul Enterprise, and includes new utility functions for cluster naming and ALPN protocol generation.
• terminating-gateway: Updated the cluster upstream tls to use sds instead of static certs, allowing for dynamic certificate updates without needing to restart the terminating gateway. [GH-23288]
• telemetry: Add certificate expiry monitoring with Prometheus metrics (labeled with datacenter/partition/namespace), structured logging with configurable severity thresholds, and enhanced Connect CA API to include NotAfter field for root and intermediate certificates. [GH-23147]

BUG FIXES:

• audit-logging: (Enterprise Only) Fixed JSON unmarshall error when array of obj is passed for auditReq body.
• cli: Enhanced error messages in consul config write command to provide actionable guidance when config entries cannot be modified due to references by gateways or routers. [GH-22921]
• xds: Fixed XDS package to generate correct endpoints and cluster configurations for API Gateways when peered, and updated the API Gateway update handler to propogate mesh gateway config to its upstreams. [GH-23454]

v1.22.7

1.22.7 (April 21, 2026)

SECURITY:

• security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
• security: upgrade go.opentelemetry.io/otel to 1.42.0 to remediate CVE-2026-24051 (Path Hijacking / Untrusted Search Paths on macOS). [GH-23387]
• test-sds-server: bump github.com/hashicorp/consul to v1.22.5 in integration test module to align with the CVE-2026-2808 fixed release line. [GH-23437]
• ui: (Enterprise only) Backport Rollup update to 2.80.0 for release/1.21.x to address CVE-2026-27606 (SECVULN-38912).

IMPROVEMENTS:

• acl: Addition of TokenNameFormat field to auth-method and parse the same for token name [GH-23444]
• discovery-chain: removes the use of hashstructure_v2 ([github.com/mitchellh/hashstructure/v2] from compiled discovery chain hashing and replaces it with explicit custom hash implementations. [GH-23393]
• ui: removed consul docs website related code as it is being maintained in a separate internal repository. [GH-23398]

BUG FIXES:

• api-gateway: fix HTTPRoute PathPrefix routing to preserve the original request path when replacePrefixMatch is not configured [GH-23390]

v1.22.6

1.22.6 (March 23, 2026)

SECURITY:

• security: upgrade envoy version to 1.35.9 and 1.34.13 [GH-23372]
• security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
• security: upgrade go version to 1.25.8 [GH-23322]
• security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [GH-23322]

IMPROVEMENTS:

• api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [GH-23216]
• ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [GH-23341]
• ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [GH-23271]
• ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [GH-23289]

v1.22.5

1.22.5 (February 26, 2026)

SECURITY:

• security: upgrade go version to 1.25.7 [GH-23204]
• dockerfile: the Consul build Go base image to alpine3.23 [GH-23194]
• connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
• security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
• security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
• security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]

IMPROVEMENTS:

• api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
• agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
• cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]
• docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [GH-23246]
• api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]

v1.22.4

⚠️ Important Notice

We have identified an issue in Consul and Consul Enterprise Feb Patch Release (1.22.4, 1.22.4-ent, 1.21.10-ent, 1.18.20-ent) that requires a corrective patch release.

We recommend that customers avoid using these versions in production environments and wait for the upcoming patch release.

Customers who have upgraded to these versions should temporarily revert to the previous stable release while we prepare a corrected update.

A new patched release is expected by the end of the this month.

Further updates will be shared once the new version is available. We apologize for the inconvenience and appreciate your patience.

1.22.4 (February 18, 2026)

SECURITY:

• security: upgrade go version to 1.25.7 [GH-23204]
• dockerfile: the Consul build Go base image to alpine3.23 [GH-23194]
• connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
• security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]

IMPROVEMENTS:

• api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
• agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
• cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]
• api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]

v1.22.3

1.22.3 (January 23, 2026)

SECURITY:

• Update the Consul Build Go base image to alpine3.23.2 [GH-23138]

IMPROVEMENTS:

• api: Add consul services imported-services and new api(/v1/exported-services) command to list services imported by partitions within a local datacenter [GH-12045]
• connect: added ability to configure Virtual IP range for t-proxy with CIDRs [GH-23085]

v1.22.2

1.22.2 (December 15, 2025)

SECURITY:

• security: Upgrade golang to 1.25.4. [GH-23029]
• security: upgrade internal packages of RHEL builds to include security fixes [GH-23078]

IMPROVEMENTS:

• ui: upgraded Ember framework from v3.28 to v4.12, improving performance and stability. Upgrades multiple other packages which support Ember v4. [GH-23070]

BUG FIXES:

• agent: fix bug prevents default TCP checks from being re-added on service reload when they were explicitly disabled or when custom checks were specified during initial registration. [GH-23088]
• audit-logging: (Enterprise only) Fixed JSON unmarshall error when array of obj is passed for auditReq body. [GH-11546]
• cli: Enhanced error messages in consul config write command to provide actionable guidance when config entries cannot be modified due to references by gateways or routers. [GH-22921]
• mesh: router + splitter + failover with retry now correctly failover for external services failover subsets through terminating gateways. [GH-23092]

v1.22.0 (Enterprise)

1.22.0+ent (October 24, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

SECURITY:

• connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
• security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
• security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
• security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
• security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

FEATURES:

• Added support to register a service in consul with multiple ports [GH-22769]
• agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
• install: Updated license information displayed during post-install
• ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
• oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

• security: Upgrade golang to 1.25.3. [GH-22926]
• ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
• ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
• ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]
• api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
• cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise
  http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise
  agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
• cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
• command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
• connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
• proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
• ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]
• ui: Replace yarn with pnpm for package management [GH-22790]
• ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [GH-22813]

BUG FIXES:

• ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
• ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
• ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]
• cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

v1.20.9 (Enterprise)

1.20.9 Enterprise (July 28, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

SECURITY:

• Update github.com/containerd/containerd to 1.7.3 [GH-10888]
• Bump Dockerfile base image to alpine:3.22. [GH-10872]
• build(deps): bump golang.org/x/sync from 0.12.0 to 0.15.0 [GH-10787]

v1.20.8 (Enterprise)

1.20.8 Enterprise (June 18, 2025)

This release is created to share the Consul Enterprise changelog and notify consumers of availability. The attached source and assets do not include Consul Enterprise code and should not be used in place of official Docker images or binaries.

SECURITY:

• security: Upgrade UBI base image version to address CVE
  CVE-2025-4802
  CVE-2024-40896
  CVE-2024-12243
  CVE-2025-24528
  CVE-2025-3277
  CVE-2024-12133
  CVE-2024-57970
  CVE-2025-31115 [GH-22409]
• cli: update tls ca and cert create to reduce excessive file perms for generated public files [GH-22286]
• connect: Added non default namespace and partition checks to ConnectCA CSR requests. [GH-22376]
• security: Upgrade Go to 1.23.10. [GH-22412]

IMPROVEMENTS:

• config: Warn about invalid characters in datacenter resulting in non-generation of X.509 certificates when using external CA for agent TLS communication. [GH-22382]

BUG FIXES:

• http: return a clear error when both Service.Service and Service.ID are missing during catalog registration [GH-22381]
• license: (Enterprise only) Fixed issue where usage metrics are not written to the snapshot to export the license data. [GH-10668]