vault

Update docker.io/hashicorp/vault Docker tag to v2.0.1

Michi Kofler-Häusler

Michi Kofler-Häusler

4 min read
Share
Update docker.io/hashicorp/vault Docker tag to v2.0.1
Photo by Stefan Steinbauer / Unsplash

No problems upgrading the Hashicorp Vault Docker container with a Docker compose yaml file within Portainer and by means of Portainer DevOps resp. GitOps with dependency update facilitated by Mend's Renovate Bot.

This MR contains the following updates:

Package Update Change
docker.io/hashicorp/vault patch 2.0.02.0.1

Release Notes

hashicorp/vault (docker.io/hashicorp/vault)

v2.0.1

Compare Source

May 19, 2026

BREAKING CHANGES:

  • containers: set cap_ipc_lock capability on vault at build time. Container runtimes will need to add IPC_LOCK capabilities when running the vault container.

SECURITY:

  • api: Update golang.org/x/net to resolve GO-2026-4918"
  • core/identity: reject wildcards in rendered identity templates
  • core: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
  • core: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
  • core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
  • core: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
  • core: Update golang.org/x/net to resolve GO-2026-4918"
  • core: Validate both path and file_path cannot be empty for requests to sys/audit/{path}
  • sdk: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
  • sdk: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
  • sdk: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
  • sdk: Update golang.org/x/net to resolve GO-2026-4918"

CHANGES:

  • auth/jwt: Update plugin to v0.26.3
  • core: Bump Go version to 1.26.3
  • identity: Require sudo capability to invoke the identity entity merge API endpoint (identity/entity/merge).
  • secrets/azure: Update plugin to v0.26.2+ent
  • secrets/openldap: Update plugin to v0.18.1+ent

FEATURES:

  • Billing metrics dashboard: Create a new billing dashboard with responsive layout to display metric data.
  • Secrets Sync UI: Added Workload Identity Federation (WIF) support in the UI for AWS, Azure, and GCP sync destinations

IMPROVEMENTS:

  • api: Add start_month and end_month parameters to /sys/billing/overview endpoint to allow querying billing data for specific time ranges.
  • api: Add migration_done_at_epoch to sys/seal-status response.
  • consumption-billing: Add billing tracking for OS Local Account static roles to support consumption-based billing metrics and high-water mark (HWM) tracking.
  • consumption-billing: Added consumption billing metrics for OIDC tokens.
  • consumption-billing: Added consumption billing metrics for PKI External CA certificates.
  • consumption-billing: Added consumption billing metrics for SPIFFE JWT tokens.
  • consumption-billing: Enabled sys/billing/overview endpoint in admin namespace.
  • consumption-billing: Float64 values returned by sys/billing/overview are now rounded to 4 decimal places.
  • consumption-billing: Increased billing data retention from 2 months to 37 months. The /sys/internal/billing/overview API endpoint now returns 37 months of historical consumption billing data by default.
  • consumption-billing: The /sys/internal/billing/overview API endpoint now always returns all metric types in the response, even when their values are zero. This ensures consistent response structure for easier client-side parsing.
  • core (Enterprise): Sanitized config now shows kms_library config.
  • core/seal (enterprise): Make it possible for new nodes to join a cluster configured with Seal High Availability.
  • scim: The SCIM Group PATCH handler now supports the path field in the form members[value eq "id"] on remove operations.
  • sdk: Expand support for docker test cluster options like seals, kms libraries, and entropy augmentation. DockerClusterNode.UpdateConfig now takes a full set of cluster options instead of just node config.
  • sdk: add WIF and rotation helpers for checking if params were updated to allow
    the consumer to know when changes need to be persisted to storage
  • secrets/pki (enterprise): Allow SCEP to use an issuer that is backed by an RSA based PKCS#11 managed key
  • secrets/transit: Change to using Trail of Bits libraries for PQC signature implementation in Transit
  • ui/dashboard: Reorganized dashboard widgets to improve layout and usability. Updated widgets to use HDS table components for better consistency. Enhanced the Quick Actions card with frequently used links alongside existing actions.
  • ui: Set pagination size to 10 for custom messages list view and toggle the "Apply filters" button visibility based on filter selection.
  • ui: Update copy on merge entities page to specify entity ID is the required data input when merging entities.
  • ui: add validations to the ACL visual policy editor to prevent it from saving policies with empty paths or capabilities.

BUG FIXES:

  • auth/aws: fix bug where rotation and wif config updates were not persisted to storage
  • client/ocsp: Adds a grace period to renew the cached entry for OCSP response.
  • core: Fix failure to detect errors during storage writes of totp keys.
  • database/mssql: Fix "sysadmin" requirement during lease revocation by replacing the undocumented sp_msloginmappings procedure with a granular metadata query. This allows the plugin to function with VIEW ANY DEFINITION instead of full sysadmin privileges.
  • database/mssql: Fix dynamic secret revocation by executing custom statements as a single batch instead of splitting on semicolons
  • database/snowflake: Fix WAL rollback issue for key-pair root credential rotation.
  • database: prevent static role rotation and connection init from hanging indefinitely when database calls block by adding timeouts around UpdateUser and Initialize
  • events (enterprise): Fix panic when replicating lease events.
  • go-plugin: Upgrade go-plugin to fix a bug where file descriptors could be leaked when spawning external plugins
  • identity: fixed a rare but possible data race issue with identities.
  • sdk: Small bugfixes relating to docker test container cleanup and image building.
  • secrets-sync (enterprise): Fix destination PATCH handling for WIF identity_token_ttl normalization and GCP service_account_email decoding.
  • secrets/kmip (enterprise): Address a nil pointer within the invalidation handler for managed objects.
  • secrets/ldap: enable proper license checking on 'openldap' plugin alias. This enables enterprise features when configuring mounts with the 'openldap' alias.
  • secrets/pki (enterprise): Fix SCEP nonce logging in audit data.
  • secrets/pki (enterprise): Include root CA in chain for CIEPS endpoints when root is the direct issuer, unless remove_roots_from_chain is true.
  • secrets/pki: Remove invalid value from the supported list of ACME algorithms.
  • ui: Add name field validation to LDAP create and edit roles forms.
  • ui: Fix LDAP hierarchical role navigation in UI
  • ui: Fix entities page to show success message after successfully editing an entity.
  • ui: Fix secrets to secrets-engines redirect for bookmarked URLs.
  • ui: Fixed custom messages list to display the expiration time on Inactive message badges.
  • ui: Fixed sidebar navigation animation issues
  • ui: Restore re-sizable columns for secrets and namespaces tables.
  • ui: Update DR operation token generation to accept a primary root token for authentication.
  • ui: Update KV max_version validation to disallow negative values.

Read more

Me on Mastodon - This link is here for verification purposes.