Vault
Important changes
Last updated: 2026-04-10
Always review important or breaking changes and remediation recommendations before upgrading Vault.
Breaking changes
Precedence change for Azure authentication
| Change | Affected version | Vault edition |
|---|---|---|
| Breaking | 2.0.0+ | All |
Azure auth now gives values set in auth/azure/config
precedence over AZURE_* environment variables.
Recommendation
Review any deployments where you rely on environment variables to confirm whether they currently override stored configuration and update the plugin configuration to your preferred behavior.
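The review above can be scripted. The following is an added example, not HashiCorp code: it compares the stored Azure auth configuration with the Vault server's AZURE_* variables and classifies what happens to each one on 2.0.0+. The mapping of variable names to config fields, the treatment of client_secret as unreadable, and the fallback to the environment when a field is unset are assumptions to verify against your plugin version.

```python
# Added example, not HashiCorp code. The env-var-to-field mapping and the
# fallback to the environment when a stored field is unset are assumptions.
ENV_TO_FIELD = {
    "AZURE_TENANT_ID": "tenant_id",
    "AZURE_CLIENT_ID": "client_id",
    "AZURE_CLIENT_SECRET": "client_secret",
    "AZURE_ENVIRONMENT": "environment",
}
# Assumed not to be returned by a config read, so it cannot be compared.
WRITE_ONLY = {"client_secret"}


def upgrade_impact(stored, env):
    """Classify each AZURE_* variable by what happens to it on 2.0.0+.

    stored: the "data" object from `vault read -format=json auth/azure/config`
    env:    environment of the Vault server process (name -> value)
    """
    report = {}
    for var, field in ENV_TO_FIELD.items():
        env_val = env.get(var, "")
        if not env_val:
            continue  # variable not set: nothing overrides stored config today
        cfg_val = stored.get(field, "")
        if field in WRITE_ONLY:
            report[var] = "verify-manually"  # stored value is not readable
        elif not cfg_val:
            report[var] = "env-still-used"   # no stored value to take precedence
        elif cfg_val == env_val:
            report[var] = "no-change"        # both sources agree
        else:
            report[var] = "stored-wins"      # effective value changes on upgrade
    return report


if __name__ == "__main__":
    # Constructed sample data; the IDs are placeholders, not real tenants.
    stored = {"tenant_id": "tenant-from-config", "client_id": "",
              "environment": "AzurePublicCloud"}
    env = {"AZURE_TENANT_ID": "tenant-from-env",
           "AZURE_CLIENT_ID": "client-from-env",
           "AZURE_CLIENT_SECRET": "constructed-secret",
           "AZURE_ENVIRONMENT": "AzurePublicCloud"}
    for var, status in upgrade_impact(stored, env).items():
        print(f"{var}: {status}")
```

Any variable reported as stored-wins is one where the mount will start using a different value after the upgrade.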
Previously unauthenticated endpoints require authentication Enterprise
| Change | Affected version | Vault edition |
|---|---|---|
| Breaking | 2.0.0+ | All |
Vault now authenticates the following endpoint families to prevent attackers from sending key-update requests with bogus key fragments with the aim of preventing legitimate use of the endpoints:
Previous versions only required seal or recovery keys to be provided for authentication. Authenticating to the affected endpoints now requires seal/recovery key fragments and a valid Vault token.
Recommendation
Modify callers of these endpoints to always provide a valid Vault token.
If you must continue to use the endpoints unauthenticated, set the
enable_unauthenticated_access configuration parameter to provide backward
compatibility with existing clients. Note that the reason for this change is
to prevent an attacker from taking advantage of these endpoints being
unauthenticated by sending key-update requests with bogus key fragments, which
prevents legitimate use.
New behavior
LDAP static role rotation migrates to a centralized automated rotation system Enterprise
| Change | Affected version | Vault edition |
|---|---|---|
| New behavior | 2.0.0+ | Enterprise |
For existing LDAP static roles, Vault Enterprise migrates the associated credential rotation period from the LDAP plugin to the central rotation manager during plugin initialization. During migration, rotation timing may shift slightly. You can track migration status in the LDAP static role migration API.
After migration completes, Vault no longer retries static role credential rotation every 10 seconds indefinitely. Vault uses exponential backoff and stops retrying after it reaches the retry limit configured on the role.
Configuration for IBM Passport Advantage Online license keys Enterprise
| Change | Affected version | Vault edition |
|---|---|---|
| New behavior | 2.0.0+ | Enterprise |
Vault Enterprise customers who use a license key issued by IBM Passport
Advantage Online must add a license_entitlement configuration to their Vault
nodes. Refer to IBM Passport Advantage Online license keys for more information.
DR secondaries now accept root tokens from the primary Enterprise
| Change | Affected version | Vault edition |
|---|---|---|
| New behavior | 2.0.0+ | Enterprise |
Vault now allows authentication against secondary DR nodes with a root token
generated on the primary. Previous versions of Vault only allowed requests
against secondary nodes to authenticate using a batch token or DR operation
token created by sys/replication/dr/secondary/generate-operation-token.
Known issues
Okta SCIM group membership removal does not revoke Vault group access Enterprise
| Change | Affected version | Fixed version |
|---|---|---|
| Known issue | 2.0.0 | None |
Vault Enterprise exposes SCIM as a beta feature in Vault 2.0.0. When you use
Okta Group Push with Vault SCIM, removing a user from an Okta group does not
remove that user from the corresponding Vault group. Okta sends a SCIM PATCH
request for member removal that Vault 2.0.0 does not support. As a result, the
user remains in the Vault group and retains any policies that the group grants.
Recommendation
As a workaround, unlink and relink the Okta push group to recreate the corresponding Vault group with the intended membership.
Root token KV access blocked by EGP policy Enterprise
| Change | Status | Vault edition | Affected version | Fixed version |
|---|---|---|---|---|
| Known issue | Open | Enterprise | 2.0.0 | No |
Issue
If you use a root token in the Vault GUI to access a child namespace protected by an Endpoint Governing Policy (EGP), Vault may deny the request unexpectedly.
The unexpected rejection affects GUI flows that call
sys/internal/ui/mounts with a namespace header. In affected cases, the GUI
shows a permission denied error even though root tokens typically bypass
Sentinel policy checks. Equivalent CLI and API workflows are unaffected.
Workaround
Use the CLI or API for the affected workflow.
If you require GUI access for an expected workflow, update the EGP policy logic to explicitly allow
requests to sys/internal/ui/mounts for the affected namespace.
Sidebar menu reloads on engine-scoped pages
| Change | Status | Vault edition | Affected version | Fixed version |
|---|---|---|---|---|
| Known issue | Open | All | 2.0.0 | No |
Issue
On some engine-scoped GUI routes, the Vault sidebar can briefly render the wrong menu or reload during navigation before settling on the correct section.
The menu flicker is most noticeable on subpages like the Custom messages page under Operational tools, and secret-detail routes. The flicker occurs during page transitions and does not affect the underlying operation.
Recommendation
Continue with the affected workflow after the page finishes loading and the sidebar settles into the correct state.
Secrets Engines items-per-page change can hide results
| Change | Status | Vault edition | Affected version | Fixed version |
|---|---|---|---|---|
| Known issue | Open | All | 2.0.0 | No |
Issue
Changing the number of items per page on the Secrets Engines page in the Vault GUI from anything other than the first page of results can leave the table empty even when the item count indicates available results.
For example, if a user starts on page 3 with 5 results per page and then increases the page size to 25, the list view still only shows the 5 original results. The empty display table is strictly a cosmetic issue and does not affect the underlying mounts.
Workaround
Return to page 1 before increasing Items per page.
If the table still appears empty after changing the page size, refresh the page and retry the action from the first results page.