infisical

v0.159.29 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 19d Secrets & Credentials
✓ No known CVEs patched in this version

Topics

acme certificate-management cli environment-variables go node-js pki postgresql private-ca secrets-management secret-manager secret-scanning security security-tools typescript

Affected surfaces

auth rbac

ReleasePort's take

Moderate signal
editorial:auto 9d

The release removes reviewer read permission on closed approval requests.

Why it matters: Affects access control for reviewers; operators must verify compliance with internal policy after upgrade to v0.159.29.

Summary

AI summary

Removed reviewer read permission on closed approval requests.

Changes in this release

Security Medium

Privilege boundary check added to org membership updates (SEC-4)

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Oracle DB access support added for pam

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Audit log for group operations added

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Memory DB (valkey) support added for dynamic secrets

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Rotation for Datadog service account added in secret-rotation

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Gateway pool support across remaining platform areas added

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Verification button added for secret rotation

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Distributed cron job system with Redis-backed scheduling added to backend

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Enrollment flow support added to Helm chart and Kubernetes docs (gateway)

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Browser RDP session replay player added for pam-rdp

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Audit log created for honey token triggers

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Secret insights page added to documentation

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Lock added and SCIM endpoint made idempotent

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Updated conditional checks implemented

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Missing snapshot index and chunk deletion added in cleanup

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

TLS hostname probe run for all SSL Oracle connections in pam-oracle

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

HoneyTokenTriggered event made anonymous for self-hosted privacy

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

OIDC upgrade modal updated to reference enterprise plan, not pro

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Service token privilege escalation prevented via action and scope checks (API)

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Dropdown v2 z index bumped

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Whether the vault migration config uses a gateway is now passed correctly

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Secret key URL-encoded in API request paths (frontend)

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Default ports defined for https when not specified (vault)

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

BullBoard section added to developing docs for queue management

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

Clarified FIPS encryption key requirements in encryptionkey docs

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

Verbose announcement logs added

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

GitHub workflow dependencies pinned

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

Testing skill added for secrets management UI

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

Buildkit used for standalone contentful generation

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

What's Changed

  • chore: add upgrade impact for v0.159.28 by @maidul98 in https://github.com/Infisical/infisical/pull/6396
  • feat(pam): add Oracle DB access support by @saifsmailbox98 in https://github.com/Infisical/infisical/pull/6134
  • feat: updated some conditional checks by @akhilmhdh in https://github.com/Infisical/infisical/pull/6401
  • feat: more updates by @akhilmhdh in https://github.com/Infisical/infisical/pull/6402
  • docs(bullmq): add BullBoard section to developing documentation for queue management by @victorvhs017 in https://github.com/Infisical/infisical/pull/6389
  • docs(encryptionkey): clarify FIPS encryption key requirements by @jakehulberg in https://github.com/Infisical/infisical/pull/6346
  • improvement: add verbose announcement logs by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6393
  • docs: add secret insights page by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6392
  • feat: added audit log to group operation by @akhilmhdh in https://github.com/Infisical/infisical/pull/6386
  • fix(pam-oracle): run TLS hostname probe for all SSL Oracle connections by @saifsmailbox98 in https://github.com/Infisical/infisical/pull/6398
  • chore(release): v0.159.24 update description by @victorvhs017 in https://github.com/Infisical/infisical/pull/6415
  • fix: mark password recovery token as consumed by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6412
  • improvement: always show environment selection when creating secrets by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6395
  • chore(api): add migration to clean empty strings on k8 auth ca certs by @Thiago-AS in https://github.com/Infisical/infisical/pull/6413
  • docs(honey): add walkthrough video to honey tokens overview by @jakehulberg in https://github.com/Infisical/infisical/pull/6427
  • fix: make saml issuer required on saml form by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6434
  • chore: pin github workflow dependencies by @varonix0 in https://github.com/Infisical/infisical/pull/6435
  • fix: scope identity access token revocation (PLATFOR-358/359) by @PrestigePvP in https://github.com/Infisical/infisical/pull/6417
  • chore(api): create short lived token in key value store for email sign up by @Thiago-AS in https://github.com/Infisical/infisical/pull/6419
  • improvement: add tooltip to overview environment cols/items and give each more default width by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6418
  • fix: make scoped identity access token revocation lookup sargable + partial index by @PrestigePvP in https://github.com/Infisical/infisical/pull/6440
  • improvement: bump project max length and add missing validation / update existing validation by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6438
  • feat: removed reviewer read permission for approval once approval request has closed by @akhilmhdh in https://github.com/Infisical/infisical/pull/6436
  • feat(telemetry): suppress PostHog person creation for anonymous public secret shares by @devin-ai-integration[bot] in https://github.com/Infisical/infisical/pull/6391
  • fix(certificate-manager): save organizational unit and other subject fields in PKI certificates by @saifsmailbox98 in https://github.com/Infisical/infisical/pull/6433
  • chore(api): memoize userDAL.findById on requests and where no mutation occurs by @Thiago-AS in https://github.com/Infisical/infisical/pull/6453
  • feat(dynamic-secrets): added memory db (valkey) support by @varonix0 in https://github.com/Infisical/infisical/pull/6405
  • feat(secret-rotation): add rotation for datadog service account by @adilsitos in https://github.com/Infisical/infisical/pull/6416
  • fix: update oidc upgrade modal to reference enterprise plan, not pro by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6456
  • fix(sec-4): add privilege boundary check to org membership updates by @PrestigePvP in https://github.com/Infisical/infisical/pull/6437
  • fix: make HoneyTokenTriggered event anonymous for self-hosted privacy by @devin-ai-integration[bot] in https://github.com/Infisical/infisical/pull/6459
  • feat: add gateway pool support across remaining platform areas by @saifsmailbox98 in https://github.com/Infisical/infisical/pull/6285
  • feat(secret-rotation): add verification button by @adilsitos in https://github.com/Infisical/infisical/pull/6372
  • feat(backend): add distributed cron job system with Redis-backed scheduling by @victorvhs017 in https://github.com/Infisical/infisical/pull/6442
  • fix: bump dropdown v2 z index by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6464
  • feat(gateway): add enrollment flow support to Helm chart and re-add Kubernetes docs by @bernie-g in https://github.com/Infisical/infisical/pull/6422
  • feat(pam-rdp): browser RDP session replay player by @bernie-g in https://github.com/Infisical/infisical/pull/6351
  • fix: pass whether the vault migration config is using a gateway or not by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6465
  • feat: create audit log for honey token triggers by @mathnogueira in https://github.com/Infisical/infisical/pull/6457
  • fix: add missing snapshot index and chunk deletion in cleanup by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6468
  • chore: add testing skill for secrets management UI by @devin-ai-integration[bot] in https://github.com/Infisical/infisical/pull/6476
  • fix(frontend): url-encode secret key in API request paths by @devin-ai-integration[bot] in https://github.com/Infisical/infisical/pull/6475
  • fix(api): prevent service token privilege escalation via action and scope checks by @victorvhs017 in https://github.com/Infisical/infisical/pull/6443
  • fix(vault): define default ports for https when not defined by @adilsitos in https://github.com/Infisical/infisical/pull/6477
  • improvement: use buildkit for standalone contentful generation by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6478
  • feat: added lock and made scim endpoint idempotent by @akhilmhdh in https://github.com/Infisical/infisical/pull/6471
  • docs: update RBAC documentation with accurate built-in roles and new screenshots by @devin-ai-integration[bot] in https://github.com/Infisical/infisical/pull/6383

New Contributors

  • @Thiago-AS made their first contribution in https://github.com/Infisical/infisical/pull/6413

Full Changelog: https://github.com/Infisical/infisical/compare/v0.159.28...v0.159.29

Breaking Changes

  • Removed reviewer read permission for approval requests once the request has been closed.

About infisical

Infisical is the open-source platform for secrets, certificates, and privileged access management.
