This release includes 1 breaking change for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
ReleasePort's take
Moderate signal: The shared GitHub App host must now be set via the INF_APP_CONNECTION_GITHUB_APP_HOST environment variable.
Why it matters: This breaking change requires updating configuration for all deployments using a shared GitHub App; failure to set the new variable will prevent the app from connecting.
Summary
AI summary: Broad release touches Impact, feat, fix, and improvement. Breaking: INF_APP_CONNECTION_GITHUB_APP_HOST environment variable now mandates a single host for the shared GitHub App; client‑provided
Changes in this release
| Type | Severity | Summary | Source | Confidence | CVE |
|---|---|---|---|---|---|
| Breaking | High | Shared GitHub App host now bound to INF_APP_CONNECTION_GITHUB_APP_HOST environment variable. | llm_adapter@2026-06-11 | low | — |
| Feature | Medium | Allow multiple GitHub Apps per organization. | llm_adapter@2026-06-11 | high | — |
| Feature | Medium | Add Infisical OAuth 2.0 support. | llm_adapter@2026-06-11 | high | — |
| Feature | Medium | Detect duplicate secret values in Secrets Insight. | llm_adapter@2026-06-11 | high | — |
| Feature | Low | Enable dynamic secrets and rotations support via validation rules. | granite4.1:30b@2026-06-11-audit | low | — |
| Feature | Low | Implement convex secret rotation functionality. | granite4.1:30b@2026-06-11-audit | low | — |
| Feature | Low | Migrate general, product, and security settings tabs to v3 UI and update org settings title based on tab. | granite4.1:30b@2026-06-11-audit | low | — |
| Feature | Low | Hide all‑projects view from users lacking request‑access permission. | granite4.1:30b@2026-06-11-audit | low | — |
| Bugfix | Medium | Fix telemetry to attach orgId as flat property on aggregated events. | llm_adapter@2026-06-11 | high | — |
| Bugfix | Medium | Use gateway when interacting with private GitHub Enterprise Server. | llm_adapter@2026-06-11 | high | — |
| Bugfix | Medium | Enforce admin/member-only roles for cert-manager and default to member role. | granite4.1:30b@2026-06-11-audit | high | — |
| Bugfix | Medium | Fix application list to show no more than 20 entries. | llm_adapter@2026-06-11 | low | — |
| Bugfix | Low | Clean up app permissions when entities are removed. | granite4.1:30b@2026-06-11-audit | high | — |
| Bugfix | Low | Group PKI Sync telemetry aggregation by destination for cleaner PostHog breakdowns. | granite4.1:30b@2026-06-11-audit | high | — |
| Bugfix | Low | Limit application list to a maximum of 20 entries. | granite4.1:30b@2026-06-11-audit | high | — |
| Refactor | Low | Migrate toast component to v3, improve behavior, add stories and UI updates. | granite4.1:30b@2026-06-11-audit | low | — |
| Refactor | Low | Migrate create service token modal to v3 components and sheet UI. | granite4.1:30b@2026-06-11-audit | low | — |
Full changelog
⚠️ Breaking Change: Shared GitHub App Host Configuration
Affected Deployments
This change affects self-hosted deployments where the shared GitHub App (INF_APP_CONNECTION_GITHUB_APP_*) is registered on a GitHub Enterprise Server (GHES) instance rather than github.com.
The shared GitHub App is now bound to a single, server-configured host through the INF_APP_CONNECTION_GITHUB_APP_HOST environment variable.
Previously, the host could be supplied by the client during the OAuth or installation exchange. The backend now ignores any client-provided host for the shared GitHub App and always uses INF_APP_CONNECTION_GITHUB_APP_HOST, defaulting to github.com when the variable is not set.
This change improves security by preventing clients from redirecting the OAuth exchange to an arbitrary GitHub host and potentially exposing the shared app's client secret.
Impact
GitHub.com Deployments
No action is required. If INF_APP_CONNECTION_GITHUB_APP_HOST is not set, the application defaults to github.com and behavior remains unchanged.
GitHub Enterprise Server (GHES) Deployments
If your shared GitHub App is registered on a GHES instance, you must configure INF_APP_CONNECTION_GITHUB_APP_HOST with your GHES hostname.
If this variable is not configured, the shared GitHub App will resolve to github.com, causing GitHub App connection flows against your GHES instance to fail.
Required Action
Add the following environment variable to your backend configuration:
INF_APP_CONNECTION_GITHUB_APP_HOST=github.example.com
Replace github.example.com with the hostname of the GitHub instance where your shared GitHub App is registered.
Leave this variable unset if your shared GitHub App is registered on github.com.
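The host binding and the upgrade check described above, as an added example (not Infisical's code): it contrasts a client-supplied host with the server-bound host and flags a GHES deployment that would silently resolve to github.com. The function names, the strict hostname validation and the sample hosts are assumptions made for illustration.

```javascript
// Added example: names below are hypothetical, not Infisical's source.
const DEFAULT_HOST = "github.com";

// Assumed validation: bare hostname with optional port; no scheme, path, userinfo.
function normalizeHost(value) {
  const host = String(value).trim().toLowerCase();
  if (!/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?$/.test(host)) {
    throw new Error(`invalid INF_APP_CONNECTION_GITHUB_APP_HOST: ${value}`);
  }
  return host;
}

// Pre-upgrade pattern: a host taken from the request picks the exchange target.
function resolveHostLegacy(env, clientHost) {
  return clientHost ? normalizeHost(clientHost) : DEFAULT_HOST;
}

// Post-upgrade behavior described above: clientHost is accepted but never read.
function resolveHostBound(env, _clientHost) {
  const configured = env.INF_APP_CONNECTION_GITHUB_APP_HOST;
  return configured ? normalizeHost(configured) : DEFAULT_HOST;
}

// The code-for-token POST carries client_secret, so this URL must be trusted.
function tokenExchangeUrl(host) {
  return `https://${host}/login/oauth/access_token`;
}

// Upgrade check: does the server-side host match where the app is registered?
function checkUpgrade(env, registeredHost) {
  const resolved = resolveHostBound(env);
  const expected = normalizeHost(registeredHost);
  return resolved === expected
    ? { ok: true, resolved }
    : { ok: false, resolved, fix: `INF_APP_CONNECTION_GITHUB_APP_HOST=${expected}` };
}

// Constructed sample values (not from any real deployment).
const ghesEnv = { INF_APP_CONNECTION_GITHUB_APP_HOST: "github.example.com" };
const requestHost = "ghes.unrelated.example";
console.log(tokenExchangeUrl(resolveHostLegacy({}, requestHost)));
console.log(tokenExchangeUrl(resolveHostBound(ghesEnv, requestHost)));
console.log(checkUpgrade({}, "github.example.com"));
```

Running `checkUpgrade` against the environment of each backend before the upgrade shows which GHES deployments still need the variable.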
What's Changed
- chore: revert "add kmip client registration with CSR" by @sheensantoscapadngan in https://github.com/Infisical/infisical/pull/6778
- feat: allow multiple git hub apps per organization by @Thiago-AS in https://github.com/Infisical/infisical/pull/6490
- feat(validation-rules): dynamic secrets and rotations support by @varonix0 in https://github.com/Infisical/infisical/pull/6773
- fix(cert-manager): default to member role and enforce admin/member-only by @saifsmailbox98 in https://github.com/Infisical/infisical/pull/6761
- fix: clean up app permissions when entities are removed by @carlosmonastyrski in https://github.com/Infisical/infisical/pull/6744
- fix(telemetry): group PKI Sync aggregation by destination for clean PostHog breakdowns by @devin-ai-integration[bot] in https://github.com/Infisical/infisical/pull/6786
- docs(ansible): add warning for token visibility in login task by @victorvhs017 in https://github.com/Infisical/infisical/pull/6789
- fix(e2e): seed standing admin in gamma e2e org by @PrestigePvP in https://github.com/Infisical/infisical/pull/6785
- improvement(router): change route creation to avoid memory stack exceeded error by @adilsitos in https://github.com/Infisical/infisical/pull/6784
- fix: pki application members have to be product users to be added to an app by @carlosmonastyrski in https://github.com/Infisical/infisical/pull/6750
- feat: convex secret rotation by @mathnogueira in https://github.com/Infisical/infisical/pull/6730
- feat: migrate general, product and security settings tabs to v3 and update org settings title based on tab by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6753
- improvement: migrate toast to v3, improve behavior, add stories and u… by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6760
- feat: add Infisical OAuth 2.0 support by @Thiago-AS in https://github.com/Infisical/infisical/pull/6772
- feat: improvements in checks by @akhilmhdh in https://github.com/Infisical/infisical/pull/6798
- ci: disable preview environment workflow by @devin-ai-integration[bot] in https://github.com/Infisical/infisical/pull/6799
- feat: added go shadowing by @akhilmhdh in https://github.com/Infisical/infisical/pull/6751
- fix(telemetry): attach orgId as flat property on aggregated events by @devin-ai-integration[bot] in https://github.com/Infisical/infisical/pull/6800
- docs(eng-5200): document domain in .infisical.json and INFISICAL_DOMAIN by @PrestigePvP in https://github.com/Infisical/infisical/pull/6797
- improvement: improve toast validation/forbid modal handling and update forbid modal UI by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6801
- feat(kmip): remove machine identities from KMIP server registration by @bernie-g in https://github.com/Infisical/infisical/pull/6740
- feat(frontend): hide all-projects view from users without request-access permission by @PrestigePvP in https://github.com/Infisical/infisical/pull/6774
- feat(secrets-insight): detect duplicate secret values by @mathnogueira in https://github.com/Infisical/infisical/pull/6747
- fix: use gateway in case of private GHE server by @Thiago-AS in https://github.com/Infisical/infisical/pull/6803
- improvement: migrate create service token modal to v3 components and sheet by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6804
- fix: application list shows not more than 20 entries by @carlosmonastyrski in https://github.com/Infisical/infisical/pull/6792
Full Changelog: https://github.com/Infisical/infisical/compare/v0.160.12...v1.0.0
Breaking Changes
- INF_APP_CONNECTION_GITHUB_APP_HOST environment variable now mandates a single host for the shared GitHub App; client‑provided hosts are ignored, defaulting to github.com when unset.
About infisical
Infisical is the open-source platform for secrets, certificates, and privileged access management.