infisical

v0.160.8 Security

This release includes 2 security fixes relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Topics

acme certificate-management cli environment-variables go node-js pki postgresql private-ca secrets-management secret-manager secret-scanning security security-tools typescript

Affected surfaces

auth rbac crypto_tls

ReleasePort's take

Moderate signal

The release patches a critical ACME order finalization bypass vulnerability in the PKI module and corrects project environment cleanup cron errors.

Why it matters: Severity 90 security fix prevents unauthorized certificate issuance; bugfix resolves recurring cleanup job failures that cause resource leaks. Patch immediately if using ACME or running cleanup jobs.

Summary

AI summary

Broad release touches feat, chore, fix, and pki.

Changes in this release

Security Critical

Prevents ACME order finalization bypass via duplicate identifiers.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Adds comprehensive PostHog telemetry events for feature gap coverage.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Adds support for DigiCert revocation status checks.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Adds soft delete functionality for environments.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Adds external email entries to secret-share audit logs.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Adds blind index support for secret values.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Adds enforceIdentityLimit flag to enforce identity limits regardless of plan.

Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Adds project access‑request tracking and migrates the project select page to v3 components.

Source: llm_adapter@2026-05-29

Confidence: high

Bugfix Medium

Fixes project environment cleanup cron errors.

Source: llm_adapter@2026-05-29

Confidence: high

Bugfix Medium

Invalidates project CA queries after certificate authority cert installation.

Source: llm_adapter@2026-05-29

Confidence: high

Full changelog

What's Changed

  • feat(telemetry): add comprehensive PostHog telemetry events for feature gap coverage by @devin-ai-integration[bot] in https://github.com/Infisical/infisical/pull/6539
  • feat: add support for DigiCert revocation status by @carlosmonastyrski in https://github.com/Infisical/infisical/pull/6587
  • fix(pki): prevent ACME order finalization bypass via duplicate identifiers by @saifsmailbox98 in https://github.com/Infisical/infisical/pull/6590
  • feat(pki): show disabled tabs and permission tooltips for non-member application viewers by @saifsmailbox98 in https://github.com/Infisical/infisical/pull/6615
  • chore: add upgrade impact for v0.160.7 by @github-actions[bot] in https://github.com/Infisical/infisical/pull/6614
  • feat(environments): add soft delete for environments by @adilsitos in https://github.com/Infisical/infisical/pull/6588
  • improvement(migrations): make migration history mismatch error actionable by @PrestigePvP in https://github.com/Infisical/infisical/pull/6623
  • fix(ci): assign upgrade-impact PR reviewer to current release author by @PrestigePvP in https://github.com/Infisical/infisical/pull/6627
  • feat(roles): redesign org roles page and better perm multiselect by @mathnogueira in https://github.com/Infisical/infisical/pull/6027
  • improvement(secret-share): add external emails on audit log by @adilsitos in https://github.com/Infisical/infisical/pull/6626
  • improvement(platfor-286): commit e2e package-lock for npm ci determinism by @PrestigePvP in https://github.com/Infisical/infisical/pull/6628
  • fix: project env cleanup cron errors by @varonix0 in https://github.com/Infisical/infisical/pull/6637
  • feat: display both org and project machine identities at org level by @Thiago-AS in https://github.com/Infisical/infisical/pull/6519
  • feat(kms): add ML-DSA post-quantum signing algorithms by @saifsmailbox98 in https://github.com/Infisical/infisical/pull/6609
  • fix: authorization check in certificate renewal path by @bernie-g in https://github.com/Infisical/infisical/pull/6625
  • chore: better vault connection error logs by @varonix0 in https://github.com/Infisical/infisical/pull/6655
  • feat: add enforceIdentityLimit flag to enforce identity limits regardless of plan by @PrestigePvP in https://github.com/Infisical/infisical/pull/6633
  • chore: increase max group names and slugs to 255 by @varonix0 in https://github.com/Infisical/infisical/pull/6656
  • docs(gateway): update systemd service naming docs by @bernie-g in https://github.com/Infisical/infisical/pull/6624
  • improvement(secret-sync): revamp search project and group on gitlab by @adilsitos in https://github.com/Infisical/infisical/pull/6612
  • feat: update docs about the kubernetes operator by @mathnogueira in https://github.com/Infisical/infisical/pull/6603
  • fix: invalidate project CAs query after CA cert install by @bernie-g in https://github.com/Infisical/infisical/pull/6668
  • improvement: move secret validation rules to secrets management settings by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6636
  • fix: revert unintentional variant switch changes by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6630
  • feat: add project access request tracking and migrate project select page to v3 components by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6658
  • feat: added secret value blind index support by @akhilmhdh in https://github.com/Infisical/infisical/pull/6585
  • docs: remove outdated emergency kit section from email-password auth by @devin-ai-integration[bot] in https://github.com/Infisical/infisical/pull/6672
  • feat: switched to new go server by @akhilmhdh in https://github.com/Infisical/infisical/pull/6611
  • feat: add checks to ensure scope retains at least one admin on membership mutation by @scott-ray-wilson in https://github.com/Infisical/infisical/pull/6661
  • chore: revert audit log stream alerts by @Thiago-AS in https://github.com/Infisical/infisical/pull/6675

Full Changelog: https://github.com/Infisical/infisical/compare/v0.160.7...v0.160.8

Security Fixes

  • Prevent ACME order finalization bypass via duplicate identifiers in PKI
  • Fix authorization check in certificate renewal path

About infisical

Infisical is the open-source platform for secrets, certificates, and privileged access management.
