teleport

v17.7.24 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 1d Network Security

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

audit bastion certificate cluster database-access firewall

+13 more

firewalls go jumpserver kubernetes kubernetes-access pam postgresql rbac rdp security ssh teleport teleport-binaries

Affected surfaces

auth deps

ReleasePort's take

Light signal

editorial:auto 1d

Teleport v17.7.24 fixes installer script escaping, terminal logging, Azure join with extra certs, device‑trust failures, Amazon Keyspaces TLS errors, LDAP discovery conflicts, login error messaging, app‑access header caps, Go runtime bump, and macOS VNet reconnects.

Why it matters: Addresses critical bugs affecting deployments (installer scripts, Azure joins, database connectivity) and improves performance; all fixes have severity 40 in the release notes.

Summary

AI summary

Broad release touches Description, https://github.com/gravitational/teleport/pull/67192, https://github.com/gravitational/teleport/pull/67173, and https://github.com/gravitational/teleport/pull/67140.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Hardens event handler to recover from malformed session IDs or corrupted data directories. Hardens event handler to recover from malformed session IDs or corrupted data directories. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Feature	Medium	Enterprise licenses with device‑trust limits can now enroll unlimited devices. Enterprise licenses with device‑trust limits can now enroll unlimited devices. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Dependency	Low	Updates Go runtime to version 1.25.10. Updates Go runtime to version 1.25.10. Source: llm_adapter@2026-06-02 Confidence: high	—
Performance
Performance	Medium	Raises app‑access upstream response‑header cap from 5 minutes to 1 hour for long HTTP requests. Raises app‑access upstream response‑header cap from 5 minutes to 1 hour for long HTTP requests. Source: llm_adapter@2026-06-02 Confidence: high	—
Performance	Medium	Improves macOS VNet performance by eliminating unnecessary reconnects. Improves macOS VNet performance by eliminating unnecessary reconnects. Source: llm_adapter@2026-06-02 Confidence: high	—
Performance	Low	Improves Teleport Connect startup reliability on Windows. Improves Teleport Connect startup reliability on Windows. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix
Bugfix	Medium	Fixes installer script special‑character escaping issues. Fixes installer script special‑character escaping issues. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Medium	Prevents last terminal input from being logged to renderer.log on session drop. Prevents last terminal input from being logged to renderer.log on session drop. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Medium	Allows Azure join method to work when trust chain includes extra intermediate certificates. Allows Azure join method to work when trust chain includes extra intermediate certificates. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Medium	Resolves device‑trust failures for remote users connecting to trusted clusters. Resolves device‑trust failures for remote users connecting to trusted clusters. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Medium	Corrects TLS certificate error blocking Amazon Keyspaces database connections via Teleport. Corrects TLS certificate error blocking Amazon Keyspaces database connections via Teleport. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Medium	Prevents Windows desktop LDAP discovery conflicts that remove hosts from the cluster. Prevents Windows desktop LDAP discovery conflicts that remove hosts from the cluster. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Medium	Improves login error message when /webapi/ping returns non‑200. Improves login error message when /webapi/ping returns non‑200. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Low	Reduces unnecessary S3 uploads for Athena audit log deployments publishing directly to SQS. Reduces unnecessary S3 uploads for Athena audit log deployments publishing directly to SQS. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Fixes app access dropping URL fragments during auth redirect flow. Fixes app access dropping URL fragments during auth redirect flow. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Allows host sudoers entries to be written on newer Linux distributions using sudo‑rs (e.g., Ubuntu 25.10). Allows host sudoers entries to be written on newer Linux distributions using sudo‑rs (e.g., Ubuntu 25.10). Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Prevents LDAP discovery failures when discovering large numbers of hosts. Prevents LDAP discovery failures when discovering large numbers of hosts. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Fixes rare input swallowing bug when resuming moderated Node sessions. Fixes rare input swallowing bug when resuming moderated Node sessions. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Resolves possible unavailability of Proxy service instances caused by certain API errors. Resolves possible unavailability of Proxy service instances caused by certain API errors. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—

Full changelog

Description

Fixed an issue where generated installer scripts could incorrectly escape special characters in some values. #67192
Fixed a bug in Teleport Connect where the last terminal input could be logged to renderer.log if the terminal closed on its own — for example, when a tsh ssh session is dropped by the remote side (idle timeout, network disconnection) after the user pasted content but before they pressed Enter. #67173
Fixes an issue preventing joins using the azure join method in regions where the trust chain has been updated with an additional intermediate. #67140
Fix device trust for remote users connecting to a trusted cluster. #67032
Fixed a TLS certificate error that prevented users from connecting to Amazon Keyspaces databases through Teleport. #66975
Fixed an issue where Windows desktop LDAP discovery could conflict with dynamic registration causing desktops to be removed from the cluster. #66802
Improved the error message on login in tsh and Teleport Connect when /webapi/ping returns a non-200 response. #66713
Raise the app access upstream response-header cap from 5 minutes to 1 hour so long-running HTTP requests complete. #66686
Updated Go to 1.25.10. #66570
Improved the performance of VNet on macOS by eliminating unnecessary reconnects. #66561
Reduced unnecessary S3 uploads for Athena audit log deployments that publish directly to SQS by applying the correct SQS message size limit when the client has sqs:GetQueueAttributes permission, instead of always using the 256 KB SNS limit. #66533
Improved Teleport Connect startup reliability on Windows. #66510
Hardened event handler so it recovers in case of malformed session ID or corrupted data directory. #66472
Fixed app access dropping URL fragments through the auth redirect flow. #66461
Fixed an issue preventing host sudoers entries from being written on newer Linux distributions (i.e. Ubuntu 25.10) using sudo-rs. #66434
Fixed an issue that could cause LDAP discovery to fail when a single desktop service discovers large numbers of hosts. #66400
Fixed a rare input swallowing bug when resuming a moderated Node session. #66369
Fixed possible unavailability of Proxy service instances as a result of some API errors. #66313

Enterprise:

Enterprise licenses with a devices limit for device trust can now enroll unlimited devices.
Fixed a bug that could cause panics in Teleport's SAML IdP during failure scenarios.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Slack Linux amd64 | Linux arm64
Mattermost Linux amd64 | Linux arm64
Discord Linux amd64 | Linux arm64
Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
Event Handler Linux amd64 | Linux arm64 | macOS amd64
PagerDuty Linux amd64 | Linux arm64
Jira Linux amd64 | Linux arm64
Email Linux amd64 | Linux arm64
Microsoft Teams Linux amd64 | Linux arm64

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track teleport

Get notified when new releases ship.

About teleport

The easiest, and most secure way to access and protect all of your infrastructure.

All releases →

Related context

Related tools

Earlier breaking changes

v18.8.0 Roles with unknown fields rejected at create/edit instead of silently dropped.
v18.8.0 Teleport Connect automatic updates only; manual downgrades required.