teleport

v18.8.1 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 19d Network Security
✓ No known CVEs patched

Topics

audit bastion certificate cluster database-access firewall
firewalls go jumpserver kubernetes kubernetes-access pam postgresql rbac rdp security ssh teleport teleport-binaries

Summary

AI summary

Fixed host sudoers entry creation on newer Linux distributions such as Ubuntu 25.10 using sudo-rs.

Changes in this release

Feature Medium

Kubernetes join method supports allow rules targeting specific service account names and namespaces with wildcards.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

MFA prompt includes leaf cluster name if resource belongs to one.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Session summary timeline now shows detected MITRE ATT&CK IDs and suspicious flags for commands.

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

Improved performance of certain predicate expressions for SSH server selection.

Source: llm_adapter@2026-05-21

Confidence: high

Performance Medium

Improved error message on login in tsh and Teleport Connect for non-200 /webapi/ping responses.

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

Raised app access upstream response-header cap from 5 minutes to 1 hour for long-running HTTP requests.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes issue preventing Azure join method joins in updated trust chain regions.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fixed issue preventing host sudoers entries from being written on newer Linux distributions using sudo-rs.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixed sessions failing to be summarized when using non-alternate buffer TUI applications.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Teleport Connect's VNet now starts on Linux with older tsh present at /usr/local/bin/tsh.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Browsers see simple HTML page instead of plain text when accessing Device Trust web app from untrusted device.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Web UI no longer shows audit review prompts or 0001-01-01 dates for static Access Lists.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixed failure to write host sudoers entries on newer Linux distributions (e.g., Ubuntu 25.10) when using `sudo-rs`.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Session summarization now works correctly with non-alternate buffer TUI applications.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Medium

Internal performance optimizations to the SCIM PATCH flow for parallel requests targeting same SCIM groups.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

Description

  • Improved the performance of certain predicate expressions used to select SSH servers. #66769
  • Fixes an issue preventing joins using the azure join method in regions where the trust chain has been updated with an additional intermediate. #66764
  • Fix Teleport Connect's VNet failing to start on Linux when an older tsh is present at /usr/local/bin/tsh. #66757
  • The MFA prompt now includes the name of a leaf cluster if the resource belongs to one. #66741
  • When attempting to access a web app protected by Device Trust from an untrusted device, browsers now see a simple HTML page instead of a plain text response. #66717
  • Improved the error message on login in tsh and Teleport Connect when /webapi/ping returns a non-200 response. #66712
  • The kubernetes join method now supports allow rules targeting specific service account names and namespaces and supports wildcards when the new fields are used. #66700
  • Raise the app access upstream response-header cap from 5 minutes to 1 hour so long-running HTTP requests complete. #66687
  • Fixed an issue preventing host sudoers entries from being written on newer Linux distributions (e.g. Ubuntu 25.10) using sudo-rs. #66433

Enterprise:

  • Internal performance optimizations to the SCIM PATCH flow when multiple parallel PATCH requests target the same SCIM groups.
  • Fixed an issue with sessions failing to be summarized when using non-alternate buffer TUI applications.
  • Commands in the session summary timeline now show detected MITRE ATT&CK IDs and suspicious flags.
  • Fixed Web UI to no longer show audit review prompts or 0001-01-01 dates for static Access Lists.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

About teleport

The easiest, and most secure way to access and protect all of your infrastructure.

Related context

Earlier breaking changes

  • v18.8.0 Roles with unknown fields rejected at create/edit instead of silently dropped.
  • v18.8.0 Teleport Connect automatic updates only; manual downgrades required.
