teleport

v18.8.2 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 12d Network Security

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

audit bastion certificate cluster database-access firewall

+13 more

firewalls go jumpserver kubernetes kubernetes-access pam postgresql rbac rdp security ssh teleport teleport-binaries

Affected surfaces

auth rbac

ReleasePort's take

Light signal

editorial:auto 11d

Teleport v18.8.2 resolves several bugs and adds UI enhancements across tsh commands, JIT connectivity, LDAP registration conflicts, access monitoring graphs, SAML trait handling, and Okta assignment reliability.

Why it matters: Fixes certificate errors in `tsh aws/gcp/azure/app`, restores JIT resource access with older agents, prevents Windows desktop LDAP/dynamic registration removals, trims overflowed graph data, limits SAML traits to Okta/SCIM sources, and boosts Okta assignment processing stability.

Summary

AI summary

Broad release touches Description, https://github.com/gravitational/teleport/pull/66962, https://github.com/gravitational/teleport/pull/66933, and https://github.com/gravitational/teleport/pull/66781.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Restricts preserved user traits during SAML logon to those from Okta or SCIM integrations. Restricts preserved user traits during SAML logon to those from Okta or SCIM integrations. Source: llm_adapter@2026-05-22 Confidence: high	—
Feature
Feature	Medium	Adds remembering of recently used clusters after logout in Teleport Connect. Adds remembering of recently used clusters after logout in Teleport Connect. Source: llm_adapter@2026-05-22 Confidence: low	—
Feature	Medium	Moves Windows desktop controls in Teleport Connect to status bar for more RDP screen space. Moves Windows desktop controls in Teleport Connect to status bar for more RDP screen space. Source: llm_adapter@2026-05-22 Confidence: low	—
Feature	Medium	Adds badge display next to SCIM‑synced access lists in the web UI. Adds badge display next to SCIM‑synced access lists in the web UI. Source: llm_adapter@2026-05-22 Confidence: low	—
Performance	Medium	Improves reliability of Okta assignments processing. Improves reliability of Okta assignments processing. Source: llm_adapter@2026-05-22 Confidence: high	—
Bugfix
Bugfix	Medium	Fixes `tsh aws`, `tsh gcp`, `tsh azure`, and `tsh proxy app` certificate errors. Fixes `tsh aws`, `tsh gcp`, `tsh azure`, and `tsh proxy app` certificate errors. Source: llm_adapter@2026-05-22 Confidence: high	—
Bugfix	Medium	Fixes regression affecting JIT resource access connectivity with older agents. Fixes regression affecting JIT resource access connectivity with older agents. Source: llm_adapter@2026-05-22 Confidence: high	—
Bugfix	Medium	Fixes conflict between Windows desktop LDAP discovery and dynamic registration causing removals. Fixes conflict between Windows desktop LDAP discovery and dynamic registration causing removals. Source: llm_adapter@2026-05-22 Confidence: high	—
Bugfix	Medium	Fixes handling of access monitoring graph data when results exceed display maximum by hiding earlier entries. Fixes handling of access monitoring graph data when results exceed display maximum by hiding earlier entries. Source: llm_adapter@2026-05-22 Confidence: high	—

Full changelog

Description

Fixed tsh aws, tsh gcp, tsh azure, and tsh proxy app failing with certificate errors. #66962
Fixed a regression introduced in v18.7.6 affecting connectivity to resources via approved just-in-time resource access requests when the cluster is running agents older than v18.7.6. #66933
Teleport Connect now remembers recently used clusters after logout. #66781
Fixed an issue where Windows desktop LDAP discovery could conflict with dynamic registration causing desktops to be removed from the cluster. #66743
Windows desktop controls in Teleport Connect now reside in the status bar in order to allocate more screen real estate to the RDP session. #66726

Enterprise:

SCIM-synced access lists will now have a badge displayed next to them in the web UI.
Fixed access monitoring graph data handling in the Web UI when the amount of results exceeds the display maximum - now hides earlier instead of later data.
Restricted user traits preserved during a SAML logon to those created by the Okta or SCIM integrations.
Improved reliability of Okta assignments processing.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Slack Linux amd64 | Linux arm64
Mattermost Linux amd64 | Linux arm64
Discord Linux amd64 | Linux arm64
Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
Event Handler Linux amd64 | Linux arm64 | macOS amd64
PagerDuty Linux amd64 | Linux arm64
Jira Linux amd64 | Linux arm64
Email Linux amd64 | Linux arm64
Microsoft Teams Linux amd64 | Linux arm64

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track teleport

Get notified when new releases ship.

About teleport

The easiest, and most secure way to access and protect all of your infrastructure.

All releases →

Related context

Related tools

Earlier breaking changes

v18.8.0 Roles with unknown fields rejected at create/edit instead of silently dropped.
v18.8.0 Teleport Connect automatic updates only; manual downgrades required.