This release includes 1 security fix for security teams reviewing exposed deployments.
Summary
AI summary: Hardened JWT validation with `exp` and `nbf` checks and a configurable clock skew, plus fixed SDK/server signing parity.
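The JWT claim checks named in this summary, written out as an added example in Python (this is not TKeeper's code; the project's language and its `auth.jwt.*` option names beyond `auth.jwt.issuer` are not stated on this page). `JwtPolicy`, `check_claims` and the rejection reasons are assumed names. The function only covers the time and issuer claims; signature verification is assumed to have already succeeded before it is called.

```python
import time
from dataclasses import dataclass
from typing import Any, Optional

# Added example, not TKeeper's code. Names below are assumptions; the page names only
# the `exp`/`nbf` checks, the configurable clock skew and the `auth.jwt.issuer` setting.


@dataclass(frozen=True)
class JwtPolicy:
    clock_skew_seconds: int = 30     # the page's configurable clock skew (value assumed)
    issuer: Optional[str] = None     # bound from auth.jwt.issuer; None means no issuer binding


def _numeric_date(value: Any) -> Optional[int]:
    """RFC 7519 NumericDate is a number. Reject strings and bools (bool is an int subclass)."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    return int(value)


def check_claims(claims: dict, policy: JwtPolicy, now: Optional[int] = None) -> str:
    """Return 'ok' or the reason the token is rejected. Call only after the signature verified."""
    now = int(time.time()) if now is None else now
    skew = policy.clock_skew_seconds

    # exp is mandatory here: a token without an expiry is never accepted.
    if "exp" not in claims:
        return "missing-exp"
    exp = _numeric_date(claims["exp"])
    if exp is None:
        return "bad-exp"
    # RFC 7519: current time must be before exp; skew widens the window by a bounded amount.
    if now >= exp + skew:
        return "expired"

    # nbf is optional, but when present it is type-checked and enforced with the same skew.
    if "nbf" in claims:
        nbf = _numeric_date(claims["nbf"])
        if nbf is None:
            return "bad-nbf"
        if now < nbf - skew:
            return "not-yet-valid"

    # Optional issuer binding: when configured, iss must match exactly (no prefix matching).
    if policy.issuer is not None and claims.get("iss") != policy.issuer:
        return "issuer-mismatch"
    return "ok"


if __name__ == "__main__":
    # Constructed sample claims; the issuer value is a placeholder.
    policy = JwtPolicy(clock_skew_seconds=30, issuer="https://keeper.example")
    now = int(time.time())
    for claims in (
        {"exp": now + 60, "iss": "https://keeper.example"},
        {"exp": now - 120, "iss": "https://keeper.example"},
        {"exp": now + 60, "nbf": now + 300, "iss": "https://keeper.example"},
        {"exp": "9999999999", "iss": "https://keeper.example"},
        {"exp": now + 60, "iss": "https://other.example"},
    ):
        print(check_claims(claims, policy, now), claims)
```

Rejecting non-numeric `exp`/`nbf` values matters as much as the comparison itself: a string or boolean that a lenient comparison coerces can turn a missing check into an always-valid token.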
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High | Fixed JWT `exp` validation. | — |
| Security | High | Added JWT `nbf` validation with configurable clock skew. | — |
| Security | Medium | Added optional JWT issuer binding via `auth.jwt.issuer`. | — |
| Security | Medium | Hardened internal auth query canonicalization against duplicate decoded query keys. | — |
| Security | Medium | Rejected query signing transcript separators in query keys and values. | — |
| Feature | Medium | Added canonical FourEye signing JSON on Keeper and SDK sides. | — |
| Feature | Medium | Sorted JSON object fields recursively for signing while preserving array order. | — |
| Feature | Medium | Aligned FourEye approval hashes for sign, generate, decrypt, and key destroy flows. | — |
| Bugfix | Medium | Fixed SSL trust context factory binding to internal clients. | — |
| Bugfix | Medium | Fixed SDK & server signing parity for nested policy and command objects. | — |
Full changelog
This update includes important security fixes.
- Added canonical FourEye signing JSON on Keeper and SDK sides.
- Sorted JSON object fields recursively for signing while preserving array order.
- Aligned FourEye approval hashes for sign, generate, decrypt, and key destroy flows.
- Fixed SDK & server signing parity for nested policy and command objects.
- Changed FourEye approver keys to ordered list semantics and kept duplicate-key rejection.
- Fixed JWT `exp` validation, added `nbf` validation with configurable `clock-skew`, and added optional JWT issuer binding via `auth.jwt.issuer`.
- Hardened internal auth query canonicalization against duplicate decoded query keys.
- Rejected query signing transcript separators in query keys and values.
- Fixed SSL trust context factory binding to internal clients.
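The canonical signing JSON described in the changelog entries above (recursive key sorting, arrays kept in order, duplicate keys rejected, identical approval hashes on the SDK and server side), as an added example in Python. This is not TKeeper's or its SDK's code; the function names, the SHA-256 digest, the compact separators and the sample request are all assumptions made here to show the technique.

```python
import hashlib
import json
from typing import Any, Dict, List, Tuple

# Added example, not TKeeper code. Digest algorithm, separators and names are assumptions.


def reject_duplicate_keys(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    """json.loads object_pairs_hook: a key that appears twice in one object is rejected,
    instead of the last value silently winning (which would let two parsers disagree)."""
    obj: Dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key in signing JSON: {key!r}")
        obj[key] = value
    return obj


def parse_signing_json(text: str) -> Any:
    return json.loads(text, object_pairs_hook=reject_duplicate_keys)


def canonicalize(value: Any) -> Any:
    """Sort object keys at every nesting level; lists keep their order because order is
    part of the meaning (for example an ordered approver list)."""
    if isinstance(value, dict):
        return {key: canonicalize(value[key]) for key in sorted(value)}
    if isinstance(value, list):
        return [canonicalize(item) for item in value]
    return value


def canonical_json(value: Any) -> str:
    # Compact separators so whitespace differences between SDK and server cannot change the bytes.
    return json.dumps(canonicalize(value), separators=(",", ":"), ensure_ascii=False)


def approval_hash(value: Any) -> str:
    """Digest both sides compute over the same canonical bytes (SHA-256 is an assumption)."""
    return hashlib.sha256(canonical_json(value).encode("utf-8")).hexdigest()


# Constructed sample: the SDK builds the request with one field order, the server
# re-parses it with another; nested policy and command objects must still hash equally.
SDK_REQUEST = {
    "command": {"op": "decrypt", "key_id": "k-0001"},
    "policy": {"quorum": 2, "approvers": ["alice", "bob", "carol"]},
    "nonce": "n-42",
}
SERVER_REQUEST = {
    "nonce": "n-42",
    "policy": {"approvers": ["alice", "bob", "carol"], "quorum": 2},
    "command": {"key_id": "k-0001", "op": "decrypt"},
}

if __name__ == "__main__":
    print(canonical_json(SDK_REQUEST))
    print(approval_hash(SDK_REQUEST) == approval_hash(SERVER_REQUEST))
```

`json.dumps(..., sort_keys=True)` would sort recursively as well; the explicit `canonicalize` pass makes the array-order rule visible and gives a place to add further normalisation (for example rejecting floats) without touching the serializer.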
Security Fixes
- Fixed JWT `exp` validation, added `nbf` validation with configurable `clock-skew`, optional issuer binding via `auth.jwt.issuer`, hardened auth query canonicalization against duplicate decoded keys, rejected query signing transcript separators in keys/values, and fixed SSL trust context factory binding to internal clients.
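The two query-signing hardenings listed here (rejecting duplicate keys after percent-decoding, and rejecting transcript separators inside decoded keys and values), as an added example in Python. This is not TKeeper's code: the transcript layout (`key=value` lines joined by newlines, sorted by key), the separator set, the HMAC-SHA256 signature and the sample queries are assumptions chosen to illustrate the checks.

```python
import hashlib
import hmac
from typing import Dict
from urllib.parse import unquote

# Added example, not TKeeper code. Transcript format and separator set are assumptions.
# The transcript joins "key=value" lines with "\n"; "&" is the wire separator. A decoded
# key or value containing any of these could make two different queries produce the same
# transcript, so they are rejected rather than re-encoded.
TRANSCRIPT_SEPARATORS = ("\n", "=", "&")


class QueryRejected(ValueError):
    pass


def canonical_query_transcript(raw_query: str) -> str:
    """Build the signing transcript for a raw query string, or raise QueryRejected."""
    pairs: Dict[str, str] = {}
    for part in raw_query.split("&"):
        if not part:
            continue
        raw_key, _, raw_value = part.partition("=")
        key, value = unquote(raw_key), unquote(raw_value)
        # Compare keys after decoding: "a" and "%61" are the same key on the wire.
        if key in pairs:
            raise QueryRejected(f"duplicate decoded key: {key!r}")
        for sep in TRANSCRIPT_SEPARATORS:
            if sep in key or sep in value:
                raise QueryRejected(f"separator {sep!r} in decoded key or value of {key!r}")
        pairs[key] = value
    return "\n".join(f"{key}={pairs[key]}" for key in sorted(pairs))


def sign_query(raw_query: str, secret: bytes) -> str:
    """HMAC-SHA256 over the canonical transcript (algorithm is an assumption)."""
    transcript = canonical_query_transcript(raw_query)
    return hmac.new(secret, transcript.encode("utf-8"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    print(canonical_query_transcript("op=sign&key=k-0001"))
    print(sign_query("op=sign&key=k-0001", secret) == sign_query("key=k-0001&op=sign", secret))
    for bad in ("a=1&%61=2", "note=x%26y", "a=b=c"):
        try:
            canonical_query_transcript(bad)
        except QueryRejected as exc:
            print("rejected:", exc)
```

The sort makes parameter order irrelevant to the signature, which is what lets the SDK and server agree; the duplicate and separator checks are what keep that canonical form unambiguous once decoding is involved.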