Skip to content

Release history

Consul releases

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.

Back to tool Latest release

All releases

6 shown

Upgrade now
v2.0.0 Mixed
Dependencies

Envoy upgrade + rate limiter + mesh multi‑port

Open
v1.22.7 Breaking risk
Security fixes
  • CVE-2026-33186 in google.golang.org/grpc
  • CVE-2026-24051 (Path Hijacking) in OpenTelemetry
  • CVE-2026-2808 remediation
Notable features
  • TokenNameFormat field for auth-method
  • Replaced hashstructure_v2 with custom implementations
Full changelog

1.22.7 (April 21, 2026)

SECURITY:

  • security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
  • security: upgrade go.opentelemetry.io/otel to 1.42.0 to remediate CVE-2026-24051 (Path Hijacking / Untrusted Search Paths on macOS). [GH-23387]
  • test-sds-server: bump github.com/hashicorp/consul to v1.22.5 in integration test module to align with the CVE-2026-2808 fixed release line. [GH-23437]
  • ui: (Enterprise only) Backport Rollup update to 2.80.0 for release/1.21.x to address CVE-2026-27606 (SECVULN-38912). [GH-23359]

IMPROVEMENTS:

  • acl: Addition of TokenNameFormat field to auth-method and parse the same for token name [GH-23444]
  • discovery-chain: removes the use of hashstructure_v2 ([github.com/mitchellh/hashstructure/v2] from compiled discovery chain hashing and replaces it with explicit custom hash implementations. [GH-23393]
  • ui: removed consul docs website related code as it is being maintained in a separate internal repository. [GH-23398]

BUG FIXES:

  • api-gateway: fix HTTPRoute PathPrefix routing to preserve the original request path when replacePrefixMatch is not configured [GH-23390]
View release on GitHub
v1.22.6 Security relevant
Security fixes
  • CVE-2026-33186 (gRPC vulnerability)
  • Envoy security updates to 1.35.9 and 1.34.13
Notable features
  • API Gateway zero-weight service support
  • Consul UI non-secure environment fixes
View release on GitHub
v1.22.5 Security relevant
Security fixes
  • Vault CA provider arbitrary file read prevention
  • Federation state sync debounce timing fix
View release on GitHub
v1.22.4 Breaking risk
Breaking changes
  • AWS SDK v1 to v2 migration
  • HTTP server timeout defaults changed
Security fixes
  • Go version upgrade to 1.25.7
  • Slowloris denial-of-service prevention
Notable features
  • Slowloris DoS prevention via HTTP timeouts
  • AWS IAM endpoint flag support
View release on GitHub
v1.22.3 Security relevant
Security fixes
  • Alpine 3.23.2 base image update
Notable features
  • imported-services CLI command
  • Virtual IP CIDR range configuration
View release on GitHub

Beta — feedback welcome: [email protected]