OpenBAO v2.3.1

SECURITY

• core/sys: Add listener parameter (disable_unauthed_rekey_endpoints, default: false) to optionally disable unauthenticated rekey operations (to sys/rekey/* and sys/rekey-recovery-key/*) for a listener. This will be set to true in a future release; see the deprecation notice for more information. Auditing is now enabled for these endpoints as well. CVE-2025-52894. Upstream HCSEC-2025-11 / CVE-2025-4656.
• sdk/framework: prevent additional information disclosure on invalid request. CVE-2025-52893. [GH-1495]

CHANGES

• packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also golang/go#46279. [GH-1179]
• storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297]
• packaging: Support for Illumos removed due to broken builds [GH-1503]

FEATURES

• KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144]
• Namespaces UI Support: Added namespace UI support, including namespace picker and namespace management pages. [GH-1406]
• Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation.
  • Create, read, update, delete a hierarchical directory of namespaces
  • Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more
  • Migrate (remount) secrets engines and auth methods between namespaces
  • Lock and unlock namespaces
  • Route requests to namespaces via path (/my-namespace/secrets) or X-Vault-Namespace header (or both!)
  • CLI support via the bao namespace family of commands and the -namespace flag. [GH-1165]
• Add ARM64 HSM builds and Alpine-based HSM container images [GH-1427]
• Support Common Expression Language (CEL) in PKI. CEL allows role authors to create flexible, dynamic certificate policies with complex, custom validation support and arbitrary control over the final certificate object. [GH-794]
• auth/jwt: Add support for Common Expression Language (CEL) login roles. CEL allows role authors to create flexible, dynamic policies with complex, custom claim validation support and arbitrary templating of logical.Auth data. [GH-869]
• ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880]

IMPROVEMENTS

• When using auto-unseal via KMS, KMS-specific configuration information (non-sensitive) is now logged at server startup. [GH-1346]
• approle: Use transactions for read + write operations [GH-992]
• auth/jwt: Support lazy resolution of oidc_discovery_url or jwks_url when skip_jwks_validation=true is specified on auth/jwt/config; OIDC status is now reported on reading the configuration. [GH-1306]
• core/identity: add unsafe_cross_namespace_identity to give compatibility with Vault Enterprise's cross-namespace group membership. [GH-1432]
• core/policies: Add check-and-set support for modifying policies, allowing for protection against concurrent modifications. [GH-1162]
• core/policies: Add endpoint to allow detailed listing of policies [GH-1224]
• core/policies: Allow setting expiration on policies and component paths, removing policies or preventing usage of path rules after expiration. [GH-1142]
• core: Support pagination and transactions in ClearView, CollectKeys, and ScanView, improving secret disable memory consumption and request consistency. [GH-1102]
• database/valkey: Revive Redis plugin as Valkey, the OSI-licensed fork of Redis [GH-1019]
• database: Use transactions for read-then-write methods in the database package [GH-995]
• pki: add not_after_bound and not_before_bound role parameters to safely limit issuance duration [GH-1172]
• ssh: Use transactions for read-then-write or multiple write methods in the ssh package [GH-989]
• storage/postgresql: support retrying database connection on startup to gracefully handle service ordering issues [GH-1280]

DEPRECATIONS

• Configuration of PKCS#11 auto-unseal using the duplicate and undocumented module, token and key options is now deprecated. Use the documented alternative options lib, token_label and key_label instead, respectively. (More details) [GH-1385]

BUG FIXES

• api: Stop marshaling nil interface data and adding it as a request body on an api.Request [GH-1315]
• core/identity: load namespace entities, groups into MemDB preventing them from disappearing on restart. [GH-1432]
• oidc: add some buffer time after calling oidcPeriodicFunc in test, to prevent flakiness [GH-1178]
• pki: addresses a timing issue revealed in pki Backend_RevokePlusTidy test [GH-1139]
• sealing/pkcs11: OpenBao now correctly finalizes the PKCS#11 library on shutdown (openbao/go-kms-wrapping#32).
  This is unlikely to have caused many real-world issues so far. [GH-1349]
• secrets/kv: Fix panic on detailed metadata list when results include a directory. [GH-1388]
• storage/postgresql: Remove redundant PermitPool enforced by db.SetMaxOpenConns(...). [GH-1299]
• storage/postgresql: skip table creation automatically on PostgreSQL replicas [GH-1478]
• vault: addresses a timing issue revealed in OIDC_PeriodicFunc test [GH-1129]
• vault: fixes a timing issue in OIDC_PeriodicFunc test [GH-1100]

What's Changed over Beta

• Deprecation notice for undocumented duplicate PKCS#11 seal options (#1385 by @satoqz) backported by @cipherboy in #1481
• CEL for Certificate Issuance Policy (#794 by @fatima2003) backported by @cipherboy in #1482
• Fix detailed metadata on list results (#1388 by @cipherboy) backported by @cipherboy in #1483
• Fix flaky PostgreSQL backend connection test (#1368 by @satoqz) backported by @cipherboy in #1485
• HSM: Add arm64 builds & Alpine containers (#1427 by @satoqz) backported by @cipherboy in #1486
• Fix changelog entries (#1440 by @cipherboy) backported by @cipherboy in #1487
• Point goreleaser and container image contacts to new OpenSSF domain (#1415 by @karras) backported by @cipherboy in #1489
• Backport go-viper/mapstructure/v2 move (#1459 by @mikelolasagasti and @KrzysztofKornalewski-Reply and #1480 by @cipherboy) backported by @cipherboy in #1488
• Go dependency bumps to fix vulnerabilities in dependencies (#1435 by @satoqz, #1434 by @wslabosz-reply, #1457 by @cipherboy) backported by @cipherboy in #1492
• Fix identity store resolution (#1432 by @cipherboy) by @cipherboy in #1491
• Namespaces UI support (#1406 by @driif) by @cipherboy in #1484
• Fix PostgreSQL table creation on replica (#1478 by @cipherboy) by @satoqz in #1494
• Add changelog entry for sdk/framework vulnerability by @cipherboy in #1497
• Allow disabling unauthenticated rekey by @cipherboy in #1498
• Minor improvements to CEL for PKI (#1390 by @cipherboy) by @cipherboy in #1499
• Bump API to v2.3.1 in core, sdk by @cipherboy in #1500
• Bump sdk to v2.3.1, add changelog to v2.3.0 by @cipherboy in #1501
• Bump to v2.3.1 - Drop Illumos support per policy in #711 by @cipherboy in #1503

Release notes: https://openbao.org/docs/release-notes/2-3-0/#v231
Full Changelog: v2.2.0...v2.3.1