Vault 1.16.0-rc3 released!

Hi all,

The Vault team is announcing the third release candidate for 1.16. Release candidates must not be used in production, but your feedback is critical for a smooth final release.

The Community Edition binary can be downloaded at [1]. Enterprise binaries are available to customers as well.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].

The major features and improvements in these releases are:

  • Default Lease Count Quota (Enterprise) applies a new global default lease count quota of 300k leases for all new installs of Vault (upgraded clusters not included).
  • Request limiter option to enable adaptive concurrency limits (Enterprise Beta) for resource-constrained HTTP request paths, preventing excessive load on the Vault server
  • Seal HA (Enterprise) ensures high availability of Vault, by allowing admin users to configure more than one seal for auto-unseal and seal wrapping in the event that the current seal provider is non-operational.
  • PKI Enrollment over Secure Transport (EST) (Enterprise Beta) with native support for EST protocol, customers can easily automate certificate enrollment of EST compatible devices at scale. Note: This feature is in Beta and not intended for production use.
  • Vault Secrets Sync (Enterprise Beta) syncs secrets from the source in Vault to native secrets managers in AWS, Azure, GCP, GitHub, and Vercel
  • Increased batch size for WAL writes (Enterprise) improves write throughput for customers using Integrated Storage
  • Manual snapshot reporting (Enterprise) allows users to create manual exports of product-license metering data to report to HashiCorp.
  • Containerized Vault Plugins (on Linux only) enables plugins to run in protected runtime environments such as gVisor
  • Plugin environment variables now override environment variables for the Vault server, allowing per-plugin settings for HTTP_PROXY, among others
  • Plugin Workload Identity (Enterprise) allows Vault to generate identity tokens for plugins to use in workload identity federation authentication flows. This allows the AWS secret engine to be configured without needing sensitive security credentials.
  • Event Notifications (Enterprise) alert subscribers of supported Vault events, enabling immediate follow-up actions
  • Customizable UI Banners (Enterprise) deliver time-sensitive messages from Vault administrators to users logging in to the Vault UI
  • Vault Proxy Static Secret Caching (Enterprise) now supports caching static (KVv1 and KVv2) secrets - multiple requests to Vault Proxy by the same user for the same secret will only require a single request to the Vault server
  • Vault Audit Log Filtering (Enterprise) allows users to configure filters that determine which audit entries are sent to which audit devices
  • Controlled Access to Unauthenticated Endpoints gives admins more control over how unauthenticated endpoints in Vault can be accessed and in some cases what information they return
  • Experimental raft-wal option for backing log store removes risk of infinite snapshot loops for follower nodes in large-scale Integrated Storage deployments

See the Changelog at [3] for the full list of improvements and bug fixes.

See the Feature Deprecation Notice and Plans page [8] for our upcoming feature deprecation plans.

Community [6] and Enterprise [7] Docker images will be available soon.


See [4] for general upgrade instructions and [5] for upgrade instructions and known issues.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [9].

We hope you enjoy Vault 1.16.0-rc3!

Sincerely, The Vault Team

[1] Vault v1.16.0-rc3 Binaries | HashiCorp Releases
[2] Security at HashiCorp
[4] Upgrading Vault - Guides | Vault | HashiCorp Developer
[5] Release Notes | Vault | HashiCorp Developer
[6] Docker
[7] Docker
[8] Feature Deprecation Notice | Vault | HashiCorp Developer
[9] Vault - HashiCorp Discuss