Releases: gravitational/teleport

Teleport 18.6.6

03 Feb 06:30
6750243

Description

  • Fixed tsh/Linux sending a too-large username for device trust. #63387
  • Fixed an issue where MCP JSON-RPC messages with mixed-case field names could be parsed inconsistently and re-serialized in lowercase. Teleport now enforces canonical lowercase JSON-RPC fields. #63364
  • Improved robustness of the Slack hosted plugin to reduce the likeliness of failed token refresh when experiencing external disruption. #63344
  • Fixed a bug affecting access list review queries for lists where the name is a prefix of another list name. #63337
  • Updated the OCI SDK to support new regions. #63265
  • Ensure application session rejections for untrusted devices are consistently audited as AppSessionStart failures after MFA. #63149
  • Added Helm chart support to the teleport-event-handler configure command. #63147
  • Added tctl support for removing okta_assignment internal resource should it be needed. #62698

Enterprise:

  • Prevented manual membership changes to SCIM-type access lists while enabling support for their reviews.
  • Fixed the issue where Okta integration may not remove previously synced apps after plugin restart.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Teleport 17.7.16

03 Feb 00:20
323893d

Description

  • Improved robustness of the Slack hosted plugin to reduce the likeliness of failed token refresh when experiencing external disruption. #63347
  • Ensure application session rejections for untrusted devices are consistently audited as AppSessionStart failures after MFA. #63260
  • Fixed a CredentialContainer error when attempting to log in to the Web UI with a hardware key using Firefox >=147.0.2. #63246
  • Updated OpenSSL to 3.0.19. #63203

Enterprise:

  • Mitigated a race in the Slack token refresh logic.
  • Fixed the issue where Okta integration may not remove previously synced apps after plugin restart.
  • Added support for multi-arch lock file population for the terraform provider.

Teleport 18.6.5

29 Jan 21:14
4bc3277

Description

  • Fixed a CredentialContainer error when attempting to log in to the Web UI with a hardware key using Firefox >=147.0.2. #63245
  • Added support for deleting cluster alerts via tctl alerts rm <alertID> command. #63211
  • Updated OpenSSL to 3.0.19. #63202
  • Added support for injecting Teleport-issued ID tokens into outgoing MCP requests, enabling integrations with MCP servers such as the AWS Bedrock AgentCore MCP Gateway that can validate tokens via OIDC discovery URL. #63156
  • Export "additional_trusted_keys" when exporting TLS CAs, which includes new certificates generated in the "init" rotation phase. Reflected in "tctl auth export" and the "/webapi/auth/export" endpoint. #63134
  • Updated indirect dependency go-chi/chi/v5 (addresses GO-2026-4316). #63092
  • The tbot systemd install command now supports a --pid-file flag for setting the path to the PID file. #63039
  • Allow kubeconfig and context to be explicitly configured for tbot kubernetes_secret destination. #63037
  • Implemented "tctl get cert_authority/catype", in addition to the already existing "tctl get cert_authority" and "tctl get cert_authority/catype/domain". #63027
  • Added a Terraform module to configure Teleport and AWS for EC2 discovery in an AWS account. #63004
  • Added opt-in support to bootstrap the teleport-plugin-event-handler helm chart with MWI to auto-join Teleport clusters when Operator is enabled. #63001
  • Added permissions to the editor role allowing users to view autoupdate agent reports. #62973
  • Improved performance of large search queries for DynamoDB event backend. #62890
  • Introduced tbot-spiffe-daemon-set helm chart for deploying a Daemon Set of tbot agents which serve SPIFFE SVIDs to Kubernetes pods via the SPIFFE Workload API. #62583

Enterprise:

  • Fixed an issue with the legacy Azure OIDC IdP SSO issuer=sts.windows.net where Teleport was unable to map Teleport roles from the groups claim available in the id_token.
  • Added updated resources to SCIM audit events that create or change SCIM resources.
  • Support multi-arch lock file population for the terraform provider.
  • Added audit events to SCIM PATCH operations.
  • Updated Entra ID plugin to support importing Entra ID group owners as Access List owners.
  • Replaced enterprise downloads list view in Web UI with links to Public Downloads page.

Teleport 17.7.15

27 Jan 19:29
f1db778

Description

  • Updated indirect dependency go-chi/chi/v5 (addresses GO-2026-4316). #63093
  • The tbot systemd install command now supports a --pid-file flag for setting the path to the PID file. #63038
  • Fixed GCS session recording backend not respecting rate limits. #62987
  • Made the teleport-cluster Helm chart job resources configurable again via the jobResources value. #62924
  • Reverted a disruptive change from v17.7.11: the teleport-cluster Helm chart uses resources for Jobs again. If set, jobResources takes precedence. This will change in v18, where only jobResources will be used. #62924

Teleport 18.6.4

21 Jan 15:49
bf7b201

Description

  • Fixed GCS session recording backend not respecting rate limits. #62986
  • Fixed a bug where members of a former owner Access List retained the owner permission grants of the formerly owned Access List. This also fixes the issue of not being able to delete a former owner Access List. Please note: this could only happen if the owner Access List ownership was removed via the web UI. #62979
  • Tctl commands executed from Teleport Connect now target the current root cluster with the TELEPORT_AUTH_SERVER env var, similar to how it works for tsh; this behavior can be turned off in the config file. #62923
  • Made the teleport-cluster Helm chart job resources configurable again via the jobResources value. #62922
  • Updated Go to 1.24.12. #62885
  • Fixed launching AWS Identity Center from Teleport Connect. #62840
  • Removed erroneous pair-wise subject type from Teleport's OpenID configuration. #62835
  • Fixed renewed X509-SVIDs not being proactively sent to Envoy instances. #62830
  • Fixed an issue where MCP Session Listen events may spam the audit log with the app service error malformed line in SSE stream: "". #62811
  • Added automatic client certificate reloading option for postgres backends. #62747
  • Fixed an issue that would prevent tsh from working when the 1password SSH agent is running. #62736
  • Add tbot wait API and helper to let scripts wait for bots to become ready. #62719
  • MWI: Add support for templating secret annotations in the tbot's kubernetes/argo-cd service. #62709
  • Add quicksight.aws.amazon.com as valid URL for AWS Console access. #62700
  • Fixed potential delay in updating User Task status for Discovery resources. #62699
  • Fixed an issue where logging in to the Web UI with Device Trust would lose query params of the redirect URL. #62677
  • Fixed an issue where Teleport Connect could generate a flurry of notifications about not being able to connect to a resource. #62671
  • Fixed issuance of wildcard DNS SANs with Workload Identity. #62667
  • Fixed a memory leak in access list reminder notifications affecting clusters with more than 1000 pending Access List reviews. #62663
  • Added support for health checks to monitor cert authority availability and affect Teleport Auth readiness. #62637
  • Added IAM joining support from new AWS regions in Asia. #62627
  • Added VNet config Create/Update/Delete audit events. #62618
  • Added cleanup of access entries for EKS auto-discovered clusters when they no longer match the filtering criteria and are removed. #62598
  • Added teleport debug metrics command. #62586
  • Fixed missing initialization of Azure IMDS clients, which could cause operational failures in some Teleport configurations deployed to Azure, in particular when accessing Azure SQL Server. #62579
  • Fixed some auto update audit events showing up as unknown in the web UI. #62547
  • The join tokens UI now indicates which tokens are managed by the Teleport Cloud platform. #62544
  • The tctl tokens add command now includes the CA pins in JSON and YAML output. #62536
  • Added teleport debug readyz command. #62532
  • Audit log and session uploader now respect region field of external_audit_storage resource when present. #62520
  • Added default routes to the web UI left nav top-level category buttons. #62502
  • Fixed an issue that prevented searching for users by role in the web UI. #62474
  • Fixed tilde expansion for moderated SFTP. #62453
  • Added support for standard TLS secret key names for helm charts: teleport-plugin-event-handler, teleport-cluster, teleport-operator, teleport-kube-agent. #62451
  • Added a plan modifier to recompute kubernetes_resources defaults during role version upgrades, fixing Terraform role upgrade issues. #62417
  • Fixed an issue in the Teleport SSH Service where interactive PAM Auth modules always failed when trying to run exec sessions with a TTY allocated, e.g. tsh ssh --tty <node> ls. #62064

Enterprise:

  • Fixed an issue in the Entra ID integration where a user account with an unsupported username character / could prevent other valid users and groups from being synced to Teleport. Such user accounts are now filtered.
  • Cockroachdb: add automatic client certificate reloading option.
  • Enabled UI editing of Access List descriptions.
  • Added protections against replay attacks when IdP-initiated SAML is enabled.
  • Added Access Automations Terraform dialog.

Teleport 17.7.14

16 Jan 23:40
a3ddd77

Description

  • Updated Go to 1.24.12. #62886
  • Fixed launching AWS Identity Center from Teleport Connect. #62870
  • Fixed renewed X509-SVIDs not being proactively sent to Envoy instances. #62829
  • Updated rustcrypto/rsa dependency to fix potential panic (CVE-2026-21895). #62769
  • Fixed an issue that would prevent tsh from working when the 1password SSH agent is running. #62737

Enterprise:

  • Fixed an issue in the Entra ID integration where a user account with an unsupported username character / could prevent other valid users and groups from being synced to Teleport. Such user accounts are now filtered.

Teleport 17.7.13

08 Jan 21:24
bc44427

Description

  • Fixed an issue where logging in to the Web UI with Device Trust would lose query params of the redirect URL. #62678
  • Fixed an issue where Teleport Connect could generate a flurry of notifications about not being able to connect to a resource. #62672
  • Fixed issuance of wildcard DNS SANs with Workload Identity. #62669
  • Added IAM joining support from new AWS regions in Asia. #62628
  • Added cleanup of access entries for EKS auto-discovered clusters when they no longer match the filtering criteria and are removed. #62599
  • Fixed some auto update audit events showing up as unknown in the web UI. #62548
  • The join tokens UI now indicates which tokens are managed by the Teleport Cloud platform. #62543
  • Audit log and session uploader now respect region field of external_audit_storage resource when present. #62519
  • Fixed an issue that prevented searching for users by role in the web UI. #62475
  • Acknowledging a cluster alert no longer requires the create permission. #62469
  • Fixed tilde expansion for moderated SFTP. #62454
  • Fixed a potential SSRF vulnerability in the Azure join method implementation. #62420
  • Updated github.com/quic-go/quic-go to 0.57.0 to mitigate CVE-2025-64702. #62294
  • Fixed issue where AltGr key combinations did not work correctly in remote desktop sessions. #62197
  • Fixed a memory leak in access list reminder notifications affecting clusters with more than 1000 pending Access List reviews. #62664

Teleport 18.6.1

25 Dec 01:07
05b9362

Description

  • Fixed an issue preventing text editors in the Web UI from allowing edits. #62488
  • Acking a cluster alert no longer requires the create permission. #62468
  • Fixed service health reason formatting for bot instances in the Web UI. #62328
  • Fixed an issue causing a ref type of "any" to be added when editing GitHub or Gitlab join tokens in the Web UI. #62487

Teleport 18.6.0

23 Dec 01:44
5e1296c

Description

Identifier-first login enhancements

Teleport now automatically passes the username to the identifier provider when performing Identifier-first login with OIDC or SAML IdPs.

GitHub Actions Kubernetes Wizard

Teleport now ships with a new guided flow for setting up GitHub Actions workflows that connect to Teleport-protected Kubernetes clusters without secrets.

Other changes and improvements

  • Fixed unspecified proxy address breaking moderated SFTP when mixing IPv4 and IPv6. #62296
  • Added full configuration file for teleport-plugin-event-handler helm chart. #62280
  • Added full environment variable configuration for event handler CLI. #62280
  • Added support for extraArgs/extraEnv/extraLabels patterns for teleport-plugin-event-handler helm chart. #62266
  • Fixed issue where AltGr key combinations did not work correctly in remote desktop sessions. #62198
  • Added annotations support for teleport-plugin-event-handler helm chart. #62188
  • Added a new global configuration section auth_connection_config allowing users to configure the backoff behavior for Proxy and Agent instances connecting to the Auth Service. #62139
  • Fixed a potential SSRF vulnerability in the Azure join method implementation. #62406
  • Support for v8 roles has been added to the Terraform provider. #62380
  • Added support for selecting Kube agents as Managed Updates v2 canaries. Important: the default update group is corrected to "default" from "stable/cloud". #62211

Teleport 18.5.1

12 Dec 21:59
0d82e73

Description

  • Fixed Teleport instances running the Auth Service sometimes not becoming ready during initialization. #62194
  • Fixed an Auth Service bug causing the event handler to miss up to 1 event every 5 minutes when storing audit events in S3. #62150
  • Fixed bug where event handler dies on malformed session events. #62141
  • Updated event handler to ingest missing session recordings at twice the concurrency instead of only 10 sessions at a time. #62141
  • Changed "tsh --mfa-mode=cross-platform" to favor security keys on current Windows versions. #62134
  • Fixed "the client connection is closing" error happening under certain conditions in Teleport Connect when connecting to resources with per-session MFA enabled. #62127
  • Improved detail of error messages for identity service in tbot. #62120
  • Teleport Connect now supports expanding ~/ home-directory paths in the configuration file. #62104
  • Added support for --format flag for tsh request search. #62099
  • Fixed bug where event handler types filter is ignored for Teleport clients using Athena storage backend. #62082
  • Fixed intermittent issues with VNet on Windows when other NRPT rules from GPOs are present under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig. #62052
  • Added Terraform provider support for teleport_integration resources. #62040
  • DiscoveryConfig resources can now be managed via the Teleport Terraform Provider. #62034
  • Reduced memory consumption of the Application service. #62014
  • Added support for listing application session recordings in tsh recording ls and the Web UI. #62010
  • Fixed a Web UI issue where the copy button for the session ID did not work for non-interactive session recordings. #62010
  • Prevented stuck teleport-cluster Helm chart rollouts in small Kubernetes clusters. Removed resource requests from configuration check hooks. #62003
  • Fixed static keypair creation in tbot keypair create when the --static-key-path flag is used. #61947
  • Re-enabled MySQL database health checks. MySQL health checks will now authenticate to the database as a user, rather than TCP dialing and closing the connection, to prevent MySQL from automatically blocking the Teleport database service instance host. The health check user name default is "teleport-healthchecker". #61942
  • Added support for templating secret_labels, and the {{.Labels}} template variable, to tbot's kubernetes/argo-cd output. #61876

Enterprise:

  • Updated AWS Identity Center integration sign-in start URL format to support AWS GovCloud accounts.
  • Fix a potential race where Okta assignments may never be cleaned up if the Okta integration is down while the assignment expires.
  • Created a dedicated Access Automations feature page within the Web UI.
  • Entra ID directory reconciler now overwrites user accounts created by the referenced SAML Auth Connector.
