ent-changelog-1.18.16
Breaking Changes · 📦 consul-connect
⚠ 1 breaking · ✨ 1 feature · 🐛 6 fixes · ⚡ 2 deprecations · 🔧 5 symbols
Summary
This release shares the Consul Enterprise changelog, introduces a new enterprise API endpoint, and addresses several critical security vulnerabilities through improved validation and DoS mitigation. The UI has also undergone significant modernization to address Ember deprecations.
⚠️ Breaking Changes
- The key/value endpoint now enforces key name validation by default to prevent path traversal attacks (CVE-2025-11392). To disable this new validation, use the `DisableKVKeyValidation` configuration option.
Migration Steps
- If you rely on unvalidated key names in the KV endpoint, you must now explicitly set `DisableKVKeyValidation` to true in your configuration to maintain previous behavior, though this is discouraged due to security risks.
✨ New Features
- Added a new enterprise API endpoint `/v1/operator/utilization` for Manual Snapshot Reporting.
🐛 Bug Fixes
- Fixed proxied URL path validation to prevent path traversal.
- Fixed potential denial of service attacks on the Consul KV endpoint by improving Content-Length header validation (CVE-2025-11374).
- Fixed denial-of-service (DoS) attacks on the event endpoint by adding a maximum Content-Length (CVE-2025-11375).
- Fixed computed property override issues in the UI occurring due to Ember v4 deprecations.
- Fixed UI issue where namespaces disappeared and the Welcome to Namespace screen appeared after tab switching.
- Fixed UI issue where the three dots menu stopped responding after deleting multiple tokens or policies.
🔧 Affected Symbols
- `/v1/operator/utilization`
- Consul KV endpoint
- event endpoint
- `Route#renderTemplate`
- `ember-component-send-action`
⚡ Deprecations
- The UI has removed deprecated `Route#renderTemplate` usage.
- The UI has removed `send action` instances as part of Ember deprecations.