AIO2606 (v1.3.137) Public Release Notes
Release date: June 2026
Release type: Patch
Current GA version: 2606
Azure IoT Operations (AIO) 2606 is a security and stability-focused patch release that delivers critical security vulnerability remediation across MQTT broker authorization, registry endpoints, and onboarding components, reliability improvements for OPC UA and dataflow connectors, and enhanced testing coverage for connector resilience.
Upgrade to 2606 from any supported GA version to ensure you receive the latest security patches and reliability enhancements. Staying current is recommended for continued support and reliability.
Release Highlights
- Critical security vulnerability remediation: Addressed three high-priority security vulnerabilities, including glob metacharacter injection in broker authorization, arbitrary audience/host token minting in registry endpoints, and incomplete ABAC conditions in onboarding role assignment.
- OPC UA connector session management enhancements: Improved session lifecycle management with a configurable method-execution client idle timeout, and fixed issues preventing endpoints from transitioning between states correctly.
- Dataflow health status and enrichment reliability: Fixed issues where dataflow health status could become stuck in a degraded state after transient failures, and resolved problems with the Map transform when enriching datasets with multiple records.
- MQTT connector resilience improvements: Fixed an issue where async task panics could silently fail, addressed MQTT source status reporting on disconnect, and enhanced broker authorization handling with improved attribute matching validation.
Connectors
Fixes (MQTT)
- Connector async task panic handling: Fixed an issue where panics in connector async tasks could cause the MQTT connector to stop processing device data without surfacing a clear failure signal. The connector now properly surfaces and logs async task failures to enable faster diagnosis.
OPC UA
Fixes
- Session management and idle timeout: Fixed an issue where OPC UA Commander opened and closed sessions too frequently in certain customer scenarios. The method-execution client idle timeout is now configurable, allowing operators to tune session lifecycle behavior for their specific workloads.
- Action request expiration handling: Fixed an issue where actions were enqueued in the OPC UA execution queue even if the request had already expired. Expired requests are now properly rejected before reaching the execution queue.
- Endpoint state transitions: Fixed an issue where changed endpoints never transitioned to other states, causing them to remain in an inconsistent state. Endpoints now correctly transition between states in response to configuration changes and operational events.
MQTT
Fixes
- Broker authorization attribute matching: Fixed an issue where MQ Broker authorization with attributes expected all attributes from the Security Access Token (SAT) to match configured patterns. Authorization validation now correctly handles partial attribute matching according to configured policies.
Dataflows
Fixes
- Health status state machine recovery: Fixed an issue where dataflow graph health status could become stuck at Degraded after a download timeout. The health status state machine now correctly transitions out of degraded states when operations succeed.
- Map transform enrichment with multi-record datasets: Fixed an issue where the 1P "Map" transform failed to enrich records when the context dataset contained multiple records and belonged to an asset. The enrichment logic now correctly handles multi-record context datasets.
- Source status unavailability reporting on disconnect: Fixed an issue where the MQTT source status was not reporting unavailable when the connector disconnected. The source now correctly reports availability state changes on connection events.
Platform
Fixes
- Meta Operator recovery from transient failures: Fixed an issue where an Azure IoT Operations instance custom resource (CR) could become permanently stuck in Failed state after a transient upgrade failure. Instance recovery is now more resilient to temporary failures during upgrades and cluster scaling events.
Security
Fixes
- Glob metacharacter injection in BrokerAuthorization: Fixed a critical security vulnerability where special characters in BrokerAuthorization state-store key pattern substitution could be interpreted as glob metacharacters, potentially allowing unauthorized access. Key pattern matching now properly escapes metacharacters.
- RegistryEndpoint arbitrary audience/host for MSI token minting: Fixed a critical security vulnerability where RegistryEndpoint allowed arbitrary audience and host values when minting Managed Service Identity (MSI) tokens. Token minting now enforces strict validation of audience and host parameters.
- Azure IoT Operations Onboarding role self-assignment: Fixed a critical security vulnerability where the Azure IoT Operations Onboarding role had incomplete Attribute-Based Access Control (ABAC) conditions, allowing identities to self-assign the Contributor role. ABAC conditions have been strengthened to prevent role self-escalation.
- Schema Registry vulnerability remediation: Addressed security vulnerabilities in Schema Registry components by updating affected dependencies to patched versions.
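The glob metacharacter injection fix described above, illustrated with an added example that is not AIO's own code: a BrokerAuthorization-style key pattern that substitutes a token attribute into a state-store key glob, with verbatim substitution (the vulnerable form) beside substitution with escaped metacharacters (the fixed form). The `{principal.attributes.site}` placeholder syntax, the `statestore/...` key layout and the attribute values are constructed assumptions.

```python
import fnmatch
import glob

# Constructed example (not the AIO code base): an authorization rule that grants
# access to state-store keys under the caller's own site, taken from a token
# attribute. The placeholder syntax below is assumed for illustration.
KEY_PATTERN = "statestore/{principal.attributes.site}/*"


def expand_unescaped(pattern: str, attrs: dict) -> str:
    """Vulnerable form: attribute values are pasted into the glob verbatim,
    so a value such as "*" or "[a-z]*" widens the pattern."""
    out = pattern
    for key, value in attrs.items():
        out = out.replace("{principal.attributes.%s}" % key, value)
    return out


def expand_escaped(pattern: str, attrs: dict) -> str:
    """Fixed form: glob.escape wraps *, ? and [ in a character class so the
    substituted value can only match itself literally."""
    out = pattern
    for key, value in attrs.items():
        out = out.replace("{principal.attributes.%s}" % key, glob.escape(value))
    return out


def is_authorized(expanded_pattern: str, key: str) -> bool:
    """Match a requested state-store key against the expanded pattern.
    fnmatch's '*' also matches '/', which is fine for this demonstration."""
    return fnmatch.fnmatchcase(key, expanded_pattern)


def check(attrs: dict, key: str, escape: bool) -> bool:
    """Convenience wrapper: expand KEY_PATTERN for the caller and test one key."""
    expand = expand_escaped if escape else expand_unescaped
    return is_authorized(expand(KEY_PATTERN, attrs), key)


if __name__ == "__main__":
    benign = {"site": "plant-a"}
    hostile = {"site": "*"}  # constructed attribute value carrying a metacharacter
    print(check(benign, "statestore/plant-a/temperature", escape=True))   # True
    print(check(hostile, "statestore/plant-b/setpoint", escape=False))    # True: injection
    print(check(hostile, "statestore/plant-b/setpoint", escape=True))     # False: fixed
```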
Known Issues
- Inconsistent default authentication behavior on Akri Operator: The Akri Operator may display inconsistent default authentication behavior in certain configurations. Refer to updated documentation for recommended authentication configuration patterns.
- MQTT Connector blocks external MQTT brokers with private IPs: Starting with 2605, if the external MQTT broker has a private IP, the MQTT connector will not connect to it. This will be fully resolved in 2607.