2026 H1 Operator Release
Update to all Private Operators on all cloud providers.
Integration Guides
AWS Marketplace
GCP Confidential Space
Microsoft Azure
Release Notes
Performance Improvements
This release includes per-request optimizations that reduce CPU usage on common workloads:
- Crypto optimization: AES-GCM encryption/decryption now caches cipher instances and pre-allocates buffers
- Reduced overhead in HTTP path metric filtering and log masking
Bug Fixes
- Fixed clock/time drift seen in AWS private operators
Configuration / Deployment Changes
- Standardized enclave CPU and memory allocations across all cloud deployment templates to 6vCPU/24GB
- AWS: minimum enclave size (6vCPU/24GB) is now enforced at startup
- Azure: CCE policy generation is now registry-agnostic, supporting operator images served from an alternative container registry
- Azure: Upgrade SKR sidecar version
- GCP: default max_replicas reduced to 1 in Terraform template
API Changes
- Removed the legacy optout_check field from /token/generate. Opted-out users now always receive an opt-out response.
Security Updates
- Upgraded base images and OS packages to address security vulnerabilities (gnutls, musl, libpng, OpenSSL, libexpat)
- Upgraded Netty to 4.1.135.Final
Full Changelog
All changes since v5.62.24-r2
Operator
- service_instances, which controls the number of Verticle instances, now defaults to the vCPU count (#2413)
- Removed the legacy optout_check field (#2292)
- Removed Special Feature 1 (precise geolocation) consent validation for EUID token generation (#2338)
- AES-GCM cipher caching optimization via uid2-shared (#2284)
- Switched ECDH key agreement to ACCP for client-side token generation (#2276)
- Optimized HTTP path metric filtering (#2270)
- Added null check to getApiContact (#2374)
- New metrics: opt-out record counts (#2255), salt effective-timestamp (#2397), path/dii_type labels on identity map metrics (#2429)
- Updated salt bucket expiration handling (#2243)
- Aligned enclave CPU/memory standards across all cloud platforms (#2240)
AWS
- Enforce minimum enclave size (6 vCPU / 24 GB) at startup (#2580)
- Default core_base_url/optout_base_url inferred from identity scope + environment when missing from the operator secret (#2573)
- Fixed enclave clock drift via periodic time sync (#2300)
- Updated dante SOCKS proxy to 1.4.4 (#2415)
Azure
- Upgraded SKR sidecar to 2.14 for Azure CC (#2559) and AKS (#2571)
- Operator now waits for the SKR sidecar to be ready before starting (#2561)
- CCE policy generation uses --omit-id, making policies registry-agnostic (#2567)
GCP
- Default max_replicas reduced to 1 in the Terraform template (#2588)
Security & dependencies
- Netty upgraded to 4.1.132.Final (#2469) and then 4.1.135.Final (#2593)
- Base image updates: eclipse-temurin / JRE Alpine 3.23 (#2259, #2267, #2325, #2349)
- gnutls upgrades in Azure CC and GCP OIDC images (#2530, #2548)
- musl/musl-utils 1.2.5-r23 (#2494); libcrypto3/libssl3 (#2488); libpng (#2316); urllib3 in AWS scripts (#2536); zlib/libexpat/jackson-core and other non-exploitable findings triaged in .trivyignore (#2401, #2405, #2426, #2457, #2473, #2516, #2526)