build(deps): bump github.com/hashicorp/vault/api from 1.0.5-0.20200717191844-f687267c8086 to 1.23.0

[dependabot]

Bumps github.com/hashicorp/vault/api from 1.0.5-0.20200717191844-f687267c8086 to 1.23.0.

Release notes

Sourced from github.com/hashicorp/vault/api's releases.

v1.21.4

SECURITY:

• Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• Upgrade filippo.io/edwards25519 to v1.1.1 to resolve GO-2026-4503
• vault/sdk: Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• vault/sdk: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 to resolve GO-2026-4394

CHANGES:

• core: Bump Go version to 1.25.7
• mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
• ui: Remove ability to bulk delete secrets engines from the list view.

IMPROVEMENTS:

• core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
• secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
• secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support.

BUG FIXES:

• core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
• core/identity (enterprise): Fix excessive logging when updating existing aliases
• core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
• plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header.
• secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
• secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
• secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage
• secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithms.
• secrets/pki: The root/sign-intermediate endpoint should not fail when provided a CSR with a basic constraint extension containing isCa set to true
• secrets/pki: allow glob-style DNS names in alt_names.

v1.21.3

February 05, 2026

SECURITY:

auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.

CHANGES:

core: Bump Go version to 1.25.6

FEATURES:

UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries

IMPROVEMENTS:

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault/api's changelog.

1.15.16 Enterprise

October 09, 2024

SECURITY:

• secrets/identity: A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their privileges to Vault's root policy (CVE-2024-9180) HCSEC-2024-21

IMPROVEMENTS:

• core: log at level ERROR rather than INFO when all seals are unhealthy. [GH-28564]

BUG FIXES:

• auth/cert: When using ocsp_ca_certificates, an error was produced though extra certs validation succeeded. [GH-28597]
• auth/token: Fix token TTL calculation so that it uses max_lease_ttl tune value for tokens created via auth/token/create. [GH-28498]

1.15.15 Enterprise

September 25, 2024

SECURITY:

• secrets/ssh: require valid_principals to contain a value or default_user be set by default to guard against potentially insecure configurations. allow_empty_principals can be used for backwards compatibility [HCSEC-2024-20](https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/7025

CHANGES:

• core: Bump Go version to 1.22.7.
• secrets/ssh: Add a flag, allow_empty_principals to allow keys or certs to apply to any user/principal. [GH-28466]

BUG FIXES:

• secret/aws: Fixed potential panic after step-down and the queue has not repopulated. [GH-28330]
• auth/cert: During certificate validation, OCSP requests are debug logged even if Vault's log level is above DEBUG. [GH-28450]
• auth/cert: ocsp_ca_certificates field was not honored when validating OCSP responses signed by a CA that did not issue the certificate. [GH-28309]
• auth: Updated error handling for missing login credentials in AppRole and UserPass auth methods to return a 400 error instead of a 500 error. [GH-28441]
• core: Fixed an issue where maximum request duration timeout was not being added to all requests containing strings sys/monitor and sys/events. With this change, timeout is now added to all requests except monitor and events endpoint. [GH-28230]

1.15.14 Enterprise

August 29, 2024

CHANGES:

• activity (enterprise): filter all fields in client count responses by the request namespace [GH-27790]
• core: Bump Go version to 1.22.6

IMPROVEMENTS:

• activity log: Changes how new client counts in the current month are estimated, in order to return more visibly sensible totals. [GH-27547]
• activity: /sys/internal/counters/activity will now include a warning if the specified usage period contains estimated client counts. [GH-28068]
• cli: vault operator usage will now include a warning if the specified usage period contains estimated client counts. [GH-28068]
• core/activity: Ensure client count queries that include the current month return consistent results by sorting the clients before performing estimation [GH-28062]

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: pr/no-changelog. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.