v0.17.0

Important changes

• Warpgate now automatically falls back to email if preferred_username is not available from an SSO provider when auto-creating new users - by @SteezyCougar in #1475

Features

• Added a Helm chart (beta) - by @alice-dops in #1502
• Added ML-KEM post-quantum key exchange by @kruton in #1527

Fixes

• SSH server doesnt offer ed25519 hostkey by @fpfeifferik in #1473
• Added diffie-hellman-group-exchange-sha256 to SSH key exchange list by @joseluisgonzalezca in #1493
• Canonicalize Oauth Redirect with cross domain session cookie by @SteezyCougar in #1476
• Spawn task immediately when accepting connection by @kruton in #1521
• Fixed --debug CLI option by @kruton in #1526

Docs

• Correct dependency install command by @LarsSven in #1506

New Contributors

• @fpfeifferik made their first contribution in #1473
• @SteezyCougar made their first contribution in #1475
• @LarsSven made their first contribution in #1506
• @step-security-bot made their first contribution in #1508
• @kruton made their first contribution in #1521

Full Changelog: v0.16.0...v0.17.0

v0.16.0

Security fixes

• 3c003fc - fixed CVE-2025-54804
  • This vulnerability has allowed a malicious authenticated client or target server to trigger a Rust panic in Warpgate and potentially cause a service restart

Major changes

• Docker image : add healthcheck, linting and run as regular user by @hugosxm in #1433
  • The Docker image now runs under UID 1000 instead of 0. Depending on your setup, this might cause permission errors when trying to access the Warpgate data files, you might have to chmod them. Run Docker with --uid 0 to revert to the old, less safe behaviour.
• Added bandwidth limiting support in #1443
  • You can set bandwidth limits globally, per user and per target - works for SSH, MySQL and Postgres targets.

Changes

• Warpgate now sets TCP_NODELAY for better performance - in #1447 and by @tom-90 in #1449

Fixes

• fd6607b - fix channels losing unflushed data when closing
• 4d5ebe4 - fix SCP hangups
• 05235d9 - fixed incorrect relative path resolution in setup
• 5a4b295 - fixed #1424 - OOB UI fails with repeating characters
• version attribute is obsolete by @ulab in #1435
• 8ad6972 - fixed #1442 - unnecessary get_info auth restrictions

New Contributors

• @hugosxm made their first contribution in #1433
• @ulab made their first contribution in #1435
• @tom-90 made their first contribution in #1449

Full Changelog: v0.15.0...v0.16.0

v0.15.0

Features

• fixed #1104 - SNI support in #1402 - see https://warpgate.null.page/sni/
• fixed #1220 - direct-streamlocal (local UNIX socket forwarding) support in 103a480
• fixed #1368 - correctly generate version number in docker in #1372
• fixed #954 - enable gzip support for http targets in 9e144f8
• fixed #1367 - replace Swagger with Stoplight Elements in the API playground and add a note about token header in 1df9b45

Fixes

• fixed #1381 - skip password auth in postgres if not required in #1383
• fix(panel): fix user profile link by @joseluisgonzalezca in #1384
• feat(http): support for insecured websocket connections if TLS Verifyflag is disabled by @joseluisgonzalezca in #1385
• fix(logs): normalize logs timestamp format with fixed sub-second digits by @joseluisgonzalezca in #1387
• fix(auth): skip web approval auth method only if there are other authentication methods available by @joseluisgonzalezca in #1390
• fixed #1396 - fixed API token auth for getAllTargets API in #1397
• fixed #1395 - preselect current user in access instructions modal by @Eugeny in #1405
• fixed #1404 - SSO user autocreation not working with Entra ID by @Eugeny in #1406
• fixed #1411 - duplicate Host header sent to HTTP/2 targets by @Eugeny in #1412

New Contributors

• @joseluisgonzalezca made their first contribution in #1384

Full Changelog: v0.14.1...v0.15.0

v0.15.0-beta.2

Fixes

• fixed #1395 - preselect current user in access instructions modal by @Eugeny in #1405
• fixed #1404 - SSO user autocreation not working with Entra ID by @Eugeny in #1406

Full Changelog: v0.15.0-beta.1...v0.15.0-beta.2

v0.15.0-beta.1

Features

• fixed #1104 - SNI support in #1402 - see https://warpgate.null.page/sni/
• fixed #1220 - direct-streamlocal (local UNIX socket forwarding) support in 103a480
• fixed #1368 - correctly generate version number in docker in #1372
• fixed #954 - enable gzip support for http targets in 9e144f8
• fixed #1367 - replace Swagger with Stoplight Elements in the API playground and add a note about token header in 1df9b45

Fixes

• fixed #1381 - skip password auth in postgres if not required in #1383
• fix(panel): fix user profile link by @joseluisgonzalezca in #1384
• feat(http): support for insecured websocket connections if TLS Verifyflag is disabled by @joseluisgonzalezca in #1385
• fix(logs): normalize logs timestamp format with fixed sub-second digits by @joseluisgonzalezca in #1387
• fix(auth): skip web approval auth method only if there are other authentication methods available by @joseluisgonzalezca in #1390
• fixed #1396 - fixed API token auth for getAllTargets API in #1397

New Contributors

• @joseluisgonzalezca made their first contribution in #1384

Full Changelog: v0.14.1...v0.15.0-beta.1

v0.14.1

Fixes

• c0de2f0: fixed #1366 - API crash

v0.14.0

Major changes

• 863af5e: #1323 - In-browser auth (2FA/SSO) support for PostgreSQL (#1338) #1338
• 53971dc: #1334 New in-browser auth requests will automatically show up on the Warpgate homepage if the user is logged in (#1335) #1335
• ec98c3d: Option to check and accepting SSH target's host keys from the admin UI (#1307) #1307

Changes

• Deleting an SSH target will now auto-remove its known hosts entry (#1300) #1300 (Chinmay Pai)
• Prefer SSO provider buttons will prefer label over name in the login UI (Eugene)
• 4533401: Warpgate will now forward HTTP basic auth credentials (if present) from an HTTP target's URL correctly (#1343) #1343
• cea7acc: #1281 - Added description fields for most objects (#1294) #1294
• 9841421: #1281 - List role members and targets in the UI (#1295) #1295
• 6b22399: Added SBOMs to release artifacts (#1289) #1289
• 74ca553: Add "getting started" hints to the UI (#1344) #1344

Fixes

• Fixed Warpgate attempting RSA key auth against a target too many times, exhausting the OpenSSH limits (#1274) #1274 (Eugene)
• 95dce41: Fix SSH Client to respond to keyboard-interactive when target has optional 2FA (#1273) (samtoxie) #1273
• 51c8937: fixed frontend crash in list pagination
• 5d3a8ac: Force the config file format to YAML (#1299) (Mice7R) #1299
• 4b74303: #1271 - modals are invisible with prefers-reduced-motion
• 0a3e444: fixed #1285 - unable to add public keys via credentials self-service
• 26a9c99: fixed #1326 - UI allowing duplicate target names (#1328) #1328
• d465586: fixed enter key handling in the "create target" form
• b4076ef: fixed #1320 - JDBC based Postgres clients not connecting
• 87b409b: SQL content of prepared Postgres queries were not logged
• 5ee29b9: fixed #1337 - automatically strip the public key comment when setting via the API
• 2381f55: fixed #972 - SSH server not offering keyboard-interactive when only OOB or SSO auth is enabled for a user
• 9bc1c9d: fixed #1346 - changing own password does not remove existing passwors
• 33803f1: fixed #1336 - correctly parse ECC certificates - no longer handle incorrect PEM header
• 331af97: fixed #1356 - generate config schema (#1357) #1357

v0.14.0-beta.3

Fixes

• 33803f1: fixed #1336 - correctly parse ECC certificates - no longer handle incorrect PEM header
• 331af97: fixed #1356 - generate config schema (#1357) #1357

v0.14.0-beta.2

Changes

• UI updates

Fixes

• 9bc1c9d: fixed #1346 - changing own password does not remove existing passwors

v0.14.0-beta.1

Changes

• 863af5e: fixed #1323 - In-browser auth (2FA/SSO) support for PostgreSQL (#1338) #1338
• 53971dc: #1334 New in-browser auth requests will automatically show up on the Warpgate homepage if the user is logged in (#1335) #1335
• Deleting an SSH target will now auto-remove its known hosts entry (#1300) #1300 (Chinmay Pai)
• ec98c3d: Offer checking and accepting SSH host keys from the admin UI (#1307) #1307
• Prefer SSO provider buttons will prefer label over name in the login UI (Eugene)
• 4533401: Warpgate will now forward HTTP basic auth credentials (if present) from an HTTP target's URL correctly (#1343) #1343
• cea7acc: #1281 - Added description fields for most objects (#1294) #1294
• 9841421: #1281 - List role members and targets in the UI (#1295) #1295
• 6b22399: Added SBOMs to release artifacts (#1289) #1289
• 74ca553: Add a "getting started" hints to the UI (#1344) #1344

Fixes

• Fixed Warpgate attempting RSA key auth against a target too many times, exhausting the OpenSSH limits (#1274) #1274 (Eugene)
• 95dce41: Fix SSH Client to respond to keyboard-interactive when target has optional 2FA (#1273) (samtoxie) #1273
• 51c8937: fixed frontend crash in list pagination
• 5d3a8ac: Force the config file format to YAML (#1299) (Mice7R) #1299
• 4b74303: #1271 - modals are invisible with prefers-reduced-motion
• 0a3e444: fixed #1285 - unable to add public keys via credentials self-service
• 26a9c99: fixed #1326 - UI allowing duplicate target names (#1328) #1328
• d465586: fixed enter key handling in the "create target" form
• b4076ef: fixed #1320 - JDBC based Postgres clients not connecting
• 87b409b: SQL content of prepared Postgres queries were not logged
• 5ee29b9: fixed #1337 - automatically strip the public key comment when setting via the API
• 2381f55: fixed #972 - SSH server not offering keyboard-interactive when only OOB or SSO auth is enabled for a user