Releases: hashicorp/nomad
v1.11.1
1.11.1 (December 09, 2025)
BREAKING CHANGES:
- docker: removed deprecated email auth config parameter [GH-27156]
SECURITY:
- build: Updated toolchain to Go 1.25.5 [GH-27186]
IMPROVEMENTS:
- connect: allow configuring identities for sidecar_task [GH-25877]
- landlock: check paths exist on setup [GH-27149]
- oidc: add support for array-based OIDC claims [GH-26958]
- qemu: Adds config parameters to modify qemu emulator binary and machine types and removes some hardcoded KVM accelerator settings. Defaults to previously used values of qemu-system-x86_64 and pc. The driver no longer forces machine type "host", or the -smp flag when using resources.cores with the KVM accelerator. [GH-27128]
- secrets: Adds nomad job ID and namespace to plugin environment [GH-27207]
BUG FIXES:
- acl: Made /agent and /recommendations endpoints workload-identity-aware [GH-27099]
- acl: include additional necessary permissions in the coarse-grained "scale" policy for nomad-autoscaler [GH-27061]
- api: Fixed a bug in the Go API where an event stream request without a topic filter would require a management token [GH-27065]
- cli: Fixed the var get command which was incorrectly displaying the variable modify time as the create time [GH-27208]
- client: return 403 when the caller doesn't have log streaming capabilities [GH-27098]
- csi: Fixed a bug where reading a volume from the API or event stream could erase its secrets [GH-27176]
- drain: Fixed a bug where clients configured with leave_on_terminate or leave_on_interrupt and drain_on_shutdown would receive a permission denied error when attempting to leave the cluster and drain themselves [GH-27115]
- dynamic host volumes: Ensure requested directory permission is correctly applied [GH-27068]
- dynamic host volumes: fix Windows compatibility [GH-27147]
- fingerprint: simplify storage fingerprint calculation to just (total disk space - reserved disk) [GH-27019]
- keyring: Do not mark the key as inactive until all follow-up rekey evals have completed. [GH-27193]
- keyring: Ensure follow-up rekey evals can be successfully created. [GH-27193]
- oidc: Add support for RFC9207, requiring an issuer param in authorization response if the provider requires it [GH-27168]
- reconciler: fixes a bug where stopping a job does not stop all allocations [GH-27175]
- scheduler (Enterprise): Fixed a bug where tasks were not placed on same numa node as reserved device [GH-27177]
- scheduler: Fixed a bug that was previously patched incorrectly where rescheduled allocations that could not be placed would later ignore their reschedule policy limits [GH-27129]
- server: Fixed a bug where a large backlog of unblocking evals could cause backpressure on Raft writes [GH-27184]
- ui: Fixed the error message presented for invalid Variables definitions [GH-26235]
v1.11.0
1.11.0 (November 11, 2025)
FEATURES:
- Client Identity: Nomad clients use identities for authenticating and authorizing themselves when performing RPC calls. The identities are generated and rotated automatically by Nomad servers with configurable TTLs. [GH-26291]
- Client Introduction: Nomad clients can now be introduced to the cluster using a token-based approach. Nomad servers can be configured with introduction enforcement levels which dictate how clients can join the cluster, resulting in logs and metrics to detail introduction violations. [GH-26430]
- scheduler: Enable deployments for system jobs [GH-26708]
- secrets: Adds secret block for fetching and interpolating secrets in job spec [GH-26681]
BREAKING CHANGES:
- metrics: Eval broker metrics that previously used the job ID as a label will now use the parent ID of dispatch and periodic jobs [GH-26737]
- sysbatch: Submitting a sysbatch job with a reschedule block will now return an error instead of being silently ignored [GH-26279]
SECURITY:
- build: Update go-getter to 1.8.3 that prevents a partially written file from remaining on disk with permissions that didn't include the umask. [GH-27034]
- build: Update toolchain to Go 1.25.2 to address Go stdlib CVE-2025-61724, CVE-2025-61725, CVE-2025-58187, CVE-2025-61723, CVE-2025-47912, CVE-2025-58185, CVE-2025-58186, CVE-2025-58188, and CVE-2025-58183 [GH-26909]
- job: Disallow tasks using the name "alloc" which breaks inter-task filesystem isolation [GH-27001]
IMPROVEMENTS:
- api: The Evaluations.Info method of the Go API now populates the RelatedEvals field. [GH-26156]
- build: Add tzdata to Docker container final image [GH-26794]
- build: Updated Go to 1.25.1 [GH-26823]
- cli: Add -preserve-resources flag for keeping resource block when updating jobs [GH-26841]
- cli: Added related evals and placed allocations tables to the eval status command, and exposed more fields without requiring the -verbose flag. [GH-26156]
- config: Added job_max_count option to limit number of allocs for a single job [GH-26858]
- consul connect: Allow cni/* network mode; use at your own risk [GH-26449]
- install (Enterprise): Updated license information displayed during post-install [GH-26791]
- metrics: Reduce memory usage on the Nomad leader for collecting eval broker metrics. [GH-26737]
- reporting (Enterprise): Include product usage metrics with license utilization reports [GH-27005]
- scheduler: Add reconciler annotations to the output of the eval status command [GH-26188]
- scheduler: Debug-level logs emitted by the scheduler are now single-line structured logs [GH-26169]
- scheduler: For service and batch jobs, the scheduler no longer includes stops for already-stopped canaries in plans it submits. [GH-26292]
- scheduler: For service and batch jobs, the scheduler treats a group.count=0 identically to removing the task group from the job, and will stop all non-terminal allocations. [GH-26292]
DEPRECATIONS:
- api: the Resources and Reserved fields on the Node struct in the Go API are deprecated and will be removed in Nomad 1.12.0. Use the NodeResources and ReservedResources fields instead [GH-26951]
BUG FIXES:
- acl: Fixed a bug where ACL policies would silently accept invalid or duplicate blocks [GH-26836]
- auth: Fixed a bug where workload identity tokens could not be used to list or get policies from the ACL API [GH-26772]
- build: Updated toolchain to Go 1.25.3 to address bug in TLS certificate validation [GH-26949]
- client: Fix unique identifiers for templates with same content [GH-26880]
- client: restore task network status on client restart so restarted tasks receive proper networking environment variables, hosts file, and resolv.conf. [GH-26699]
- consul (Enterprise): Fixed a bug where Consul fingerprinting would generate warning logs if there was no default cluster [GH-26787]
- core: Fixed a bug where GC batch sizes for jobs resulted in excessively large Raft logs [GH-26974]
- csi: Fixed a bug where multiple node plugin RPCs could be in-flight for a single volume [GH-26832]
- csi: Fixed a bug where volumes could be unmounted while in use by a task that was shutting down [GH-26831]
- docker: Fixed a bug where cpu usage percentage was incorrectly measured when container was stopped [GH-26902]
- keyring: fixes an issue with Vault transit configuration where tls_skip_verify was not defaulting to false [GH-26664]
- networking: Fixed network interface detection failure with bridge or CNI mode on IPv6-only interfaces [GH-26910]
- scheduler: Fixed scheduling behavior of batch job allocations [GH-26961]
- scheduler: allow use of different vendor/models when checking for device counts while filtering feasible nodes [GH-26649]
- scheduler: fixes a bug selecting nodes for updated jobs with ephemeral disks when nodepool changes [GH-26662]
- state: Fixed a bug where the server could panic when attempting to remove unneeded evals from the eval broker [GH-26872]
- ui: Fixed a bug where action fly-outs would fail to open due to a missing module [GH-26833]
- windows: Fixed a bug where agents would not gracefully shut down on Ctrl-C [GH-26780]
v1.8.18 (Enterprise)
SECURITY:
- build: Update go-getter to 1.8.3 that prevents a partially written file from remaining on disk with permissions that didn't include the umask. [GH-27034]
- build: Update toolchain to Go 1.25.2 to address Go stdlib CVE-2025-61724, CVE-2025-61725, CVE-2025-58187, CVE-2025-61723, CVE-2025-47912, CVE-2025-58185, CVE-2025-58186, CVE-2025-58188, and CVE-2025-58183 [GH-26909]
- job: Disallow tasks using the name "alloc" which breaks inter-task filesystem isolation [GH-27001]
IMPROVEMENTS:
- build: Add tzdata to Docker container final image [GH-26794]
- build: Updated Go to 1.25.1 [GH-26823]
- install (Enterprise): Updated license information displayed during post-install [GH-26791]
- reporting (Enterprise): Include product usage metrics with license utilization reports [GH-27005]
BUG FIXES:
- acl: Fixed a bug where ACL policies would silently accept invalid or duplicate blocks [GH-26836]
- auth: Fixed a bug where workload identity tokens could not be used to list or get policies from the ACL API [GH-26772]
- build: Updated toolchain to Go 1.25.3 to address bug in TLS certificate validation [GH-26949]
- client: Fix unique identifiers for templates with same content [GH-26880]
- client: restore task network status on client restart so restarted tasks receive proper networking environment variables, hosts file, and resolv.conf. [GH-26699]
- consul (Enterprise): Fixed a bug where Consul fingerprinting would generate warning logs if there was no default cluster [GH-26787]
- core: Fixed a bug where GC batch sizes for jobs resulted in excessively large Raft logs [GH-26974]
- csi: Fixed a bug where multiple node plugin RPCs could be in-flight for a single volume [GH-26832]
- csi: Fixed a bug where volumes could be unmounted while in use by a task that was shutting down [GH-26831]
- docker: Fixed a bug where cpu usage percentage was incorrectly measured when container was stopped [GH-26902]
- keyring: fixes an issue with Vault transit configuration where tls_skip_verify was not defaulting to false [GH-26664]
- multiregion (Enterprise): fixes a bug where multiregion deployments could become deadlocked
- multiregion: fixes a bug where unblocking region could make unnecessary queries to other regions
- scheduler: Fixed scheduling behavior of batch job allocations [GH-26961]
- scheduler: allow use of different vendor/models when checking for device counts while filtering feasible nodes [GH-26649]
- scheduler: fixes a bug selecting nodes for updated jobs with ephemeral disks when nodepool changes [GH-26662]
- state: Fixed a bug where the server could panic when attempting to remove unneeded evals from the eval broker [GH-26872]
- ui: Fixed a bug where action fly-outs would fail to open due to a missing module [GH-26833]
- windows: Fixed a bug where agents would not gracefully shut down on Ctrl-C [GH-26780]
v1.10.6 (Enterprise)
SECURITY:
- build: Update go-getter to 1.8.3 that prevents a partially written file from remaining on disk with permissions that didn't include the umask. [GH-27034]
- build: Update toolchain to Go 1.25.2 to address Go stdlib CVE-2025-61724, CVE-2025-61725, CVE-2025-58187, CVE-2025-61723, CVE-2025-47912, CVE-2025-58185, CVE-2025-58186, CVE-2025-58188, and CVE-2025-58183 [GH-26909]
- job: Disallow tasks using the name "alloc" which breaks inter-task filesystem isolation [GH-27001]
IMPROVEMENTS:
- build: Add tzdata to Docker container final image [GH-26794]
- build: Updated Go to 1.25.1 [GH-26823]
- cli: Add -preserve-resources flag for keeping resource block when updating jobs [GH-26841]
- install (Enterprise): Updated license information displayed during post-install [GH-26791]
- reporting (Enterprise): Include product usage metrics with license utilization reports [GH-27005]
BUG FIXES:
- acl: Fixed a bug where ACL policies would silently accept invalid or duplicate blocks [GH-26836]
- auth: Fixed a bug where workload identity tokens could not be used to list or get policies from the ACL API [GH-26772]
- build: Updated toolchain to Go 1.25.3 to address bug in TLS certificate validation [GH-26949]
- client: Fix unique identifiers for templates with same content [GH-26880]
- client: restore task network status on client restart so restarted tasks receive proper networking environment variables, hosts file, and resolv.conf. [GH-26699]
- consul (Enterprise): Fixed a bug where Consul fingerprinting would generate warning logs if there was no default cluster [GH-26787]
- core: Fixed a bug where GC batch sizes for jobs resulted in excessively large Raft logs [GH-26974]
- csi: Fixed a bug where multiple node plugin RPCs could be in-flight for a single volume [GH-26832]
- csi: Fixed a bug where volumes could be unmounted while in use by a task that was shutting down [GH-26831]
- docker: Fixed a bug where cpu usage percentage was incorrectly measured when container was stopped [GH-26902]
- keyring: fixes an issue with Vault transit configuration where tls_skip_verify was not defaulting to false [GH-26664]
- networking: Fixed network interface detection failure with bridge or CNI mode on IPv6-only interfaces [GH-26910]
- scheduler: Fixed scheduling behavior of batch job allocations [GH-26961]
- scheduler: allow use of different vendor/models when checking for device counts while filtering feasible nodes [GH-26649]
- scheduler: fixes a bug selecting nodes for updated jobs with ephemeral disks when nodepool changes [GH-26662]
- state: Fixed a bug where the server could panic when attempting to remove unneeded evals from the eval broker [GH-26872]
- ui: Fixed a bug where action fly-outs would fail to open due to a missing module [GH-26833]
- windows: Fixed a bug where agents would not gracefully shut down on Ctrl-C [GH-26780]
v1.11.0-rc.1
Changes since v1.10:
FEATURES:
- Client Identity: Nomad clients use identities for authenticating and authorizing themselves when performing RPC calls. The identities are generated and rotated automatically by Nomad servers with configurable TTLs. [GH-26291]
- Client Introduction: Nomad clients can now be introduced to the cluster using a token-based approach. Nomad servers can be configured with introduction enforcement levels which dictate how clients can join the cluster, resulting in logs and metrics to detail introduction violations. [GH-26430]
- Job Specification Secrets Block: Adds secret block for fetching and interpolating secrets in job spec [GH-26681]
- System Job Deployment: Enable deployments for system jobs [GH-26708]
BREAKING CHANGES:
- metrics: Eval broker metrics that previously used the job ID as a label will now use the parent ID of dispatch and periodic jobs [GH-26737]
- sysbatch: Submitting a sysbatch job with a reschedule block will now return an error instead of being silently ignored [GH-26279]
SECURITY:
- build: Update go-getter to 1.8.3 that prevents a partially written file from remaining on disk with permissions that didn't include the umask. [GH-27034]
- build: Update toolchain to Go 1.25.2 to address Go stdlib CVE-2025-61724, CVE-2025-61725, CVE-2025-58187, CVE-2025-61723, CVE-2025-47912, CVE-2025-58185, CVE-2025-58186, CVE-2025-58188, and CVE-2025-58183 [GH-26909]
- job: Disallow tasks using the name "alloc" which breaks inter-task filesystem isolation [GH-27001]
IMPROVEMENTS:
- api: The Evaluations.Info method of the Go API now populates the RelatedEvals field. [GH-26156]
- build: Add tzdata to Docker container final image [GH-26794]
- build: Updated Go to 1.25.1 [GH-26823]
- cli: Add -preserve-resources flag for keeping resource block when updating jobs [GH-26841]
- cli: Added related evals and placed allocations tables to the eval status command, and exposed more fields without requiring the -verbose flag. [GH-26156]
- config: Added job_max_count option to limit number of allocs for a single job [GH-26858]
- consul connect: Allow cni/* network mode; use at your own risk [GH-26449]
- install (Enterprise): Updated license information displayed during post-install [GH-26791]
- metrics: Reduce memory usage on the Nomad leader for collecting eval broker metrics. [GH-26737]
- reporting (Enterprise): Include product usage metrics with license utilization reports [GH-27005]
- scheduler: Add reconciler annotations to the output of the eval status command [GH-26188]
- scheduler: Debug-level logs emitted by the scheduler are now single-line structured logs [GH-26169]
- scheduler: For service and batch jobs, the scheduler no longer includes stops for already-stopped canaries in plans it submits. [GH-26292]
- scheduler: For service and batch jobs, the scheduler treats a group.count=0 identically to removing the task group from the job, and will stop all non-terminal allocations. [GH-26292]
DEPRECATIONS:
- api: the Resources and Reserved fields on the Node struct in the Go API are deprecated and will be removed in Nomad 1.12.0. Use the NodeResources and ReservedResources fields instead [GH-26951]
BUG FIXES:
- acl: Fixed a bug where ACL policies would silently accept invalid or duplicate blocks [GH-26836]
- auth: Fixed a bug where workload identity tokens could not be used to list or get policies from the ACL API [GH-26772]
- build: Updated toolchain to Go 1.25.3 to address bug in TLS certificate validation [GH-26949]
- client: Fix unique identifiers for templates with same content [GH-26880]
- client: restore task network status on client restart so restarted tasks receive proper networking environment variables, hosts file, and resolv.conf. [GH-26699]
- consul (Enterprise): Fixed a bug where Consul fingerprinting would generate warning logs if there was no default cluster [GH-26787]
- core: Fixed a bug where GC batch sizes for jobs resulted in excessively large Raft logs [GH-26974]
- csi: Fixed a bug where multiple node plugin RPCs could be in-flight for a single volume [GH-26832]
- csi: Fixed a bug where volumes could be unmounted while in use by a task that was shutting down [GH-26831]
- docker: Fixed a bug where cpu usage percentage was incorrectly measured when container was stopped [GH-26902]
- keyring: fixes an issue with Vault transit configuration where tls_skip_verify was not defaulting to false [GH-26664]
- networking: Fixed network interface detection failure with bridge or CNI mode on IPv6-only interfaces [GH-26910]
- scheduler: Fixed scheduling behavior of batch job allocations [GH-26961]
- scheduler: allow use of different vendor/models when checking for device counts while filtering feasible nodes [GH-26649]
- scheduler: fixes a bug selecting nodes for updated jobs with ephemeral disks when nodepool changes [GH-26662]
- state: Fixed a bug where the server could panic when attempting to remove unneeded evals from the eval broker [GH-26872]
- ui: Fixed a bug where action fly-outs would fail to open due to a missing module [GH-26833]
- windows: Fixed a bug where agents would not gracefully shut down on Ctrl-C [GH-26780]
v1.11.0-beta.1
FEATURES:
- Client Identity: Nomad clients use identities for authenticating and authorizing themselves when performing RPC calls. The identities are generated and rotated automatically by Nomad servers with configurable TTLs. [GH-26291]
- Client Introduction: Nomad clients can now be introduced to the cluster using a token-based approach. Nomad servers can be configured with introduction enforcement levels which dictate how clients can join the cluster, resulting in logs and metrics to detail introduction violations. [GH-26430]
- Job Specification Secrets Block: Adds secret block for fetching and interpolating secrets in job spec [GH-26681]
- System Job Deployments: Enable deployments for system jobs [GH-26708]
BREAKING CHANGES:
- metrics: Eval broker metrics that previously used the job ID as a label will now use the parent ID of dispatch and periodic jobs [GH-26737]
- sysbatch: Submitting a sysbatch job with a reschedule block will now return an error instead of being silently ignored [GH-26279]
SECURITY:
- build: Update toolchain to Go 1.25.2 to address Go stdlib CVE-2025-61724, CVE-2025-61725, CVE-2025-58187, CVE-2025-61723, CVE-2025-47912, CVE-2025-58185, CVE-2025-58186, CVE-2025-58188, and CVE-2025-58183 [GH-26909]
IMPROVEMENTS:
- api: The Evaluations.Info method of the Go API now populates the RelatedEvals field. [GH-26156]
- build: Add tzdata to Docker container final image [GH-26794]
- build: Updated Go to 1.25.1 [GH-26823]
- cli: Add -preserve-resources flag for keeping resource block when updating jobs [GH-26841]
- cli: Added related evals and placed allocations tables to the eval status command, and exposed more fields without requiring the -verbose flag. [GH-26156]
- config: Added job_max_count option to limit number of allocs for a single job [GH-26858]
- consul connect: Allow cni/* network mode; use at your own risk [GH-26449]
- install (Enterprise): Updated license information displayed during post-install [GH-26791]
- metrics: Reduce memory usage on the Nomad leader for collecting eval broker metrics. [GH-26737]
- scheduler: Add reconciler annotations to the output of the eval status command [GH-26188]
- scheduler: Debug-level logs emitted by the scheduler are now single-line structured logs [GH-26169]
- scheduler: For service and batch jobs, the scheduler no longer includes stops for already-stopped canaries in plans it submits. [GH-26292]
- scheduler: For service and batch jobs, the scheduler treats a group.count=0 identically to removing the task group from the job, and will stop all non-terminal allocations. [GH-26292]
BUG FIXES:
- acl: Fixed a bug where ACL policies would silently accept invalid or duplicate blocks [GH-26836]
- auth: Fixed a bug where workload identity tokens could not be used to list or get policies from the ACL API [GH-26772]
- build: Updated toolchain to Go 1.25.3 to address bug in TLS certificate validation [GH-26949]
- client: Fix unique identifiers for templates with same content [GH-26880]
- client: restore task network status on client restart so restarted tasks receive proper networking environment variables, hosts file, and resolv.conf. [GH-26699]
- consul (Enterprise): Fixed a bug where Consul fingerprinting would generate warning logs if there was no default cluster [GH-26787]
- csi: Fixed a bug where multiple node plugin RPCs could be in-flight for a single volume [GH-26832]
- csi: Fixed a bug where volumes could be unmounted while in use by a task that was shutting down [GH-26831]
- docker: Fixed a bug where cpu usage percentage was incorrectly measured when container was stopped [GH-26902]
- keyring: fixes an issue with Vault transit configuration where tls_skip_verify was not defaulting to false [GH-26664]
- networking: Fixed network interface detection failure with bridge or CNI mode on IPv6-only interfaces [GH-26910]
- scheduler: allow use of different vendor/models when checking for device counts while filtering feasible nodes [GH-26649]
- scheduler: fixes a bug selecting nodes for updated jobs with ephemeral disks when nodepool changes [GH-26662]
- state: Fixed a bug where the server could panic when attempting to remove unneeded evals from the eval broker [GH-26872]
- windows: Fixed a bug where agents would not gracefully shut down on Ctrl-C [GH-26780]
v1.9.13 (Enterprise)
1.9.13 Enterprise (September 19, 2025)
SECURITY:
- build: Update go-getter to 1.7.9 to address CVE-2025-8959. Nomad Client Agents with Landlock support are not impacted by this vulnerability. [GH-26533]
- client: inspect artifacts for sandbox escape when landlock is unavailable [GH-26608]
IMPROVEMENTS:
- config: Validate the keyring configuration block label against supported values on agent startup [GH-26673]
- scheduling: Improve performance of scheduling when checking reserved ports usage [GH-26712]
- ui: Updated icons to the newest design system [GH-25353]
BUG FIXES:
- consul: Fixed a bug where restarting the Nomad agent would cause Consul ACL tokens to be recreated [GH-26604]
- dispatch: Fixed a bug where evaluations were not created atomically with dispatched jobs, which could prevent dispatch jobs from creating allocations [GH-26710]
- exec: Adjust USER and HOME env vars when user value is set [GH-25859]
- exec: Correctly set the LOGNAME env var when the job specification user value is set [GH-26703]
- logs: skip logging SIGPIPE [GH-26582]
v1.8.17 (Enterprise)
1.8.17 Enterprise (September 19, 2025)
SECURITY:
- build: Update go-getter to 1.7.9 to address CVE-2025-8959. Nomad Client Agents with Landlock support are not impacted by this vulnerability. [GH-26533]
- client: inspect artifacts for sandbox escape when landlock is unavailable [GH-26608]
IMPROVEMENTS:
- config: Validate the keyring configuration block label against supported values on agent startup [GH-26673]
- scheduling: Improve performance of scheduling when checking reserved ports usage [GH-26712]
- ui: Updated icons to the newest design system [GH-25353]
BUG FIXES:
- consul: Fixed a bug where restarting the Nomad agent would cause Consul ACL tokens to be recreated [GH-26604]
- dispatch: Fixed a bug where evaluations were not created atomically with dispatched jobs, which could prevent dispatch jobs from creating allocations [GH-26710]
- exec: Adjust USER and HOME env vars when user value is set [GH-25859]
- exec: Correctly set the LOGNAME env var when the job specification user value is set [GH-26703]
- logs: skip logging SIGPIPE [GH-26582]
v1.10.5
1.10.5 (September 09, 2025)
SECURITY:
- build: Update Go to 1.24.7 to address CVE-2025-47910 [GH-26713]
- build: Update go-getter to 1.7.9 to address CVE-2025-8959. Nomad Client Agents with Landlock support are not impacted by this vulnerability. [GH-26533]
- client: inspect artifacts for sandbox escape when landlock is unavailable [GH-26608]
IMPROVEMENTS:
- agent: Allow agent logging to the Windows Event Log [GH-26441]
- cli: Add commands for installing and uninstalling Windows system service [GH-26442]
- config: Validate the keyring configuration block label against supported values on agent startup [GH-26673]
- scheduling: Improve performance of scheduling when checking reserved ports usage [GH-26712]
BUG FIXES:
- consul: Fixed a bug where restarting the Nomad agent would cause Consul ACL tokens to be recreated [GH-26604]
- csi: fix EOF error when registering volumes [GH-26642]
- dispatch: Fixed a bug where evaluations were not created atomically with dispatched jobs, which could prevent dispatch jobs from creating allocations [GH-26710]
- exec: Adjust USER and HOME env vars when user value is set [GH-25859]
- exec: Correctly set the LOGNAME env var when the job specification user value is set [GH-26703]
- logs: skip logging SIGPIPE [GH-26582]
v1.9.12 (Enterprise)
1.9.12 Enterprise (August 13, 2025)
SECURITY:
- build: Update Go to 1.24.3 to address CVE-2025-47906 [GH-26451]
BUG FIXES:
- alloc exec: Fixed executor panic when exec-ing a rootless raw_exec task [GH-26401]
- client: run all allocrunner postrun (cleanup) hooks, even if any of them error [GH-26271]
- consul: Add AllocIPv6 option to allow IPv6 address being used for service registration [GH-25632]
- jobspec: Validate required hook field in lifecycle block [GH-26285]
- reporting (Enterprise): Fixed a bug where older servers could panic if the leader upgrades to a version with offline reporting
- services: Fixed a bug where Nomad services were deleted if a node missed heartbeats and recovered before allocs were migrated [GH-26424]