Update ghcr.io/warp-tech/warpgate Docker tag to v0.24.1

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
ghcr.io/warp-tech/warpgate	minor	v0.8.1 → 0.24.1

---

Release Notes

warp-tech/warpgate (ghcr.io/warp-tech/warpgate)

v0.24.1

Compare Source

Fixes

• Fixed the bug where clicking SSH connection instructions would open both instructions and WebSSH

Full Changelog: warp-tech/warpgate@v0.24.0...v0.24.1

v0.24.0

Compare Source

WebSSH update

This is a large feature release bringing a web-based SSH terminal and self-service ticket requests.

Migrating

If you use domain binding with SSO and want to use the bound domain for the SSO return URL, you'll need to set the new return_url_domain option to host_header - see more at https://warpgate.null.page/sso/#domain-handling

New features

Web SSH #​1943

Your users will now be able to connect to their SSH targets directly from the web browser. The terminal supports multiple tabs and single file transfers via ZMODEM.

Clicking an SSH target will open the terminal by default, but this can be changed under Config > Global parameters.

Default roles #​1923

Roles can now be marked "default", which will auto-assign them to any newly created users.

Self-serve tickets #​1818

_{by @​SteezyCougar}

If enabled under Config > Global parameters, users will be able to request ticket creation from their profile page. Admins will be able to see and approve/reject these requests on the Ticket admin page. Tickets for already allowed targets can be optionally auto-approved.

Changes

• Sectioned forms for users and targets by @​Eugeny in #​1961
• fixed #​1975, fixed #​1976 - let admin choose the default target click action by @​Eugeny in #​1983
• Little/max api token duration by @​SteezyCougar in #​1946
• fixed #​1945 - make SCP recording optional by @​Eugeny in #​1978
• fixed #​1948 - add return_url_domain SSO config option by @​Eugeny in #​1971

Fixes

• Make admin UI search filtering case-insensitive across list and log endpoints by @​Copilot in #​1922
• Ipv6 hostname parse fix by @​Eugeny in #​1936
• Small cleanups by @​LarsSven in #​1939
• fix: parse forwarded header lists by @​immanuwell in #​1944
• Fix Svelte sourcemap line drift by disabling preprocess-level sourcemap emission by @​Copilot in #​1959
• fix: display security key and browser auth URL in SSH terminal (#​1960) by @​xTamasu in #​1970

New Contributors

• @​immanuwell made their first contribution in #​1944
• @​xTamasu made their first contribution in #​1970

Full Changelog: warp-tech/warpgate@v0.23.4...v0.24.0

v0.23.4

Compare Source

Fixes

• Fix #​1558 - get username for API token by @​tieb62 in #​1899
• Helm : Roll deployment when config or referenced secrets change by @​plopoyop in #​1898
• fixed #​1903 - ensure usernames are unique by @​Eugeny in #​1911
• read request Host header explicitly by @​Eugeny in #​1912

New Contributors

• @​tieb62 made their first contribution in #​1899
• @​plopoyop made their first contribution in #​1898

Full Changelog: warp-tech/warpgate@v0.23.3...v0.23.4

What's Changed

• Bump github/codeql-action from 4.35.2 to 4.35.4 by @​dependabot[bot] in #​1907
• Bump axios from 1.15.0 to 1.16.0 in /warpgate-web by @​dependabot[bot] in #​1905
• Bump ip-address and socks in /warpgate-web by @​dependabot[bot] in #​1904
• Fix #​1558 - get username for API token by @​tieb62 in #​1899
• Helm : Roll deployment when config or referenced secrets change by @​plopoyop in #​1898
• add tieb62 as a contributor for code by @​allcontributors[bot] in #​1909
• fixed #​1903 - ensure usernames are unique by @​Eugeny in #​1911
• read request Host header explicitly by @​Eugeny in #​1912

New Contributors

• @​tieb62 made their first contribution in #​1899
• @​plopoyop made their first contribution in #​1898

Full Changelog: warp-tech/warpgate@v0.23.3...v0.23.4

What's Changed

• Bump github/codeql-action from 4.35.2 to 4.35.4 by @​dependabot[bot] in #​1907
• Bump axios from 1.15.0 to 1.16.0 in /warpgate-web by @​dependabot[bot] in #​1905
• Bump ip-address and socks in /warpgate-web by @​dependabot[bot] in #​1904
• Fix #​1558 - get username for API token by @​tieb62 in #​1899
• Helm : Roll deployment when config or referenced secrets change by @​plopoyop in #​1898
• add tieb62 as a contributor for code by @​allcontributors[bot] in #​1909
• fixed #​1903 - ensure usernames are unique by @​Eugeny in #​1911
• read request Host header explicitly by @​Eugeny in #​1912

New Contributors

• @​tieb62 made their first contribution in #​1899
• @​plopoyop made their first contribution in #​1898

Full Changelog: warp-tech/warpgate@v0.23.3...v0.23.4

v0.23.3

Compare Source

Security fixes

CVE-2026-44347

• Verify SSO state parameter in #​1891

This vulnerability allowed an authorized Warpgate user A to share their SSO return link with another authorized Warpgate user B, potentially misleading B into getting logged in as A and subsequently sharing confidential information through user A's session.

Fixes

• fix #​1883 - re-normalize options.auth field for database targets by @​Eugeny in #​1892

Full Changelog: warp-tech/warpgate@v0.23.2...v0.23.3

What's Changed

• Verify state parameter by @​Eugeny in #​1891
• fix #​1883 - re-normalize options.auth field for database targets by @​Eugeny in #​1892

Full Changelog: warp-tech/warpgate@v0.23.2...v0.23.3

v0.23.2

Compare Source

Fixes

• fix #​1854 - PG timestamp types by @​Eugeny in #​1877

Full Changelog: warp-tech/warpgate@v0.23.1...v0.23.2

What's Changed

• Bump follow-redirects from 1.15.11 to 1.16.0 in /warpgate-web by @​dependabot[bot] in #​1867
• fix #​1854 - PG timestamp types by @​Eugeny in #​1877
• Bump github/codeql-action from 4.35.1 to 4.35.2 by @​dependabot[bot] in #​1870

Full Changelog: warp-tech/warpgate@v0.23.1...v0.23.2

What's Changed

• Bump follow-redirects from 1.15.11 to 1.16.0 in /warpgate-web by @​dependabot[bot] in #​1867
• fix #​1854 - PG timestamp types by @​Eugeny in #​1877
• Bump github/codeql-action from 4.35.1 to 4.35.2 by @​dependabot[bot] in #​1870

Full Changelog: warp-tech/warpgate@v0.23.1...v0.23.2

v0.23.1

Compare Source

Security fixes

GHSA-f5v4-2wr6-hqmg

This DoS vulnerability allowed an unauthenticated user to trigger an out-of-memory condition on a Warpgate instance if keyboard-interactive authentication is enabled. A malicious authentication packet could trigger a multi-GB memory allocation likely leading to Warpgate to be killed by the OOM killer.

v0.23.0

Compare Source

Changes

• #​1499 - admin roles in #​1783

  • New "Admin roles" let you grant users granular permisssions to the admin UI, for example to manage targets/users/roles/tickets. These are separate from the existing "Access roles".
  • Migration notes:
    • The admin UI is no longer its own "target" but rather a link on the top of the Warpgate landing page
    • Any user with an admin role assigned to them is now able to access the admin UI - with the corresponding restrictions
    • Existing users that are assigned to the warpgate:admin role will have a warpgate:admin superuser admin role assigned to them, so that there is no change in access after the update.
    • You can delete the old warpgate:admin access role if you have never used it for anything other than admin UI access.

• Added support for disabling the injected menu by @​LarsSven in #​1852

  • The new checkbox under Global Parameters lets you disable the injected session menu for HTTP targets. The users can still manually navigate back to /@​warpgate to switch targets.

• AWS IAM auth in #​1859

  • Experimental support for AWS IAM role authentication for SSH (EC2), EKS (Kubernetes) and MySQL and Postgres (RDS) targets.

• Automatically generate client certificate when using kubernetes targets by @​LarsSven in #​1795

  • The "Access instructions" dialog now offers a quick way to issue a new client certificate for Kubernetes targets as well as an option to store the certificate and the private key in the browser's storage. This allows the Warpgate frontend to generate a fully pre-configured kubeconfig file for the user, including the credentials.

• Rich audit logs in #​1832

  • Audit-relevant events (such as role or credential changes as well as session start/end) are logged into a separate "audit" log stream - the Log page now offers a filter to view only audit logs. The new audit_retention config option controls a separate retention period for these log entries (12 months default).

• feat: add user role assignment expiry and history tracking by @​mrmm in #​1816

  • The new "edit" icon next to an active role assignment lets you add an expiry date.

• Add support for allowed_ip_range for users by @​LarsSven in #​1846

• fixed #​1497 - separate external host settings per protocol in #​1824

• Polish some Kubernetes UI elements by @​LarsSven in #​1770

• Extend target search to include descriptions. Closes #​1784 by @​cvhariharan in #​1791

• feat: Add HTTPRoute template to Helm chart by @​solidassassin in #​1756

Fixes

• fixed #​1087 - detect port knocking in #​1862
• fix(http): prioritize ?warpgate-target= query param over host-based domain binding by @​aav in #​1868
• fixed #​1835 - support kubectl logs and portforward in #​1875
• fix(ui): resolve config page layout regression caused by flex on main by @​mrmm in #​1851
• streamline x-forwarded header checks in #​1858
• Use constant time comparison for admin tokens by @​LarsSven in #​1853
• perf(ui): improve admin log page with virtualization, buffer cap, and calmer polling by @​pandeysambhi in #​1838
• Send messages to SSH terminal synchronously by @​LarsSven in #​1830
• update Ticket model to use ID relations to user and target in #​1839
• improvements(helm chart): fix setup job command line argument parsing failure due to trailing backslash and other improvements by @​SachinMaharana in #​1819
• fixed #​1483 - apply SSH timeout settings to the SSH client as well in #​1813
• #​1414 - parse warpgate_roles claim from the token itself if present in #​1811
• fixed #​1785 - log queries fail on PostgreSQL in #​1807
• Google sso role mapping fix by @​SteezyCougar in #​1712
• Warpgate should use subdomain if subdomain binding is enabled by @​SteezyCougar in #​1777

Misc

• OIDC integration tests in #​1766
• ci: add Helm chart publish workflow by @​SachinMaharana in #​1794
• Dependency bumps & time crate migration in #​1840
• Add database migration compatibility tests for PostgreSQL and MySQL by @​Copilot in #​1863

New Contributors

• @​cvhariharan made their first contribution in #​1791
• @​solidassassin made their first contribution in #​1756
• @​SachinMaharana made their first contribution in #​1794
• @​pandeysambhi made their first contribution in #​1838
• @​aav made their first contribution in #​1868

Full Changelog: warp-tech/warpgate@v0.22.1...v0.23.0

v0.21.1

Compare Source

Fixes

• #​1755 fixed SSO login in #​1762

Full Changelog: warp-tech/warpgate@v0.21.0...v0.21.1

v0.21.0

Compare Source

Kubernetes support

This release adds experimental support for Kubernetes targets.

Warpgate will proxy and record Kubernetes API protocol as well as attach/exec sessions.

Both token and certificate authentication is supported both between Warpgate and Kubernetes and Warpgate and the user, as well as web-based 2FA.

There is now an option to issue and revoke certificate credentials for users (currently for Kubernetes only).

Notes:

• Warpgate API tokens can be used on the client to authenticate against Kubernetes targets
• When using browser-based 2FA, there is no way for us to communicate the prompt to the user, so they need to log into the Warpgate UI separately to see it.

Changes

• Kubernetes target support - #​1530
  • Experimental support for Kubernetes targets, with support for recordings, REST and Websocket Kubernetes APIs, kubectl and third-party clients
• fixed #​1664 - offer API at an alternative /_warpgate/ URL - #​1737
  • This allows using an alternative _warpgate return URL for Azure OIDC, which does not allow the @ character.
• Allow for minimizing the password login UI by @​LarsSven in #​1750
  • For SSO-first environments, this allows hiding the password login option by default

Full Changelog: warp-tech/warpgate@v0.20.2...v0.21.0

v0.20.2

Compare Source

Fixes

• #​1678 downgrade Linux build image for older glibc compatibility
• Fixed LDAP query compatibility with lldap

v0.20.1

Compare Source

v0.20.0

Compare Source

Changes

• feat(ssh): add configurable client authentication methods by @​liebermantodd in #​1637
• Improve logging/messaging around SSH target authentication failure by @​LarsSven in #​1677
• feat(cli): add support for setting config path through env by @​justinforlenza in #​1650

Fixes

• fix: modify GEX parameters in SSH key exchange configuration so that it uses 2048 bits by @​joseluisgonzalezca in #​1659
• fix: generate SSO login return URL based on request host by @​joseluisgonzalezca in #​1661
• fixed LDAP server attribute saving by @​Eugeny in #​1662
• Correctly naturally sort all relevant lists in the UI by @​LarsSven in #​1656
• Correct PostreSQL connection string & Allow targets to customize default database name in connection examples by @​SteezyCougar in #​1577

New Contributors

• @​justinforlenza made their first contribution in #​1650
• @​liebermantodd made their first contribution in #​1637

Full Changelog: warp-tech/warpgate@v0.19.1...v0.20.0

v0.19.1

Compare Source

Fixes

• Undo API-incompatible TlsMode change by @​LarsSven in #​1648
• fixed #​1647 - SSH keys admin UI page not working

Full Changelog: warp-tech/warpgate@v0.19.0...v0.19.1

v0.19.0

Compare Source

Changes

• Experimental LDAP user sync by @​Eugeny in #​1603
• Create the admin user by default even if unattended-setup not called by @​MohammedNoureldin in #​1620
• Add SCP example command to SSH targets by @​LarsSven in #​1612
• Add JSON log output format for easier log processing by @​mrmm in #​1609
• fixed #​974 - make securing files optional by @​Eugeny in #​1636

Fixes

• remove dependency on the deprecated rustls-pemfile by @​Eugeny in #​1615
• fixed #​1456 - added a clickable button to submit the OTP by @​Eugeny in #​1614
• Fix cross-domain cookie handling and domain rebinding by @​SteezyCougar in #​1553
• fixed #​1632 - natural sort for targets by @​Eugeny in #​1645

New Contributors

• @​MohammedNoureldin made their first contribution in #​1620
• @​mrmm made their first contribution in #​1609

Full Changelog: warp-tech/warpgate@v0.18.0...v0.19.0

v0.18.0

Compare Source

Changes

• Add target groups by @​alairock in #​1518
• Add create-user CLI command by @​LarsSven in #​1549
• Add configurable idle timeout for PostgreSQL targets by @​SteezyCougar in #​1565

Fixes

• Use warpgate.yaml for Container Healthcheck by @​micha-k in #​1539
• Clean up ssh key generation and loading by @​LarsSven in #​1544

New Contributors

• @​micha-k made their first contribution in #​1539
• @​alairock made their first contribution in #​1518

Full Changelog: warp-tech/warpgate@v0.17.0...v0.18.0

v0.17.0

Compare Source

Important changes

• Warpgate now automatically falls back to email if preferred_username is not available from an SSO provider when auto-creating new users - by @​SteezyCougar in #​1475

Features

• Added a Helm chart (beta) - by @​alice-dops in #​1502
• Added ML-KEM post-quantum key exchange by @​kruton in #​1527

Fixes

• SSH server doesnt offer ed25519 hostkey by @​fpfeifferik in #​1473
• Added diffie-hellman-group-exchange-sha256 to SSH key exchange list by @​joseluisgonzalezca in #​1493
• Canonicalize Oauth Redirect with cross domain session cookie by @​SteezyCougar in #​1476
• Spawn task immediately when accepting connection by @​kruton in #​1521
• Fixed --debug CLI option by @​kruton in #​1526

Docs

• Correct dependency install command by @​LarsSven in #​1506

New Contributors

• @​fpfeifferik made their first contribution in #​1473
• @​SteezyCougar made their first contribution in #​1475
• @​LarsSven made their first contribution in #​1506
• @​step-security-bot made their first contribution in #​1508
• @​kruton made their first contribution in #​1521

Full Changelog: warp-tech/warpgate@v0.16.0...v0.17.0

v0.16.0

Compare Source

Security fixes

• 3c003fc - fixed CVE-2025-54804
  • This vulnerability has allowed a malicious authenticated client or target server to trigger a Rust panic in Warpgate and potentially cause a service restart

Major changes

• Docker image : add healthcheck, linting and run as regular user by @​hugosxm in #​1433
  • The Docker image now runs under UID 1000 instead of 0. Depending on your setup, this might cause permission errors when trying to access the Warpgate data files, you might have to chmod them. Run Docker with --uid 0 to revert to the old, less safe behaviour.
• Added bandwidth limiting support in #​1443
  • You can set bandwidth limits globally, per user and per target - works for SSH, MySQL and Postgres targets.

Changes

• Warpgate now sets TCP_NODELAY for better performance - in #​1447 and by @​tom-90 in #​1449

Fixes

• fd6607b - fix channels losing unflushed data when closing
• 4d5ebe4 - fix SCP hangups
• 05235d9 - fixed incorrect relative path resolution in setup
• 5a4b295 - fixed #​1424 - OOB UI fails with repeating characters
• version attribute is obsolete by @​ulab in #​1435
• 8ad6972 - fixed #​1442 - unnecessary get_info auth restrictions

New Contributors

• @​hugosxm made their first contribution in #​1433
• @​ulab made their first contribution in #​1435
• @​tom-90 made their first contribution in #​1449

Full Changelog: warp-tech/warpgate@v0.15.0...v0.16.0

v0.15.0

Compare Source

Features

• fixed #​1104 - SNI support in #​1402 - see https://warpgate.null.page/sni/
• fixed #​1220 - direct-streamlocal (local UNIX socket forwarding) support in 103a480
• fixed #​1368 - correctly generate version number in docker in #​1372
• fixed #​954 - enable gzip support for http targets in 9e144f8
• fixed #​1367 - replace Swagger with Stoplight Elements in the API playground and add a note about token header in 1df9b45

Fixes

• fixed #​1381 - skip password auth in postgres if not required in #​1383
• fix(panel): fix user profile link by @​joseluisgonzalezca in #​1384
• feat(http): support for insecured websocket connections if TLS Verifyflag is disabled by @​joseluisgonzalezca in #​1385
• fix(logs): normalize logs timestamp format with fixed sub-second digits by @​joseluisgonzalezca in #​1387
• fix(auth): skip web approval auth method only if there are other authentication methods available by @​joseluisgonzalezca in #​1390
• fixed #​1396 - fixed API token auth for getAllTargets API in #​1397
• fixed #​1395 - preselect current user in access instructions modal by @​Eugeny in #​1405
• fixed #​1404 - SSO user autocreation not working with Entra ID by @​Eugeny in #​1406
• fixed #​1411 - duplicate Host header sent to HTTP/2 targets by @​Eugeny in #​1412

New Contributors

• @​joseluisgonzalezca made their first contribution in #​1384

Full Changelog: warp-tech/warpgate@v0.14.1...v0.15.0

v0.14.1

Compare Source

Fixes

• c0de2f0: fixed #​1366 - API crash

v0.14.0

Compare Source

Major changes

• 863af5e: #​1323 - In-browser auth (2FA/SSO) support for PostgreSQL (#​1338) #​1338
• 53971dc: #​1334 New in-browser auth requests will automatically show up on the Warpgate homepage if the user is logged in (#​1335) #​1335
• ec98c3d: Option to check and accepting SSH target's host keys from the admin UI (#​1307) #​1307

Changes

• Deleting an SSH target will now auto-remove its known hosts entry (#​1300) #​1300 (Chinmay Pai)
• Prefer SSO provider buttons will prefer label over name in the login UI (Eugene)
• 4533401: Warpgate will now forward HTTP basic auth credentials (if present) from an HTTP target's URL correctly (#​1343) #​1343
• cea7acc: #​1281 - Added description fields for most objects (#​1294) #​1294
• 9841421: #​1281 - List role members and targets in the UI (#​1295) #​1295
• 6b22399: Added SBOMs to release artifacts (#​1289) #​1289
• 74ca553: Add "getting started" hints to the UI (#​1344) #​1344

Fixes

• Fixed Warpgate attempting RSA key auth against a target too many times, exhausting the OpenSSH limits (#​1274) #​1274 (Eugene)
• 95dce41: Fix SSH Client to respond to keyboard-interactive when target has optional 2FA (#​1273) (samtoxie) #​1273
• 51c8937: fixed frontend crash in list pagination
• 5d3a8ac: Force the config file format to YAML (#​1299) (Mice7R) #​1299
• 4b74303: #​1271 - modals are invisible with prefers-reduced-motion
• 0a3e444: fixed #​1285 - unable to add public keys via credentials self-service
• 26a9c99: fixed #​1326 - UI allowing duplicate target names (#​1328) #​1328
• d465586: fixed enter key handling in the "create target" form
• b4076ef: fixed #​1320 - JDBC based Postgres clients not connecting
• 87b409b: SQL content of prepared Postgres queries were not logged
• 5ee29b9: fixed #​1337 - automatically strip the public key comment when setting via the API
• 2381f55: fixed #​972 - SSH server not offering keyboard-interactive when only OOB or SSO auth is enabled for a user
• 9bc1c9d: fixed #​1346 - changing own password does not remove existing passwors
• 33803f1: fixed #​1336 - correctly parse ECC certificates - no longer handle incorrect PEM header
• 331af97: fixed #​1356 - generate config schema (#​1357) #​1357

v0.13.3

Compare Source

Changes

• 306138f: reenabled HTTP/2 support as client (both for HTTP targets and OIDC)

v0.13.2

Compare Source

Changes

• ee05440: pasting a public key will automatically fill out the label field now if the key has a comment

Fixes

• 5b050e5: fixed #​1264 - config file permission error in kubernetes (#​1265) (hashfunc) #​1265
• 91c4a5a, 1772601: fixed #​1263 - errors when working with public key creds on Postgres
• 549ddba, 93609ae: fixed #​1270 - public key values getting truncated on MySQL

v0.13.1

Compare Source

Changes

• 5dfa025: added an option to trust unknown OIDC audiences (#​1254) (samtoxie) #​1254

Fixes

• 2e75b28: fixed #​1261 - reenable accidentally disabled Postgres TLS support

v0.13.0

Compare Source

Changes

• 409b382: UI facelift (#​1175)
• 010534a: added support for user API tokens and an API playground (#​1191)
• 1dec4c9: added a title field for public keys (#​1171) (Mohammad Al Shakoush)
• 59884fb: added "last used" and "date created" fields for public keys (#​1182) (Mohammad Al Shakoush)
• d51d882: fixed #​1189 - updated default config to listen on IPv6 as well
• b76872f: added an option to auto-create SSO users #​1245
• e203688: implemented agent forwarding over SSH (samtoxie) #​1249
• 55dcd11: added streamlocal-forward support (remote UNIX socket forwarding) #​1243

Fixes

• 40e49a2: Fixed SSO not respecting the OS' trusted TLS CAs (Thibaud Lepretre) #​1233
• 2abe104: fixed #​1234 - rustls panic in tokio-tungstenite
• 2cdf8ba: bump vulnerable deps (#​1241) #​1241
• 8d53f7b: bumped russh for the mlock() fix
• 7e15422: fixed #​1258 - hide the version info until logged in (Eugene)
• 6ade841: correctly bind to both ipv4 and ipv6 when [::] is set as listen endpoint (#​1193)
• create and canonicalize relative data_path (#​1180) (willow)
• e89bc03: fixed [#​1218]

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.