Ctrlk
HomepageSystem Status
For the complete documentation index, see llms.txt. This page is also available as Markdown.

May 2026

SDK and Integration Updates for May 2026

Oracle KMS Python Storage v1.1.0

Breaking changes

Python minimum version: Raised from 3.6 to 3.9. Pin to keeper-secrets-manager-storage-oracle-kms<1.1.0 to stay on Python 3.6–3.8.

Core SDK minimum version: Raised from 16.6.6 to 17.2.1.

KSM-955 — decrypt_config() autosave default: Changed from True to False. Calling decrypt_config() without arguments no longer writes plaintext credentials to disk. Pass autosave=True explicitly to preserve the previous behavior.

  • KSM-954: Fixed AES-GCM nonce from 128-bit to 96-bit per NIST SP 800-38D. Existing encrypted blobs remain readable.

  • KSM-954: Replaced MD5 with SHA-256 for config change detection.

  • KSM-950: Initialization with a service account missing required KMS permissions no longer silently proceeds with the config file left unencrypted on disk.

  • KSM-951: KMS errors no longer silently swallowed. Network failures and permission denials now propagate as exceptions.

  • KSM-952: delete_all() no longer leaves the credential file on disk when KMS is unavailable.

  • KSM-953: set() no longer silently swallows PermissionError on read-only config files.

  • KSM-955: read_storage() now returns a copy of the config dict instead of a live reference.

  • KSM-956: OracleKeyValueStorage is now thread-safe for concurrent reads and writes.

  • KSM-957: load_config() no longer leaves self.config = None after bootstrapping from an empty config. Subsequent get/set/delete calls no longer crash with TypeError.

Security updates

  • KSM-834: cryptography upgraded to ≥46.0.5, fixing CVE-2026-26007 (ECDH subgroup attack on SECT curves, HIGH CVSS 8.2).

  • urllib3 upgraded to 2.6.3, requests to 2.32.4.

Links:

GCP KMS Python Storage v1.1.0

Breaking changes

Python minimum version: Raised from 3.6 to 3.9. Pin to keeper-secrets-manager-storage-gcp-kms<1.1.0 to stay on Python 3.6–3.8.

Core SDK minimum version: Raised from 16.6.6 to 17.2.1.

KSM-944 — decrypt_config() autosave default: Changed from True to False. Calling decrypt_config() without arguments no longer writes plaintext credentials to disk. Pass autosave=True explicitly to preserve the previous behavior.

  • KSM-943: Fixed AES-GCM nonce from 128-bit to 96-bit per NIST SP 800-38D; existing encrypted blobs remain readable.

  • KSM-943: Replaced MD5 with SHA-256 for config change detection.

  • KSM-938: Initialization with a service account missing cloudkms.cryptoKeys.get no longer silently proceeds with the config file left unencrypted on disk.

  • KSM-939: KMS errors no longer silently swallowed. Network failures and permission denials now propagate as exceptions.

  • KSM-940: delete_all() no longer leaves the credential file on disk when KMS is unavailable.

  • KSM-941: set() no longer silently swallows PermissionError on read-only config files.

  • KSM-942: change_key() no longer returns True when re-encryption fails; state rolls back cleanly.

  • KSM-944: read_storage() now returns a copy of the config dict instead of a live reference.

  • KSM-945: Symmetric decrypt no longer fails when called with a versioned key URI. The GCP API requires the unversioned key name for symmetric operations.

  • KSM-946: GCPKeyValueStorage is now thread-safe for concurrent reads and writes.

Security updates

  • KSM-764: protobuf upgraded to ≥6.33.5, fixing CVE-2026-0994 (JSON recursion DoS, HIGH CVSS 8.2). google-cloud-kms upgraded to 3.13.0 for protobuf 6 compatibility.

  • KSM-833: cryptography upgraded to ≥46.0.5, fixing CVE-2026-26007 (ECDH subgroup attack on SECT curves, HIGH CVSS 8.2).

  • urllib3 upgraded to 2.6.3, requests to 2.32.4, pyasn1 to 0.6.2.

Links:

Rust SDK 17.2.0

Breaking changes

  • get_folders() no longer consumes the SecretsManager instance — the signature is now &mut self. If you added .clone() as a workaround, you can safely remove it.

  • CustomPostFunction is now thread-safe — the type alias is now Arc<dyn Fn(...) + Send + Sync>. Most call sites will compile without changes; if you're storing the type alias directly, wrap your function with Arc::new(...).

Bug Fixes

  • KSM-886: File and thumbnail downloads no longer fail inside async runtimes — resolved a "builder error" that occurred when downloads were called from within a tokio runtime.

Security updates

  • reqwest 0.12 → 0.13.3 (KSM-922): Resolves four rustls-webpki advisories; TLS backend migrated to aws-lc-rs, the required foundation for FIPS 140-3 support.

  • openssl 0.10.75 → 0.10.78: Resolves CVE-2026-41676, CVE-2026-41677, CVE-2026-41678, CVE-2026-41681 (CVSS 9.1–9.8, Critical).

Links:

PreviousPython SDK 17.3.0NextApril 2026

Last updated