Update Helm release cert-manager to v1.20.3 #737

Merged

AverageMarcus merged 1 commits from renovate/cert-manager-1.x into master 2026-06-26 05:05:55 +00:00

Conversation 0 Commits 1 Files Changed 1

+1 -1

renovate commented 2026-06-26 03:12:52 +00:00

Collaborator

Copy Link

Copy Source

This PR contains the following updates:

Package	Update	Change
cert-manager (source)	patch	v1.20.2 → v1.20.3

---

Release Notes

cert-manager/cert-manager (cert-manager)

v1.20.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING]
Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression

• Security (HIGH): Remove Challenge create and Order create, patch, update verbs from the cert-manager-edit aggregate ClusterRole (GHSA-8rvj-mm4h-c258). (#​8940, @​wallrj-cyberark)
• Remove issuer owner reference from challenges blocking challenge garbage collection (#​8759, @​cert-manager-bot)

Other (Cleanup or Flake)

• Bump go to 1.26.3, other deps to fix several govulncheck issues (#​8789, @​SgtCoDFish)
• Update Go to v1.26.4 to fix CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507 (#​8926, @​wallrj-cyberark)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://cert-manager.io) ([source](https://github.com/cert-manager/cert-manager)) | patch | `v1.20.2` → `v1.20.3` | --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.20.3`](https://github.com/cert-manager/cert-manager/releases/tag/v1.20.3) [Compare Source](https://github.com/cert-manager/cert-manager/compare/v1.20.2...v1.20.3) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This patch release fixes a security issue ([`GHSA-8rvj-mm4h-c258`](https://github.com/cert-manager/cert-manager/security/advisories/GHSA-8rvj-mm4h-c258), HIGH) where the default `cert-manager-edit` aggregate ClusterRole granted namespace users permission to create ACME `Challenge` and `Order` resources directly. A user who could create a `Challenge` referencing a `ClusterIssuer` could supply attacker-controlled solver configuration while cert-manager loaded credentials from the `ClusterIssuer`'s namespace, bypassing Issuer solver selectors (`dnsZones`, `dnsNames`, `matchLabels`). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint. This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs. All users should upgrade. > \[!WARNING] > **Potentially breaking change:** The `cert-manager-edit` aggregate ClusterRole no longer grants `create` for `challenges.acme.cert-manager.io` or `create`, `patch`, `update` for `orders.acme.cert-manager.io`. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly. #### Changes by Kind ##### Bug or Regression - Security (HIGH): Remove Challenge `create` and Order `create`, `patch`, `update` verbs from the `cert-manager-edit` aggregate ClusterRole ([`GHSA-8rvj-mm4h-c258`](https://github.com/cert-manager/cert-manager/security/advisories/GHSA-8rvj-mm4h-c258)). ([#&#8203;8940](https://github.com/cert-manager/cert-manager/issues/8940), [@&#8203;wallrj-cyberark](https://github.com/wallrj-cyberark)) - Remove issuer owner reference from challenges blocking challenge garbage collection ([#&#8203;8759](https://github.com/cert-manager/cert-manager/issues/8759), [@&#8203;cert-manager-bot](https://github.com/cert-manager-bot)) ##### Other (Cleanup or Flake) - Bump go to 1.26.3, other deps to fix several govulncheck issues ([#&#8203;8789](https://github.com/cert-manager/cert-manager/issues/8789), [@&#8203;SgtCoDFish](https://github.com/SgtCoDFish)) - Update Go to `v1.26.4` to fix CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507 ([#&#8203;8926](https://github.com/cert-manager/cert-manager/issues/8926), [@&#8203;wallrj-cyberark](https://github.com/wallrj-cyberark)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDMuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI0My4yIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->

renovate added 1 commit 2026-06-26 03:12:53 +00:00

Update Helm release cert-manager to v1.20.3 0079e3e1e9

AverageMarcus merged commit 8106e9367c into master 2026-06-26 05:05:55 +00:00

AverageMarcus deleted branch renovate/cert-manager-1.x 2026-06-26 05:05:56 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Assignees

Clear assignees

renovate (Renovate Bot) AverageMarcus (Marcus Noble)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: AverageMarcus/cluster.fun#737