5.18.0 Release Notes
Overview
Release 5.18.0 focuses on strengthening security and improving operational flexibility. This update addresses eight security vulnerabilities across multiple components, including critical fixes for BouncyCastle, MSSQL JDBC, and various cloud integration dependencies. Enterprise users will benefit from configurable AWS SSM execution timeouts for long-running jobs, enhanced Slack notifications with FreeMarker template support, and a fix for VMware datacenter attribute handling. Open source users gain a new beta feature for multiline job options, improved log filter capabilities for capturing multiple key-value pairs, and comprehensive API error handling. The release also includes extensive OpenAPI documentation enhancements across 15 endpoints, making it easier to integrate with Rundeck programmatically.
Terraform Provider Milestone: Alongside this release, we're excited to announce version 1.0.0 of the Rundeck Terraform Provider—a complete modernization that eliminates all known plan drift issues and establishes a stable foundation for infrastructure-as-code workflows.
Terraform Provider 1.0.0 Release
We're thrilled to announce the 1.0.0 release of the Rundeck Terraform Provider—a major modernization that represents years of community feedback and engineering effort. This release eliminates all known plan drift issues and provides a rock-solid foundation for managing Rundeck infrastructure as code.
What's New
No More Plan Drift: The provider has been completely rebuilt using the Terraform Plugin Framework with JSON-only API interactions, eliminating the schema inconsistencies and drift issues that plagued earlier versions. Your terraform plan will finally show "No changes" when nothing has actually changed.
Modern Architecture:
- Single provider implementation (removed SDK v2 and plugin multiplexer)
- Native HCL nested blocks for cleaner, more intuitive configurations
- Comprehensive test coverage with 38 passing acceptance tests (100% pass rate)
Enhanced Job Management:
- UUID support for job references (use immutable UUIDs instead of names)
- Complete notification support with proper webhook, email, and plugin configurations
- Fixed execution lifecycle plugins (critical fix—previous versions silently ignored these)
- Automatic schedule normalization and option enforcement inference
- Full support for orchestrators, log limits, and global log filters
Runner Management Improvements:
- Semantic equality for tags (no more drift from Rundeck's tag normalization)
- Enhanced error messages with API response details
Better Developer Experience:
- Username/password authentication support
- Improved error messages for troubleshooting
- Comprehensive documentation with troubleshooting guides
Breaking Changes
This is a major release with important compatibility requirements:
- Minimum Rundeck version: 5.0.0 (API v46+)
- Minimum Go version: 1.24+
- All XML API interactions have been removed (JSON only)
Getting Started
The 1.0.0 release will be available in the Terraform Registry today. Existing Terraform configurations should work without modification, though you may need to reorder notification blocks alphabetically and explicitly set require_predefined_choice = true for options with value choices.
Special thanks to the community members who reported issues, tested pre-release versions, and contributed to making this release possible!
Runbook Automation Updates
Bouncy Castle 1.79 for CVE-2025-8916
SSM cannot run job for more than 1 hour
Adds configurable SSM execution timeout functionality to allow AWS SSM jobs to run beyond the default 1-hour limit. The changes introduce a new ssm-execution-timeout configuration property that defaults to 3600 seconds (1 hour) but can be adjusted as needed.
Update nimbusJose for CVE-2025-53864
Set sleep time on sftp plugin
Adds a configurable sleep timeout property to the File Transfer plugin, allowing users to customize the wait time after file transfer completion instead of using the hardcoded 2000ms value. There is a new sleepTimeout integer property with a default value of 2000ms.
Fixes datacenter value in VMware resource model
This PR fixes the datacenter value retrieval in the VMware resource model by replacing hardcoded parent chain navigation (parent?.getParent()?.getName()) with a dynamic traversal approach that handles VMs at any folder depth.
Before this fix, nodes nested more than 2 folders deep would show the wrong value for the datacenter attribute.
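The difference between the two lookups, as an added example that is not the plugin's code: `Entity` is a hypothetical stand-in for an inventory object (not the vSphere SDK type), and the inventory tree is constructed. The fixed-depth lookup does not fail on a deeply nested VM; it returns a folder name as if it were the datacenter.

```java
import java.util.Optional;

public class DatacenterLookup {
    // Hypothetical inventory node: a type label, a name, and a link to its parent.
    record Entity(String type, String name, Entity parent) {}

    // Fixed-depth lookup in the shape the release note quotes:
    // take the parent, then its parent, and use that name.
    static String fixedDepth(Entity vm) {
        Entity parent = vm.parent();
        Entity grandparent = (parent == null) ? null : parent.parent();
        return (grandparent == null) ? null : grandparent.name();
    }

    // Dynamic traversal: climb the parent chain until a Datacenter is reached,
    // however many folders sit in between.
    static Optional<String> walkUp(Entity vm) {
        for (Entity e = vm.parent(); e != null; e = e.parent()) {
            if ("Datacenter".equals(e.type())) {
                return Optional.of(e.name());
            }
        }
        return Optional.empty(); // no datacenter ancestor: report nothing rather than a folder name
    }

    public static void main(String[] args) {
        // Constructed inventory: DC1 / vm / db01 and DC1 / vm / linux / prod / web01
        Entity dc = new Entity("Datacenter", "DC1", null);
        Entity root = new Entity("Folder", "vm", dc);
        Entity shallow = new Entity("VirtualMachine", "db01", root);
        Entity linux = new Entity("Folder", "linux", root);
        Entity prod = new Entity("Folder", "prod", linux);
        Entity deep = new Entity("VirtualMachine", "web01", prod);

        for (Entity vm : new Entity[] {shallow, deep}) {
            System.out.printf("%s: fixedDepth=%s walkUp=%s%n",
                    vm.name(), fixedDepth(vm), walkUp(vm).orElse("<none>"));
        }
    }
}
```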
Ansible Plugin Improvements
Updates the way the Ansible plugin handles ad-hoc command execution: the deprecated -t argument is replaced with environment variables for callback configuration, and inventory argument handling is modernized. Tests were added and improved to confirm that these changes work as intended and that user-provided environment variables are respected.
Slack Notification Plugin now supports Templates
Refactoring and enhancement of the SlackNotificationPlugin to improve template handling, logging, and code robustness. The main changes include support for external FreeMarker templates, safer and more informative logging, and improved per-notification context management.
Fix CVE-2025-55163: Upgrade google-cloud-container to 2.82.0
This mitigates CVE-2025-55163 (CVSS 8.7, CWE-770) by upgrading the google-cloud-container dependency from 2.54.0 to 2.82.0 in both the kubernetes-clusters and gcp-plugins modules.
Fix 500 error on duplicate user creation - return 409 Conflict with proper error message
Fixed API error handling for duplicate user creation and added complete OpenAPI documentation. The user creation API endpoint (PUT /api/44/secure/users/create) now properly handles duplicate username errors. Previously, attempting to create a user with an existing username returned an HTTP 500 Internal Server Error with an HTML error page. Now it correctly returns HTTP 409 Conflict with a clean JSON error message: {"err": "User with username 'xyz' already exists"}. Additionally, the endpoint now includes comprehensive OpenAPI documentation with detailed request body schemas (including the username, pwd, and roles fields), multiple JSON examples for basic and complete user creation, and documentation for all response codes (201, 400, 403, 409). This fix improves API reliability and makes it easier for API consumers to handle duplicate user scenarios programmatically.
Fix CVE-2025-64756 in glob package
Fixed security vulnerability CVE-2025-64756 in the glob package by upgrading to version 10.5.0, which patches a command injection vulnerability in the glob CLI.
Mitigate CVE-2025-12383 in jersey-client dependency
This PR mitigates CVE-2025-12383 (CVSS 9.4 Critical) in the jersey-client dependency used by the jira-plugins module.
Fix CVE-2025-8916 by updating dependencies and forcing BouncyCastle 1.79
Security Enhancement: Fixed CVE-2025-8916 (BouncyCastle vulnerability, CVSS 6.3) by updating OCI SDK to 3.21.0, Kubernetes client to 22.0.0, Spring Security RSA to 1.0.13, and globally forcing BouncyCastle to the patched version 1.79 across all affected components. This addresses "Allocation of Resources Without Limits or Throttling" vulnerabilities in 6 plugins: cloud-oraclecloud-healthcheck-plugin, kubernetes-clusters, rundeckpro-config, rundeckpro-security, runbook-automation-data-spi, and runbook-automation-utils.
Enhance OpenAPI documentation for Runner Management configuration endpoint
Improved OpenAPI specification documentation for the Runner Management configuration endpoint, providing clearer guidance for API consumers on how to configure automatic vs manual runner assignment for projects.
Update OCI SDK to 3.43.2 to address CVE-2024-30172
Updated Oracle Cloud Infrastructure (OCI) Java SDK to version 3.43.2 to address security vulnerability CVE-2024-30172. This update affects the Oracle Cloud plugins and Oracle Cloud Health Check plugin, improving the security posture of Oracle Cloud integrations.
Regenerate Credentials button is hidden for Ephemeral Runners
Fixed an issue where the Regenerate Credentials button was incorrectly hidden for Ephemeral Runners in the Runner Management interface, ensuring users can now properly regenerate credentials for ephemeral runner types.
Rundeck Open Source Product Updates
Fix CVE-2025-8916
Fix project export using CLI
This PR fixes an error in the project export functionality when using the Rundeck CLI by ensuring proper cleanup of resources even when file streaming fails.
Update Key Value Data with new Match Substrings checkbox
This fix addresses an issue where the Key Value Data log filter required regex patterns to match the entire log line due to its use of Matcher.matches(). Users found that patterns working in external tools failed in Rundeck because they didn't consume the full line. To resolve this, we've added a new matchSubstrings configuration property that allows users to toggle between full-line matching (using matches()) and substring matching (using find()). This provides the flexibility to use partial patterns like ^.*\.[A-Z]([0-9]+)\. without requiring them to match the entire line, while maintaining backward compatibility by defaulting to the original full-line matching behavior.
Update nimbusJose for CVE-2025-53864
Multiline Job Options (Beta)
Adds support for Multiline Job Options as a new choice in the "Option Type" dropdown. This allows users to create job options that can accept multi-line text input instead of being limited to single-line text fields.
Fix: Nodes page support for url param for filter input
Fixed an issue where the ?filter= URL parameter was not properly setting the node filter on the Nodes page, ensuring deep links with node filters now work as expected.
Fix the loading icon showing when a step already succeeded
Small bug fix: while a job was running, a step without output showed a loading icon even after the step had finished running.
Fixes missing no output message when looking at a step in the execution page
Added new ansible-plugin release version
- Updates the way the Ansible plugin handles ad-hoc command execution: the deprecated -t argument is replaced with environment variables for callback configuration, and inventory argument handling is modernized. Tests were added and improved to confirm that these changes work as intended and that user-provided environment variables are respected.
Upgrade MSSQL JDBC to fix CVE-2025-59250
Upgraded the Microsoft SQL Server JDBC driver from version 9.4.0.jre8 to 13.2.1.jre8 in the runner-agent module to address security vulnerability CVE-2025-59250.
Fix OpenAPI spec for metrics endpoints
Fixed OpenAPI documentation for metrics endpoints to properly represent them as five separate endpoints (/metrics, /metrics/metrics, /metrics/ping, /metrics/threads, /metrics/healthcheck) instead of a single endpoint with an optional parameter. This ensures the OpenAPI Explorer generates correct curl commands and includes example responses for each endpoint, improving API discoverability and developer experience.
Allow KeyValueDataLogFilterPlugin to capture multiple values
Enhanced the Key Value Data Log Filter Plugin to support capturing multiple key-value pairs from a single log line through a new optional allowMultipleMatches property. This enables parsing of complex log formats containing multiple matches (e.g., "user=john role=admin session=abc123") while maintaining full backward compatibility with the default single-match behavior.
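How the matchSubstrings and allowMultipleMatches options change what a pattern captures, as an added example that is not the plugin's code: `capture` is a hypothetical model built on `java.util.regex`, the key=value pattern and the second sample line are constructed, and applying allowMultipleMatches only in substring mode is an assumption.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class KeyValueMatchDemo {
    // Hypothetical model of the filter: group 1 is the key, group 2 the value.
    // Parameter names mirror the properties named in the release notes.
    static Map<String, String> capture(String regex, String line,
                                       boolean matchSubstrings,
                                       boolean allowMultipleMatches) {
        Map<String, String> data = new LinkedHashMap<>();
        Matcher m = Pattern.compile(regex).matcher(line);
        if (!matchSubstrings) {
            // matches(): the pattern must consume the entire line.
            if (m.matches()) {
                data.put(m.group(1), m.group(2));
            }
            return data;
        }
        // find(): the pattern may match at any offset; each further call
        // resumes after the end of the previous match.
        while (m.find()) {
            data.put(m.group(1), m.group(2));
            if (!allowMultipleMatches) {
                break;
            }
        }
        return data;
    }

    public static void main(String[] args) {
        String kv = "(\\w+)=(\\S+)";                          // constructed pattern
        String line = "user=john role=admin session=abc123";  // sample line from the release notes
        System.out.println("full line:  " + capture(kv, line, false, false));
        System.out.println("substring:  " + capture(kv, line, true, false));
        System.out.println("multi:      " + capture(kv, line, true, true));

        // The partial pattern quoted in the release notes, on a constructed line.
        Matcher p = Pattern.compile("^.*\\.[A-Z]([0-9]+)\\.").matcher("build.X42.done status=ok");
        System.out.println("matches() = " + p.matches());
        p.reset();
        System.out.println("find()    = " + p.find() + ", group(1) = " + p.group(1));
    }
}
```

Because find() accepts a match at any offset, a pattern that must only capture from the start of a line needs an explicit `^` anchor when substring matching is enabled.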
Fix CVE-2025-64756 in glob package
Fixed security vulnerability CVE-2025-64756 in the glob package by upgrading to version 10.5.0, which patches a command injection vulnerability in the glob CLI.
Update sshj to 0.40.0 for CVE-2025-8916
Updated sshj dependency in the git-plugin from 0.33.0 to 0.40.0 to address CVE-2025-8916, a security vulnerability in the SSH library.
Fix Firefox scroll behavior on execution output tab
Enhance OpenAPI documentation for 15 API endpoints
Enhanced OpenAPI specification documentation for 15 API endpoints across multiple controllers, improving clarity for API consumers and generated SDK quality. All changes are documentation-only and fully backward compatible with no breaking changes to existing API behavior.
Key improvements include clarification of query parameter usage for Ad Hoc endpoints, addition of previously undocumented POST method support for project export endpoints, and comprehensive documentation of 404 response scenarios for execution state, SCM status, and project file endpoints.
Fix webpack bundling configuration for vue3-markdown to prevent System Configuration from loading
Here is a link to the full list of public PRs
Links
- Download the Releases: Open Source | Self-Hosted
- Sign up for Release Notes
- Upgrade instructions
- Catch us on LinkedIn for the Live Stream Release Videos
Version Info
Name: "Monte Fitz Roy brown grain"
Release Date: December 15th, 2025
Community Contributors
Submit your own Pull Requests to get recognition here!
Staff Contributors
- Greg Schueler (gschueler)
- Carlos Eduardo (carlosrfranco)
- Eduardo Baltra (edbaltra)
- Forrest Evans (fdevans)
- Jaime Tobar (jtobard)
- Jake Cohen (jsboak)
- Jaya Singh (jayas006)
- Jesus Osuna (Jesus-Osuna-M)
- José Vásquez (hiawvp)
- Luis Toledo (ltamaster)
- Rodrigo Navarro (ronaveva)
- Sarah Martinelli Benedetti (smartinellibenedetti)