# May 2026

## Oracle KMS Python Storage v1.1.0

> **Breaking changes**
>
> **Python minimum version:** Raised from 3.6 to 3.9. Pin to `keeper-secrets-manager-storage-oracle-kms<1.1.0` to stay on Python 3.6–3.8.
>
> **Core SDK minimum version:** Raised from 16.6.6 to 17.2.1.
>
> **KSM-955 — decrypt\_config() autosave default:** Changed from `True` to `False`. Calling `decrypt_config()` without arguments no longer writes plaintext credentials to disk. Pass `autosave=True` explicitly to preserve the previous behavior.

* **KSM-954:** Fixed AES-GCM nonce from 128-bit to 96-bit per NIST SP 800-38D. Existing encrypted blobs remain readable.
* **KSM-954:** Replaced MD5 with SHA-256 for config change detection.
* **KSM-950:** Initialization with a service account missing required KMS permissions no longer silently proceeds with the config file left unencrypted on disk.
* **KSM-951:** KMS errors no longer silently swallowed. Network failures and permission denials now propagate as exceptions.
* **KSM-952:** `delete_all()` no longer leaves the credential file on disk when KMS is unavailable.
* **KSM-953:** `set()` no longer silently swallows `PermissionError` on read-only config files.
* **KSM-955:** `read_storage()` now returns a copy of the config dict instead of a live reference.
* **KSM-956:** `OracleKeyValueStorage` is now thread-safe for concurrent reads and writes.
* **KSM-957:** `load_config()` no longer leaves `self.config = None` after bootstrapping from an empty config. Subsequent `get`/`set`/`delete` calls no longer crash with `TypeError`.

**Security updates**

* **KSM-834:** `cryptography` upgraded to ≥46.0.5, fixing CVE-2026-26007 (ECDH subgroup attack on SECT curves, HIGH CVSS 8.2).
* `urllib3` upgraded to 2.6.3, `requests` to 2.32.4.

**Links:**

* [PyPI package](https://pypi.org/project/keeper-secrets-manager-storage-oracle-kms/)
* See [Oracle KMS Documentation](https://docs.keeper.io/keeperpam/secrets-manager/integrations/oracle-key-vault)

## Rust SDK 17.2.0

> **Breaking changes**
>
> * `get_folders()` no longer consumes the `SecretsManager` instance — the signature is now `&mut self`. If you added `.clone()` as a workaround, you can safely remove it.
> * `CustomPostFunction` is now thread-safe — the type alias is now `Arc<dyn Fn(...) + Send + Sync>`. Most call sites will compile without changes; if you're storing the type alias directly, wrap your function with `Arc::new(...)`.

**Bug Fixes**

* **KSM-886:** File and thumbnail downloads no longer fail inside async runtimes — resolved a "builder error" that occurred when downloads were called from within a tokio runtime.

**Security updates**

* **reqwest 0.12 → 0.13.3** (KSM-922): Resolves four `rustls-webpki` advisories; TLS backend migrated to `aws-lc-rs`, the required foundation for FIPS 140-3 support.
* **openssl 0.10.75 → 0.10.78:** Resolves CVE-2026-41676, CVE-2026-41677, CVE-2026-41678, CVE-2026-41681  (CVSS 9.1–9.8, Critical).&#x20;

**Links:**

* [Crates.io package](https://crates.io/crates/keeper-secrets-manager-core/17.2.0)
* [docs.rs](https://docs.rs/keeper-secrets-manager-core/17.2.0)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://newdocs.keeper.io/en/release-notes/enterprise/keeper-secrets-manager/2026/may-2026.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.