Before Upgrading
See the CircleCI server 4.10 release notes and upgrade guide for this release.
NOTE: Vault is being deprecated and will no longer be supported in server 5.0. Refer to our script for steps to migrate to Tink.
What’s New in Release 4.10.0
Updates
- Upgraded Nomad server to version 1.11.3, incorporating security fixes and performance improvements for job scheduling.
- Upgraded Nomad Autoscaler to 0.4.9, providing improved scaling control and reliability for VM auto-scaling.
- Increased Nomad server liveness probe tolerances to prevent unnecessary restarts during high-load periods while maintaining cluster health.
- Added automated liveness checks to GCP and AWS Nomad client machines that detect server IP changes and trigger automatic reconnection, eliminating silent job failures when the server is replaced.
- Migrated audit log functionality from a legacy service to the notifications service, streamlining maintenance and enabling S3 bucket export for audit logs.
- Updated machine image AMIs for AWS, GCP, and GovCloud regions to include latest security patches and system updates.
- Removed app.subdomain requirement for Circle Server UI access, simplifying deployment topology.
- Enabled gRPC client-side load balancing via headless Services. All internal gRPC paths now use Kubernetes Headless Service instead of ClusterIP, enabling proper client-side load balancing across replicas. This reduces hotspotting on large Server clusters.
New Features
- Added support for configurable SSH key algorithms (RSA, ECDSA, Ed25519) for deploy keys using the SSH_KEY_ALGORITHM environment variable, enabling FIPS 140-compliant environments and GovCloud deployments.
- It is now possible to delete Self-Hosted Runners resource classes directly in the Web UI, in the Runners inventory page. Customers can still do the same using CircleCI CLI.
- Added configuration options to customize CPU and memory resource requests and limits for internalized Nomad servers using nomad.server.resources.requests.cpu, nomad.server.resources.requests.memory, nomad.server.resources.limits.cpu, and nomad.server.resources.limits.memory values.
- Added Ubuntu 24.04 (ubuntu-2604) machine image support to EC2 image lists.
- RabbitMQ memory requests and limits are now exposed and configurable via your helm values.yaml.
Bug Fixes
- Fixed serial group deadlock when jobs have Unauthorized status by treating unauthorized as a terminal state for unlock job dependencies.
- Previously, when the organization-wide “Block all new work from starting for this organization” setting was enabled, it could still be bypassed by disabling the block at the project level with the “Block all new work from starting for this project” setting. This is now fixed, and the organization-level setting can no longer be bypassed.
- Fixed runner resource class creation via the UI which was previously failing due to backend validation errors.
- Fixed NGINX AWS Certificate Manager configuration to ensure Load Balancer Controller ports match Service ports, resolving reconciliation failures.
- Fixed ‘project not found’ errors in workflow rerun handler to return proper NOT_FOUND status instead of UNKNOWN for deleted projects.
- Fixed job page UI jitter and step disclosure collapse during background updates, improving user experience when viewing running jobs.
CVE Fixes
- CVE-2026-39882 in OpenTelemetry OTLP HTTP exporter was addressed in build-agent service.
- CVE-2026-34986 in go-jose library was addressed in oidc-tasks-service, public-api-service services.
- CVE-2026-33816 in pgx PostgreSQL driver was addressed in oidc-tasks-service, machine-provisioner, distributor, contexts-service services.
- CVE-2026-33814 in golang.org/x/net library was addressed in execution-gateway, docker-provisioner, output, distributor services.
- CVE-2026-45022 in go-git library was addressed in build-agent service.
- CVE-2026-45109 in Next.js was addressed in web-ui-server-admin service.
Configuration Changes
- MongoDB 7.0 is the default database image shipped with CircleCI Server 4.10.0 and above. MongoDB 4.4 has reached end of life and is no longer receiving security patches or updates from MongoDB, Inc. Customers must upgrade to MongoDB 7.0 before upgrading to server 4.10. Please use our mongo 7 upgrade script to upgrade the MongoDB in your CircleCI Server instance to 7.0.
- Implemented hard limit of 100 retries per workflow to prevent abuse. This limit is automatically enforced and cannot be configured.
- The trigger_parameters field in the pipeline values has been deprecated in favour of pipeline VCS fields. Customers should upgrade their integrations to use the new VCS field structure for pipeline triggers.
- Migrated to OpenTelemetry collector; removed Telegraf collector. Updated related configuration and deployment templates.
New Components
- notifications
Deprecated Components
- audit-log-service