Upgrade urgency LOW: This is the first release candidate of Valkey 9.1.0, with new features, performance improvements, and bug fixes.

• Database-level access control by @dvkashapov (#2309)
• Move Lua scripting engine into a Valkey module by @rjd15372 (#2858)
• Support cross node consistency for SCAN commands through configurable DB hash seed by @sarthakaggarwal97 (#2608)
• Support automatic TLS reload by @yang-z-o (#3020)
• Support TLS authentication using SAN URI by @yang-z-o (#3078)
• Prevent invalid TLS certificates from being loaded by @yang-z-o (#2999)
• Failing to save the cluster config file will no longer exit the process by @enjoy-binbin (#1032)

• Makes CLUSTER KEYSLOT available in standalone mode by @stockholmux (#3040)
• Update HSETEX so that it always issue keyspace notifications after validation by @ranshid (#3001)
• Adds HGETDEL command by @roshkhatri (#2851)
• Support NX/XX flag in HSETEX command by @hanxizh9910 (#2668)
• New CLUSTERSCAN command for cluster-wide key scanning across nodes by @nmvk (#2934)
• New MSETEX command to set multiple keys with a shared expiration by @enjoy-binbin (#3121)
• CLUSTER SHARDS/CLUSTER SLOTS now include an availability-zone field by @bandalgomsu (#3156)

• Optimize zset memory usage by embedding element in skiplist by @chzhoo (#2508)
• Remove internal server object pointer overhead in small strings by @rainsupreme (#2516)
• Optimize skiplist query efficiency by embedding the skiplist header by @chzhoo (#2867)
• Improve performance during rehashing by @chzhoo (#3073)
• Optimize SREM/ZREM/HDEL to pause auto shrink when deleting multiple items by @enjoy-binbin (#3144)
• Abort and swap the tables if ht1 is very full during the hashtable shrink rehashing by @enjoy-binbin (#3175)
• Improve performance of copy avoidance when command reply tracking is disabled by @dvkashapov (#3086)
• Enable hardware clock by default by @dvkashapov (#3103)
• Improve COMMAND performance by caching responses by @ebarskiy (#2839)
• Add support for asynchronous freeing of keys on writable replicas by @Scut-Corgis (#2849)
• Faster XRANGE/XREVRANGE via stream range hot-path optimization by @nesty92 (#3002)
• Replicas can reuse the RDB file as AOF preamble after disk-based full sync by @RayaCoo (#1901)

• Add ValkeyModule_ClusterKeySlotC by @bandalgomsu (#2984)
• Add more client info flags to module API by @martinrvisser (#2868)
• Add prefix-aware ACL permission checks and new module API by @eifrah-aws (#2796)
• Support unsigned 64-bit numeric config values in module API by @artikell (#1546)

• Cumulative metrics for active I/O threads usage by @deepakrn (#2463)
• Cumulative metric for active main thread usage by @dvkashapov (#2931)
• Support whole cluster info for INFO command in cluster_info section by @soloestoy, @ranshid (#2876, #2964)
• Add remaining_repl_size field in CLUSTER GETSLOTMIGRATIONS output by @enjoy-binbin (#3135)
• Add logging helper function to print node's ip:port when nodename not explicitly set by @zhijun42 (#2777)
• Dual-channel-replication announces itself at replica-announce-ip if configured by @jdheyburn (#2846)
• Show replica dual-channel replication buffer memory in INFO MEMORY and MEMORY STATS by @enjoy-binbin (#2924)
• Add rdb_transmitted state to replica state in INFO by @enjoy-binbin (#2833)
• New INFO section for scripting engines by @rjd15372 (#2738)
• Adding json support for log-format config by @jbergstroem (#1791)
• Add server side TLS certificate expiry tracking and INFO telemetry by @YiwenZhang12 (#2913)
• Add option to use libbacktrace for backtraces in crash reports by @rainsupreme (#3034)

• Show RPS histogram in valkey-benchmark by @hanxizh9910 (#2471)
• Add --warmup and --duration parameters to valkey-benchmark by @rainsupreme (#2581)
• Lazy loading of RDMA libs in CLI/Benchmark when building as module by @Ada-Church-Closure (#3072)
• Add support for atomic slot migration to valkey-cli by @murphyjacob4 (#2755)
• Replace C++ fast_float dependency with pure C implementation (ffc) by @lemire (#3329)

• Strictly check CRLF when parsing querybuf by @enjoy-binbin (#2872)

• Adam Fowler @adam-fowler
• Aditya Teltia @AdityaTeltia
• Alina Liu @asagege
• Allen Samuels @allenss-amazon
• Alon Arenberg @alon-arenberg
• aradz44 @aradz44
• Arthur Lee @arthurkiller
• bandalgomsu @bandalgomsu
• Baswanth @baswanth09
• Benson-li @li-benson
• Binbin @enjoy-binbin
• Björn Svensson @bjosv
• bpint @bpint
• chzhoo @chzhoo
• cjx-zar @cjx-zar
• Daniil Kashapov @dvkashapov
• Deepak Nandihalli @deepakrn
• Diego Ciciani @diegociciani
• eifrah-aws @eifrah-aws
• Evgeny Barskiy @ebarskiy
• Gabi Ganam @gabiganam
• Gagan H R @gaganhr94
• Hanxi Zhang @hanxizh9910
• Harkrishn Patro @hpatro
• Harry Lin @harrylin98
• hieu2102 @hieu2102
• Jacob Murphy @murphyjacob4
• jiegang0219 @jiegang0219
• Jim Brunner @JimB123
• Johan Bergström @jbergstroem
• John @johnufida
• Joseph Heyburn @jdheyburn
• Katie Holly @Fusl
• Ken @otherscase
• korjeek @korjeek
• Kurt McKee @kurtmckee
• Kyle J. Davis @stockholmux
• Kyle Kim @kyle-yh-kim
• Leon Anavi @leon-anavi
• Madelyn Olson @madolson
• Mangat Singh Toor @immangat
• Marc Jakobi @mrcjkb
• martinrvisser @martinrvisser
• Marvin Rösch @marvinroesch
• Murad Shahmammadli @MuradSh
• NAM UK KIM @namuk2004
• Nikhil Manglore @Nikhil-Manglore
• Ouri Half @ouriamzn
• Patrik Hermansson @phermansson
• Ping Xie @PingXie
• Quanye Yang @Ada-Church-Closure
• Rain Valentine @rainsupreme
• Ran Shidlansik @ranshid
• Ricardo Dias @rjd15372
• Ritoban Dutta @ritoban23
• Roshan Khatri @roshkhatri
• ruihong123 @ruihong123
• Sachin Venkatesha Murthy @sachinvmurthy
• Sarthak Aggarwal @sarthakaggarwal97
• Satheesha CH Gowda @satheesha
• Seungmin Lee @sungming2
• Shinobu Nunotaba @Ada-Church-Closure
• Simon Baatz @gmbnomis
• skyfirelee @artikell
• Sourav Singh Rawat @frostzt
• stydxm @stydxm
• Ted Lyngmo @TedLyngmo
• Tony Wooster @twooster
• uriyage @uriyage
• Vadym Khoptynets @poiuj
• Venkat Pamulapati @ChiliPaneer
• Viktor Söderqvist @zuiderkwast
• Vitah Lin @vitahlin
• Vitali @VitalyAR
• withRiver @withRiver
• wxmzy88 @wxmzy88
• xbasel @xbasel
• Yair Gottdenker @yairgott
• Yana Molodetsky @yanamolo
• Yang Zhao @yang-z-o
• Yiwen Zhang @YiwenZhang12
• yzc-yzc @yzc-yzc
• zhaozhao.zz @soloestoy
• Zhijun Liao @zhijun42

Upgrade urgency SECURITY: This release includes security fixes we recommend you apply as soon as possible.

• (CVE-2025-67733) RESP Protocol Injection via Lua error_reply
• (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
• (CVE-2026-27623) Reset request type after handling empty requests

• Avoids crash during MODULE UNLOAD when ACL rules reference a module command and subcommand (#3160)
• Fix server assert on ACL LOAD when current user loses permission to channels (#3182)
• Fix bug causing no response flush sometimes when IO threads are busy (#3205)

Upgrade urgency SECURITY: This release includes security fixes we recommend you apply as soon as possible.

• (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
• (CVE-2025-67733) RESP Protocol Injection via Lua error_reply

• Restrict ttl from being negative and avoid crash in import-mode (#2944)
• Fix chained replica crash when doing dual channel replication (#2983)
• Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
• Fix crashing while MODULE UNLOAD when ACL rules reference a module command or subcommand (#3160)
• Fix server assert on ACL LOAD and resetchannels (#3182)
• Fix bug causing no response flush sometimes when IO threads are busy (#3205)

Upgrade urgency SECURITY: This release includes security fixes we recommend you apply as soon as possible.

• (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
• (CVE-2025-67733) RESP Protocol Injection via Lua error_reply

• Fix ltrim should not call signalModifiedKey when no elements are removed (#2787)
• Fix chained replica crash when doing dual channel replication (#2983)
• Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
• Avoids crash during MODULE UNLOAD when ACL rules reference a module command and subcommand (#3160)
• Fix server assert on ACL LOAD and resetchannels (#3182)
• Fix bug causing no response flush sometimes when IO threads are busy (#3205)

Upgrade urgency SECURITY: This release includes security fixes we recommend you apply as soon as possible.

• (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message (https://github.com/valkey-io/valkey/pull/3249)
• (CVE-2025-67733) RESP Protocol Injection via Lua error_reply (https://github.com/valkey-io/valkey/pull/3249)

• Fix ltrim should not call signalModifiedKey when no elements are removed (#2787)
• Fix potential infinite loop in clusterNodeGetMaster (#2830)
• Avoids crash during MODULE UNLOAD when ACL rules reference a module command and subcommand (#3160)

Upgrade urgency HIGH: There are critical bugs that may affect a subset of users.

• Avoid memory leak of new argv when HEXPIRE commands target only non-exiting fields (#2973)
• Fix HINCRBY and HINCRBYFLOAT to update volatile key tracking (#2974)
• Avoid empty hash object when HSETEX added no fields (#2998)
• Fix case-sensitive check for the FNX and FXX arguments in HSETEX (#3000)
• Prevent assertion in active expiration job after a hash with volatile fields is overwritten (#3003, #3007)
• Fix HRANDFIELD to return null response when no field could be found (#3022)
• Fix HEXPIRE to not delete items when validation rules fail and expiration is in the past (#3023, #3048)
• Fix how hash is handling overriding of expired fields overwrite (#3060)
• HSETEX - Always issue keyspace notifications after validation (#3001)
• Make zero a valid TTL for hash fields during import mode and data loading (#3006)
• Trigger prepareCommand on argc change in module command filters (#2945)
• Restrict TTL from being negative and avoid crash in import-mode (#2944)
• Fix chained replica crash when doing dual channel replication (#2983)
• Skip slot cache optimization for AOF client to prevent key duplication and data corruption (#3004)
• Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
• Avoid duplicate calculations of network-bytes-out in slot stats with copy-avoidance (#3046)
• Fix XREAD returning error on empty stream with + ID (#2742)

• Track reply bytes in I/O threads if commandlog-reply-larger-than is -1 (#3086, #3126). This makes it possible to mitigate a performance regression in 9.0.1 caused by the bug fix #2652.

Full Changelog: https://github.com/valkey-io/valkey/compare/9.0.1...9.0.2

Upgrade urgency MODERATE: Program an upgrade of the server, but it's not urgent.

• Authenticate slot migration client on source node to internal user (#2785)
• Bug fix: reset io_last_written on c->buf resize to prevent stale pointers (#2786)
• Sentinel: fix regression requiring "+failover" ACL in failover path (#2780)
• Cluster: Avoid usage of light weight messages to nodes with not ready bidirectional links (#2817)
• Send duplicate multi meet packet only for node which supports it in mixed clusters (#2840)
• Fix: LTRIM should not call signalModifiedKey when no elements are removed (#2787)
• Fix build on some 32-bit ARM by only using NEON on AArch64 (#2873)
• Fix deadlock in IO-thread shutdown during panic (#2898)
• Fix COMMANDLOG large-reply when using reply copy avoidance (#2652)
• Fix CLUSTER SLOTS crash when called from module timer callback (#2915)

Full Changelog: https://github.com/valkey-io/valkey/compare/9.0.0...9.0.1

Upgrade urgency MODERATE: Program an upgrade of the server, but it's not urgent.

• Fix Lua VM crash after FUNCTION FLUSH ASYNC + FUNCTION LOAD (#1826)
• Fix invalid memory address caused by hashtable shrinking during safe iteration (#2753)
• Cluster: Avoid usage of light weight messages to nodes with not ready bidirectional links (#2817)
• Send duplicate multi meet packet only for node which supports it (#2840)
• Fix loading AOF files from future Valkey versions (#2899)

Full Changelog: https://github.com/valkey-io/valkey/compare/8.1.4...8.1.5

Upgrade urgency LOW: This is the first release of Valkey 9.0 which includes stability, bug fixes, and incremental improvements over the third release candidate.

• HSETEX with FXX should not create an object if it does not exist (#2716)
• Fix crash when aborting a slot migration while child snapshot is active (#2721)
• Fix double MOVED reply on unblock at failover (#2734)
• Fix memory leak with CLIENT LIST/KILL duplicate filters (#2362)
• Fix incorrect accounting after completed atomic slot migration (#2749)
• Fix Lua VM crash after FUNCTION FLUSH ASYNC + FUNCTION LOAD (#1826, #2750)
• Fix invalid memory address caused by hashtable shrinking during safe iteration (#2753)

Upgrade urgency LOW: This is the third release candidate of Valkey 9.0.0, focused on stability, bug fixes, and incremental improvements.

• (CVE-2025-49844) A Lua script may lead to remote code execution
• (CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
• (CVE-2025-46818) A Lua script can be executed in the context of another user
• (CVE-2025-46819) LUA out-of-bound read

• Optimize skiplist random level generation logic (#2631)

• Redirect blocked clients after failover (#2329)
• Prevent exposure of importing keys on replicas during atomic slot migration (#2635)
• Add slot migration client flags and module context flags (#2639)
• Introduce SYNCSLOTS CAPA for forwards compatibility (#2688)

• Fix atomic slot migration snapshot never proceeding with hz 1 (#2636)
• Defrag if slab 1/8 full to fix defrag didn't stop issue (#2656)
• Fix module key memory usage accounting (#2661)
• Fix dual rdb channel connection error log (#2658)

• Implement a lolwut for version 9 (#2646)