Commit 947907e

Update gateway.mdx
1 parent d1dde8d commit 947907e

1 file changed

+56
-10
lines changed


developer-support/release-notes/gateway.mdx

Lines changed: 56 additions & 10 deletions
@@ -44,13 +44,25 @@ For a comprehensive list of changes, please refer to the detailed [changelog](#C
4444

4545
#### Breaking Changes
4646

47-
There are no breaking changes in this release.
47+
**1. Query parameter handling in Tyk internal loops (tyk://) now requires explicit configuration**
48+
49+
In Tyk Gateway version 5.8.14, we have fixed inconsistent query parameter behavior in URL rewrites using Tyk internal loops (`tyk://api-id/path`). Previously, query parameters added to the `rewrite_to` URL were silently dropped, while original request parameters were automatically preserved. This behavior was inconsistent with standard HTTP URL rewrites and prevented proper parameter transformation during internal API routing.
50+
51+
**Impact**
52+
- Original request query parameters are no longer automatically forwarded through internal loops
53+
- Existing URL rewrite configurations may lose query parameters that were previously passed through automatically
54+
- APIs relying on automatic parameter forwarding will receive incomplete requests
55+
56+
**Migration Required**
57+
Update your URL rewrite configurations to explicitly include any original query parameters you want to preserve. For example:
58+
- **Before:** `"rewrite_to": "tyk://api-123/endpoint"` (original params auto-forwarded)
59+
- **After:** `"rewrite_to": "tyk://api-123/endpoint?param1=$tyk_context.request_data.param1"`
4860

4961
##### Compatibility Matrix For Tyk Components
5062

5163
| Gateway Version | Recommended Releases | Backwards Compatibility |
5264
|--------|-------------------|---- |
53-
| 5.12.0 | MDCB v2.10.0 | MDCB v2.10.0 |
65+
| 5.13.0 | MDCB v2.10.0 | MDCB v2.10.0 |
5466
| | Operator v1.4.0 | Operator v0.17 |
5567
| | Sync v2.1.7 | Sync v2.1.0 |
5668
| | Helm Chart v5.2.0 | Helm all versions |
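Review bot: The new breaking-change entry says the fix landed "In Tyk Gateway version 5.8.14" while the compatibility matrix in the same hunk moves from 5.12.0 to 5.13.0; check the version before merge, and if the change was also backported to 5.8.14 say so explicitly, otherwise this line should name the release these notes describe. The migration example lists a single `param1`; since original parameters are no longer forwarded automatically, it would help to state that every parameter the target API needs must be named in `rewrite_to` and that anything not named is dropped, so operators treat the rewrite as an allow-list rather than discovering missing parameters after upgrade.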
@@ -315,17 +327,34 @@ For example, if an API has `config_data: {"environment": "staging", "team": "pla
315327

316328
<AccordionGroup>
317329

318-
(TBR!!)<Accordion title='Reduced Log Noise for TLS Certificate Authentication Errors'>
319-
Resolved an issue where TLS certificate authentication errors were creating excessive log noise. Previously, when clients attempted to connect without required TLS certificates, the "Client TLS certificate is required" message was logged at WARNING level, causing unnecessary alert fatigue in production environments where this is often expected behavior. The Gateway now logs these authentication failures at INFO level, maintaining security visibility while reducing log noise for operators.
330+
<Accordion title='Fixed Log Level for Client TLS Certificate Requirement Errors'>
331+
Resolved an issue where "Client TLS certificate is required" errors were logged at WARNING level, creating unnecessary noise in production logs. Previously, these common client-side authentication failures generated excessive warning-level log entries that could trigger false alerts and obscure more critical issues. The Gateway now logs these authentication failures at INFO level, maintaining security visibility while reducing log noise and alert fatigue for operations teams.
332+
</Accordion>
333+
334+
<Accordion title='Fixed malformed responses from Go plugins returning error status codes'>
335+
Resolved an issue where Go plugins returning error status codes caused duplicate `response.WriteHeader` calls, resulting in malformed response bodies that concatenated the original plugin response with additional Gateway error messages.
336+
337+
The Gateway now properly handles plugin-generated error responses without double-writing headers, ensuring response bodies contain only the original plugin content and eliminating superfluous WriteHeader warnings in logs.
338+
</Accordion>
339+
340+
<Accordion title='Fixed query parameter handling in Tyk internal loops (tyk://)'>
341+
Resolved inconsistent query parameter handling in URL rewrites using Tyk internal loops (`tyk://api-id/path`). Previously, custom query parameters specified in the `rewrite_to` URL were silently dropped, while original request parameters were unexpectedly preserved.
342+
343+
**What's Fixed:**
344+
- Query parameters explicitly added to `rewrite_to` URLs are now correctly passed to target APIs
345+
- Control parameters (`method`, `loop_limit`, `check_limits`) are properly consumed and removed
346+
- Behavior now matches standard HTTP URL rewrites for consistency
347+
348+
Original request query parameters are no longer automatically forwarded through internal loops. Update your URL rewrite configurations to explicitly include any required parameters in the `rewrite_to` URL.
320349
</Accordion>
321350

322-
<Accordion title='!!Fixed Client mTLS Authentication Between Tyk Gateways'>
351+
<Accordion title='Fixed Client mTLS Authentication Between Tyk Gateways'>
323352
Resolved an issue where a Tyk Gateway acting as a client (using upstream mTLS) would fail to authenticate against another mTLS-protected Tyk Gateway or upstream server, resulting in `HTTP 403 Forbidden: "Client TLS certificate is required"` errors.
324353

325354
The Gateway now reliably presents the configured upstream client certificate whenever requested by the target server, ensuring seamless mTLS communication between gateways and other upstream services.
326355
</Accordion>
327356

328-
<Accordion title='!!Fixed Default Gateway TLS Version to TLS 1.3'>
357+
<Accordion title='Fixed Default Gateway TLS Version to TLS 1.3'>
329358
Resolved an issue where the Tyk Gateway default maximum TLS version was incorrectly set to TLS 1.2 instead of TLS 1.3.
330359

331360
Tyk Gateway now follows Go's native TLS defaults (TLS 1.2 minimum, TLS 1.3 maximum), aligning with industry security standards. This maintains full backward compatibility for existing deployments that explicitly configure TLS versions.
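Review bot: The new internal-loops accordion repeats the migration guidance from the Breaking Changes section without linking to it; add a cross-reference (the file already uses anchor links such as `[changelog](#C...)`) so the two passages do not drift apart. In the Go plugin entry, `response.WriteHeader` is in backticks on the first line but `WriteHeader` is bare on the second; use the same formatting. The TLS log-level entry's claim that INFO "maintains security visibility" only holds for deployments that ship INFO-level logs; a sentence noting that operators filtering below WARNING will no longer see "Client TLS certificate is required" failures would avoid a silent loss of signal.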
@@ -335,24 +364,24 @@ To change the maximum TLS version, you must now explicitly set `TYK_GW_HTTPSERVE
335364
To change the minimum TLS version, you must now explicitly set `TYK_GW_HTTPSERVEROPTIONS_MINVERSION` for client-to-Gateway connections or `TYK_GW_PROXYSSLMINVERSION` for Gateway-to-upstream connections.
336365
</Accordion>
337366

338-
<Accordion title='!!Fixed CORS Preflight Blocking by AllowList Middleware'>
367+
<Accordion title='Fixed CORS Preflight Blocking by AllowList Middleware'>
339368
Resolved an issue where CORS preflight OPTIONS requests were incorrectly blocked by the AllowList middleware when `options_passthrough` was disabled. Previously, when APIs had CORS enabled with Tyk handling OPTIONS requests internally (`options_passthrough: false`), preflight requests would fail AllowList validation because users typically don't explicitly define OPTIONS endpoints in their AllowList configurations, causing "Requested endpoint is forbidden" errors.
340369

341370
The Tyk Gateway now properly recognizes CORS preflight requests and allows them to bypass AllowList middleware checks when Tyk is configured to handle OPTIONS internally, restoring the expected behavior where CORS preflight handling works automatically without requiring explicit OPTIONS endpoint definitions.
342371
</Accordion>
343372

344-
Accordion title='!!Fixed Analytics Generation for OAS API Mock Endpoints'>
373+
Accordion title='Fixed Analytics Generation for OAS API Mock Endpoints'>
345374
Resolved an issue where OAS APIs with mock endpoints stopped generating analytics data. Previously, analytics were properly captured for mock responses in OAS APIs since the Mock Middleware executes at the end of the middleware chain, but this functionality was inadvertently broken while fixing an unrelated internal API proxying issue.
346375

347376
Tyk Gateway now correctly generates analytics for OAS API mock endpoints while maintaining the existing behavior for Classic APIs, which intentionally do not generate analytics for mock endpoints, as it is documented.
348377
</Accordion>
349378

350-
<Accordion title='!!Fixed OpenTelemetry Configuration File Settings Being Ignored'>
379+
<Accordion title='Fixed OpenTelemetry Configuration File Settings Being Ignored'>
351380
Resolved an issue where OpenTelemetry settings in the Gateway configuration file were not being applied. Previously, when users configured OpenTelemetry via the `opentelemetry` section in the Gateway config file (including `enabled`, `exporter`, and `endpoint` fields), these settings were ignored, and only environment variables like `TYK_GW_OPENTELEMETRY_ENABLED` would take effect.
352381
Tyk Gateway now properly reads and applies OpenTelemetry configuration from the config file as documented.
353382
</Accordion>
354383

355-
<Accordion title='!!Resolved issue with Gateway entering an unresponsive state during registration failures'>
384+
<Accordion title='Resolved issue with Gateway entering an unresponsive state during registration failures'>
356385
Fixed an issue where the Gateway would fail to load APIs and policies if the Dashboard database was temporarily unavailable during startup. The Gateway will now automatically retry loading configurations with exponential backoff until successful, restoring self-healing capabilities without requiring a manual restart.
357386
</Accordion>
358387

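Review bot: The analytics accordion still opens as `Accordion title='Fixed Analytics Generation for OAS API Mock Endpoints'>` with no leading `<`; this hunk only strips the `!!` marker and leaves the tag malformed, which will either fail the MDX build or render the title as literal text and leave the following `</Accordion>` unmatched. Change it to `<Accordion title='Fixed Analytics Generation for OAS API Mock Endpoints'>`. Minor: the OpenTelemetry entry has no blank line between its two paragraphs, unlike the other accordions in this group.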
@@ -380,6 +409,23 @@ Resolved an issue where the `tyk.gateway.apis.loaded` and `tyk.gateway.policies.
380409

381410
</AccordionGroup>
382411

412+
##### Security Fixes
413+
414+
<AccordionGroup>
415+
416+
<Accordion title='CVE fixed'>
417+
Addressed CVEs reported in dependent libraries, providing increased protection against security
418+
vulnerabilities, including, but not limited to:
419+
420+
- <a href="https://cvereports.com/reports/GHSA-6G7G-W4F8-9C9X" target="_blank">GHSA-6g7g-w4f8-9c9x</a>
421+
- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-33186" target="_blank">CVE-2026-33186</a>
422+
- <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-15558" target="_blank">CVE-2025-15558</a>
423+
- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39883" target="_blank">CVE-2026-39883</a>
424+
- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39882" target="_blank">CVE-2026-39882</a>
425+
426+
</Accordion>
427+
428+
</AccordionGroup>
383429

384430
---
385431

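Review bot: The GHSA entry links to a third-party aggregator (cvereports.com) while the CVE entries link to NVD; point it at the canonical GitHub advisory (https://github.com/advisories/GHSA-6g7g-w4f8-9c9x) so readers land on the maintained source. The entry says only "dependent libraries" and names no package or fixed version for any of the five advisories; listing the dependency and the version bump per advisory lets operators verify the fix in their own builds and close scanner findings rather than taking the note on trust. Minor: links using `target="_blank"` conventionally carry `rel="noopener noreferrer"`.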