[TT-12238] docs: Tyk 5.8.14 release notes

developer-support/release-notes/dashboard.mdx

@@ -1280,6 +1280,130 @@ Fixed an issue where the `/apis/streams/{apiID}` endpoint was expecting a `Conte
 
 ## 5.8 Release Notes
 
+### 5.8.14 Release Notes 
+
+#### Release Date xx April 2026
+
+#### Release Highlights
+
+**JavaScript Unicode Regex Import**
+
+Fixed an issue where Unicode regular expressions in JavaScript middleware were not properly imported from OpenAPI specifications. This resolves validation and pattern-matching errors that could occur when working with international character sets in API definitions.
+
+**Dashboard Certificate Filtering**
+
+Resolved a bug in the Dashboard's certificate filter functionality for APIs, ensuring that SSL/TLS certificates are correctly filtered and displayed when managing API configurations. This improvement enhances the reliability of certificate management workflows.
+
+The Dashboard has also been updated to use Go 1.25, and CVEs have been fixed, providing improved performance and security enhancements.
+
+For a comprehensive list of changes, please refer to the detailed [changelog](#Changelog-v5.8.14) below.
+
+#### Breaking Changes
+
+There are no breaking changes in this release.
+
+#### Dependencies
+<a id="dependencies-5.8.14"></a>
+
+##### Compatibility Matrix For Tyk Components
+
+| Gateway Version | Recommended Releases | Backwards Compatibility |
+| :---- | :---- | :---- |
+| 5.8.14   | MDCB v2.10.0     | MDCB v2.10.0 |
+|         | Operator v1.4.0 | Operator v0.17 |
+|         | Sync v2.1.7     | Sync v2.1.1 |
+|         | Helm Chart v5.2.0 | Helm all versions |
+|         | EDP v1.17.1     | EDP all versions |
+|         | Pump v1.15.0    | Pump all versions |
+|         | TIB (if using standalone) v1.7.1 | TIB all versions |
+
+##### 3rd Party Dependencies & Tools
+
+| Third Party Dependency                                       | Tested Versions        | Compatible Versions    | Comments | 
+| :------------------------------------------------------------ | :---------------------- | :---------------------- | :-------- | 
+| [Go](https://go.dev/dl/)                                     | 1.25  |  1.25  | [Go plugins](/api-management/plugins/golang) must be built using Go 1.25 | 
+| [Redis](https://redis.io/download/)  | 6.2.x, 7.x  | 6.2.x, 7.x  | Used by Tyk Gateway | 
+| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3)| v3.0.x                 | v3.0.x                 | Supported by [Tyk OAS](/api-management/gateway-config-tyk-oas) |
+
+Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
+
+#### Deprecations
+
+There are no deprecations in this release.
+
+#### Upgrade instructions
+<a id="upgrade-5.8.14"></a>
+
+If you are upgrading to 5.8.14, please follow the detailed [upgrade instructions](#upgrading-tyk).
+
+#### Downloads
+
+- [Docker Image to pull](https://hub.docker.com/r/tykio/tyk-dashboard/tags?page=&page_size=&ordering=&name=v5.8.14)
+  - ```bash
+    docker pull tykio/tyk-dashboard:v5.8.14
+    ```
+- Helm charts
+  - [tyk-charts v5.2.0](/developer-support/release-notes/helm-chart#5-2-0-release-notes)
+
+#### Changelog
+<a id="Changelog-v5.8.14" data-scroll-offset></a>
+
+##### Changed
+
+<AccordionGroup>
+
+<Accordion title='Updated Dashboard to Go 1.25'>
+Updated the Tyk Dashboard to use Go 1.25, ensuring compatibility with the latest Go runtime features and reducing exposure to potential security vulnerabilities in older versions.
+</Accordion>
+
+</AccordionGroup>
+
+##### Fixed
+
+<AccordionGroup>
+
+<Accordion title='Fixed JavaScript Regex Unicode Escape Sequence Handling in OpenAPI Import'>
+Resolved an issue where JavaScript-style Unicode regex patterns in OpenAPI specifications failed validation during API import. Previously, when regex patterns containing Unicode escape sequences (like `\u0000-\u017f`) were defined with single quotes in YAML, the YAML-to-JSON conversion process would double-escape the backslashes, transforming valid `\u` sequences into invalid `\\u` sequences that were rejected by Tyk's regex validator.
+
+The system now automatically translates these escape sequences during API ingestion, ensuring that OpenAPI specifications with JavaScript regex patterns import successfully regardless of whether single or double quotes are used in the YAML definition.
+</Accordion>
+
+<Accordion title='Fixed Dashboard Certificate Filter for APIs'>
+Resolved an issue where the Dashboard's "Filter by API" feature on the TLS/SSL Certificates page did not return all certificates linked to an API. Previously, the filter only displayed certificates used for client-to-gateway static mTLS, ignoring certificates used for gateway-to-upstream mTLS, custom domain certificates, and certificate pinning. This resulted in incomplete and misleading results for users trying to view all certificates actively used by a given API.
+
+The Dashboard now correctly returns all certificate types when filtering by API.
+</Accordion>
+
+</AccordionGroup>
+
+##### Security Fixes
+
+<AccordionGroup>
+
+<Accordion title='CVE fixed'>
+Addressed CVEs reported in dependent libraries, providing increased protection against security
+vulnerabilities, including, but not limited to:
+
+- <a href="https://cvereports.com/reports/GHSA-6G7G-W4F8-9C9X" target="_blank">GHSA-6g7g-w4f8-9c9x</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-33186" target="_blank">CVE-2026-33186</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-29063" target="_blank">CVE-2025-29063</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-33487" target="_blank">CVE-2026-33487</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-15558" target="_blank">CVE-2025-15558</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-1229" target="_blank">CVE-2026-1229</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39883" target="_blank">CVE-2026-39883</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39882" target="_blank">CVE-2026-39882</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-33762" target="_blank">CVE-2026-33762</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34165" target="_blank">CVE-2026-34165</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-62718" target="_blank">CVE-2025-62718</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-40175" target="_blank">CVE-2026-40175</a>
+
+</Accordion>
+
+</AccordionGroup>
+
+
+---
+
 ### 5.8.12 Release Notes
 
 #### Release Date 11 March 2026

developer-support/release-notes/gateway.mdx

@@ -1503,6 +1503,180 @@ Upgraded to use the latest upstream version of kin-openapi (v0.132.0). This ensu
 
 ## 5.8 Release Notes
 
+### 5.8.14 Release Notes 
+
+#### Release Date xx April 2026
+
+#### Release Highlights
+
+This patch release addresses several issues affecting TLS configuration, authentication, and API functionality. Key fixes include resolving client mTLS authentication problems between Tyk Gateways, restoring TLS 1.3 as the default gateway TLS version, and correcting CORS preflight handling with the AllowList middleware. Additionally, the release resolves analytics generation issues for OAS API mock endpoints and ensures OpenTelemetry configuration files are properly recognized.
+
+The Gateway and Plugin Compiler have been updated to Go 1.25, providing improved performance and security enhancements.
+
+For a comprehensive list of changes, please refer to the detailed [changelog](#Changelog-v5.8.14) below.
+
+#### Breaking Changes
+**1. Query parameter handling in Tyk internal loops (tyk://) now requires explicit configuration**
+
+In Tyk Gateway version 5.8.14, we have fixed inconsistent query parameter behavior in URL rewrites using Tyk internal loops (`tyk://api-id/path`). Previously, query parameters added to the `rewrite_to` URL were silently dropped, while original request parameters were automatically preserved. This behavior was inconsistent with standard HTTP URL rewrites and prevented proper parameter transformation during internal API routing.
+
+**Impact**
+- Original request query parameters are no longer automatically forwarded through internal loops
+- Existing URL rewrite configurations may lose query parameters that were previously passed through automatically
+- APIs relying on automatic parameter forwarding will receive incomplete requests
+
+**Migration Required**
+Update your URL rewrite configurations to explicitly include any original query parameters you want to preserve. For example:
+- **Before:** `"rewrite_to": "tyk://api-123/endpoint"` (original params auto-forwarded)
+- **After:** `"rewrite_to": "tyk://api-123/endpoint?param1=$tyk_context.request_data.param1"`
+
+
+#### Dependencies
+<a id="dependencies-5.8.14"></a>
+
+##### Compatibility Matrix For Tyk Components
+
+| Gateway Version | Recommended Releases | Backwards Compatibility |
+| :---- | :---- | :---- |
+| 5.8.14   | MDCB v2.10.0     | MDCB v2.10.0 |
+|         | Operator v1.4.0 | Operator v0.17 |
+|         | Sync v2.1.7    | Sync v2.1.0 |
+|         | Helm Chart v5.2.0 | Helm all versions |
+|         | Pump v1.15.0    | Pump all versions |
+
+##### 3rd Party Dependencies & Tools
+<a id="3rdPartyTools-v5.8.14"></a>
+
+| Third Party Dependency                                       | Tested Versions        | Compatible Versions    | Comments | 
+| :------------------------------------------------------------ | :---------------------- | :---------------------- | :-------- | 
+| [Go](https://go.dev/dl/)                                     | 1.25  |  1.25  | [Go plugins](/api-management/plugins/golang) must be built using Go 1.25 | 
+| [Redis](https://redis.io/download/)  | 6.2.x, 7.x  | 6.2.x, 7.x  | Used by Tyk Gateway | 
+| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3)| v3.0.x                 | v3.0.x                 | Supported by [Tyk OAS](/api-management/gateway-config-tyk-oas) |
+
+Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
+
+#### Deprecations
+
+There are no deprecations in this release.
+
+#### Upgrade instructions
+<a id="upgrade-5.8.14"></a>
+
+If you are upgrading to 5.8.14, please follow the detailed [upgrade instructions](#upgrading-tyk).
+
+#### Downloads
+
+- [Docker Image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=&page_size=&ordering=&name=v5.8.14)
+  - ```bash
+    docker pull tykio/tyk-gateway:v5.8.14
+    ```
+- Helm charts
+  - [tyk-charts v5.2.0](/developer-support/release-notes/helm-chart#5-2-0-release-notes)
+
+- [Source code tarball of Tyk Gateway v5.8.14](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.14)
+
+#### Changelog
+<a id="Changelog-v5.8.14" data-scroll-offset></a>
+
+##### Changed
+
+<AccordionGroup>
+
+<Accordion title='Updated Gateway and Plugin Compiler to Go 1.25'>
+Updated the Tyk Gateway and Plugin Compiler to use Go 1.25, ensuring compatibility with the latest Go runtime features and reducing exposure to potential security vulnerabilities in older versions.
+</Accordion>
+
+</AccordionGroup>
+
+##### Fixed
+
+<AccordionGroup>
+
+<Accordion title='Fixed Log Level for Client TLS Certificate Requirement Errors'>
+Resolved an issue where "Client TLS certificate is required" errors were logged at WARNING level, creating unnecessary noise in production logs. Previously, these common client-side authentication failures generated excessive warning-level log entries that could trigger false alerts and obscure more critical issues. The Gateway now logs these authentication failures at INFO level, maintaining security visibility while reducing log noise and alert fatigue for operations teams.
+</Accordion>
+
+<Accordion title='Fixed malformed responses from Go plugins returning error status codes'>
+Resolved an issue where Go plugins returning error status codes caused duplicate `response.WriteHeader` calls, resulting in malformed response bodies that concatenated the original plugin response with additional Gateway error messages. 
+
+The Gateway now properly handles plugin-generated error responses without double-writing headers, ensuring response bodies contain only the original plugin content and eliminating superfluous WriteHeader warnings in logs.
+</Accordion>
+
+<Accordion title='Fixed query parameter handling in Tyk internal loops (tyk://)'>
+Resolved inconsistent query parameter handling in URL rewrites using Tyk internal loops (`tyk://api-id/path`). Previously, custom query parameters specified in the `rewrite_to` URL were silently dropped, while original request parameters were unexpectedly preserved.
+
+**What's Fixed:**
+- Query parameters explicitly added to `rewrite_to` URLs are now correctly passed to target APIs
+- Control parameters (`method`, `loop_limit`, `check_limits`) are properly consumed and removed
+- Behavior now matches standard HTTP URL rewrites for consistency
+
+Original request query parameters are no longer automatically forwarded through internal loops. Update your URL rewrite configurations to explicitly include any required parameters in the `rewrite_to` URL.
+</Accordion>
+
+<Accordion title='Fixed Client mTLS Authentication Between Tyk Gateways'>
+Resolved an issue where a Tyk Gateway acting as a client (using upstream mTLS) would fail to authenticate against another mTLS-protected Tyk Gateway or upstream server, resulting in `HTTP 403 Forbidden: "Client TLS certificate is required"` errors.
+
+The Gateway now reliably presents the configured upstream client certificate whenever requested by the target server, ensuring seamless mTLS communication between gateways and other upstream services.
+</Accordion>
+
+<Accordion title='Fixed Default Gateway TLS Version to TLS 1.3'>
+Resolved an issue where the Tyk Gateway default maximum TLS version was incorrectly set to TLS 1.2 instead of TLS 1.3.
+
+Tyk Gateway now follows Go's native TLS defaults (TLS 1.2 minimum, TLS 1.3 maximum), aligning with industry security standards. This maintains full backward compatibility for existing deployments that explicitly configure TLS versions.
+
+To change the maximum TLS version, you must now explicitly set `TYK_GW_HTTPSERVEROPTIONS_MAXVERSION` for client-to-Gateway connections or `TYK_GW_PROXYSSLMAXVERSION` for Gateway-to-upstream connections.
+
+To change the minimum TLS version, you must now explicitly set `TYK_GW_HTTPSERVEROPTIONS_MINVERSION` for client-to-Gateway connections or `TYK_GW_PROXYSSLMINVERSION` for Gateway-to-upstream connections.
+</Accordion>
+
+<Accordion title='Fixed CORS Preflight Blocking by AllowList Middleware'>
+Resolved an issue where CORS preflight OPTIONS requests were incorrectly blocked by the AllowList middleware when `options_passthrough` was disabled. Previously, when APIs had CORS enabled with Tyk handling OPTIONS requests internally (`options_passthrough: false`), preflight requests would fail AllowList validation because users typically don't explicitly define OPTIONS endpoints in their AllowList configurations, causing "Requested endpoint is forbidden" errors.
+
+The Tyk Gateway now properly recognizes CORS preflight requests and allows them to bypass AllowList middleware checks when Tyk is configured to handle OPTIONS internally, restoring the expected behavior where CORS preflight handling works automatically without requiring explicit OPTIONS endpoint definitions.
+</Accordion>
+
+<Accordion title='Fixed Analytics Generation for OAS API Mock Endpoints'>
+Resolved an issue where OAS APIs with mock endpoints stopped generating analytics data. Previously, analytics were properly captured for mock responses in OAS APIs since the Mock Middleware executes at the end of the middleware chain, but this functionality was inadvertently broken while fixing an unrelated internal API proxying issue.
+
+Tyk Gateway now correctly generates analytics for OAS API mock endpoints while maintaining the existing behavior for Classic APIs, which intentionally do not generate analytics for mock endpoints, as it is documented.
+</Accordion>
+
+<Accordion title='Fixed OpenTelemetry Configuration File Settings Being Ignored'>
+Resolved an issue where OpenTelemetry settings in the Gateway configuration file were not being applied. Previously, when users configured OpenTelemetry via the `opentelemetry` section in the Gateway config file (including `enabled`, `exporter`, and `endpoint` fields), these settings were ignored, and only environment variables like `TYK_GW_OPENTELEMETRY_ENABLED` would take effect. 
+Tyk Gateway now properly reads and applies OpenTelemetry configuration from the config file as documented.
+</Accordion>
+
+<Accordion title='Resolved issue with Gateway entering an unresponsive state during registration failures'>
+Fixed an issue where the Gateway would fail to load APIs and policies if the Dashboard database was temporarily unavailable during startup. The Gateway will now automatically retry loading configurations with exponential backoff until successful, restoring self-healing capabilities without requiring a manual restart.
+</Accordion>
+
+<Accordion title='Fixed error response format for SOAP+XML requests'>
+Resolved an issue where requests with the `application/soap+xml` Content-Type received JSON-formatted error responses instead of the expected XML format. The Gateway now correctly returns XML-formatted errors for SOAP requests.
+</Accordion>
+
+</AccordionGroup>
+
+##### Security Fixes
+
+<AccordionGroup>
+
+<Accordion title='CVE fixed'>
+Addressed CVEs reported in dependent libraries, providing increased protection against security
+vulnerabilities, including, but not limited to:
+
+- <a href="https://cvereports.com/reports/GHSA-6G7G-W4F8-9C9X" target="_blank">GHSA-6g7g-w4f8-9c9x</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-33186" target="_blank">CVE-2026-33186</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-15558" target="_blank">CVE-2025-15558</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39883" target="_blank">CVE-2026-39883</a>
+- <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39882" target="_blank">CVE-2026-39882</a>
+
+</Accordion>
+
+</AccordionGroup>
+
+
+---
+
 ### 5.8.12 Release Notes
 
 #### Release Date 11 March 2026

developer-support/release-notes/overview.mdx

@@ -11,7 +11,7 @@ export const releaseData = {
       "licensed": true,
       "latest": "5.12.0",
       "releaseNotesPath": "developer-support/release-notes/dashboard",
-      "lts": "5.8.12",
+      "lts": "5.8.14",
       "latestData": {
         "name": "5.12.0",
         "date": "06/03/2026",
@@ -74,7 +74,7 @@ export const releaseData = {
       "licensed": false,
       "latest": "5.12.0",
       "releaseNotesPath": "developer-support/release-notes/gateway",
-      "lts": "5.8.12",
+      "lts": "5.8.14",
       "latestData": {
         "name": "5.12.0",
         "date": "06/03/2026",