This is a prerelease version.

View latest

Release Notes

5.10-SNAPSHOT 5.9 5.8 5.7 5.6 5.5 5.4 5.3 5.2 5.1 5.0

These release notes list any new features, enhancements, fixes, security issues and breaking changes that were made for Hazelcast Management Center.

5.9.0

For help downloading Hazelcast Management Center, see Install and start Management Center.

Release date: 2025-10-15

New features

  • Dynamic diagnostic logging (Beta): Diagnostic logging can now be controlled dynamically (i.e. at runtime) through Management Center without requiring a cluster restart. An optional auto-off timer can also be configured.

For more information, see Diagnostic logging.

Enhancements

  • TCP write queue metrics exposed: tcp_connection_out_writeQueuePendingBytes and priorityWriteQueuePendingBytes metrics are now available by default, improving visibility into network performance without requiring diagnostic logging. This information is available via JMX endpoint on the members and via Management Center’s Prometheus Exporter.

  • Prometheus metrics format updated: As part of the continued implementation of the improved Prometheus Exporter format, this update improves metrics formats for Events, Listeners, Operation, Threads, Memory, OS, GC, Capacity, Runtime, Operations and Threads. To prevent breaking changes in existing implementations, both the new and old Prometheus metrics formats are available. See Prometheus metrics.

  • hz-mc command now displays the existing security configuration: When running the hz-mc conf security get command, the current security provider is included in the output. This makes it easy to validate the Management Center security provider settings (all passwords are automatically masked).

  • Search field added to MC CP Sessions Metrics table: You can now search for the session ID within the CP Session table to find a specific entry quickly.

  • Maps listing shows which maps have indexes: This enhancement adds a column to the map listing to show whether the map has indexes enabled.

  • Time travel enhancement: Selecting the time to jump back to has been made easier as you can now set the amount and jump back in minutes or hours.

Fixes

  • Selected page persistence within tables: Resolves an issue where customers selected a page within a paginated table view, and the panel would revert to Page 1 instead of staying on the selected page.

  • JAVA_HOME variable in the hz-mc script: Previously, the hz-mc script did not reference the $JAVA variable at runtime, where it was not used when loading Management Center. This fix ensures that the script consistently references $JAVA, preventing unexpected behavior.

  • The "Create new WAN Replication” button is missing role protection: Previously, the Create new WAN Replication button was shown to roles that did not have permission to execute that action. The fix now makes the button invisible for roles that do not have permission (Read-only and Metrics-only MC roles).

  • Improved contrast ratio in the original console: The contrast of the text against the background was poor in Management Center’s original console and has now been improved to ensure better readability.

  • CLC client config now relies on the list of active members rather than on the initial cluster setup: Every time Management Center initializes CLC, it recreates the config with an up-to-date list of data-member nodes in the cluster based on the current connection. This fixes an issue where, previously, CLC would try to connect to a member that was no longer in the cluster.

  • Unable to update expired license using the hz-mc tool when MC is not running: Resolves an issue in which an expired license could not be replaced using the hz-mc tool when Management Center was shut down.

  • When browsing a map entry, MC can now read the properties of undefined map entries: Resolves an issue where Management Center would display an error when trying to initialize an undefined property.

Security

  • CVE-2025-48924: Resolved https://nvd.nist.gov/vuln/detail/CVE-2025-48924 to fix a vulnerability in Apache Commons Lang that prevents uncontrolled recursions, which could lead to denial of service conditions.

  • CVE-2024-47554: Resolved https://nvd.nist.gov/vuln/detail/CVE-2024-47554 to fix a vulnerability in Apache Commons IO that could excessively consume CPU resources when processing maliciously crafted input, leading to potential denial of service attacks.

  • CVE-2025-22871 - (Go net/http Request Smuggling) in Management Center 5.8.0: Resolved https://nvd.nist.gov/vuln/detail/CVE-2025-22871 to fix a flaw in Go’s standard library net/http package. As CLC does not operate as a server, it was not affected by this vulnerability.

  • CVE-2025-21613 - (go-git Argument Injection): Resolved https://nvd.nist.gov/vuln/detail/CVE-2025-21613 to fix an argument injection vulnerability in go-git dependency. As CLC does not operate as a server, it was not affected by this vulnerability.

  • CVE-2024-45337 - (golang.org/x/crypto SSH Authorization Bypass): Resolved https://nvd.nist.gov/vuln/detail/CVE-2024-45337 to fix an authorization bypass. As CLC does not operate as a server, it was not affected by this vulnerability.

  • Users can now see own role: When signed into Management Center, users are unable to see the role they were assigned when using an external security provider. Their role in Management Center is now visible in the pull-down menu in the upper right corner after the username.

  • License key masked in the logs: The license key is now masked in the log files. Only a few characters at the start and end of the key will be shown in the logs. For example: hazelcast.licensekey=eyJhb***dDw==.

  • Masking sensitive data passed via JAVA_OPTS, such as SSL Store passwords: Sensitive data, including SSL passwords, was being printed within the Management Center logs when passed via JAVA_OPTS. A new option maskOpts has been introduced, that allows you to specify which options should be masked in the logs.

lifebuoy

Help and support