Cerbos PDP v0.52.0/v0.53.0: Engine performance, security hardening, and CEL path functions

Published by Alex Olivier on May 06, 2026

The last two Cerbos releases focus on the parts of the PDP that don't usually make headlines but matter every time a request hits the engine: faster decision generation, tighter security around JWT handling, and a handful of bug fixes that close out long-standing edge cases. v0.52.0 lands meaningful performance work and new CEL path functions, while v0.53.0 hardens the JWT verification flow and resolves a query plan regression introduced in v0.50.

Engine performance

v0.52.0 delivers "significant" optimizations to the internal policy engine data structures. Decision generation is faster, and the PDP consumes less CPU and memory under load. No API changes are required to pick up the improvements; upgrading is enough. We will be publishing an engineering deep dive on this work soon for those who are curious.

CEL path functions

Policy authors can now work with file paths directly inside CEL expressions. v0.52.0 adds:

  • basePath
  • dirPath
  • extPath
  • joinPath
  • pathHasPrefix
  • pathMatch
  • pathMatchAnyOf
  • relPath
  • volumeName

These remove a class of awkward string manipulation when writing rules over file or object-storage paths, where a plain substring prefix check neither respects path segment boundaries nor resolves ".." segments.
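To show why path-aware functions matter for authorization, here is an added Go example (not Cerbos code, and not a Cerbos policy) that puts a naive string prefix check beside a path-aware prefix check, a glob match on the file name, and an extension allowlist, then runs all of them over constructed object-storage paths. It uses Go's path/filepath package to stand in for the checks; the exact signatures and glob dialect of the CEL functions listed above are documented in the Cerbos release notes and are assumed here only by analogy.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveHasPrefix is the string manipulation the path functions are meant to
// replace: the path is treated as an opaque string, so "/data/alice_private"
// and "/data/alice/../bob" both look like they live under "/data/alice".
func naiveHasPrefix(p, prefix string) bool {
	return strings.HasPrefix(p, prefix)
}

// pathHasPrefix is a path-aware prefix check: both sides are cleaned, so
// ".." segments are resolved, and a match only counts on a segment boundary.
func pathHasPrefix(p, prefix string) bool {
	rel, err := filepath.Rel(filepath.Clean(prefix), filepath.Clean(p))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// matchesAny reports whether the file name of p matches any glob pattern,
// the shape a pathMatchAnyOf-style check takes. Go's filepath.Match
// semantics are assumed here; the CEL function's own glob dialect may differ.
func matchesAny(patterns []string, p string) bool {
	name := filepath.Base(filepath.Clean(p))
	for _, pat := range patterns {
		if ok, err := filepath.Match(pat, name); err == nil && ok {
			return true
		}
	}
	return false
}

// readableExt is a constructed allowlist of the kind an extPath rule would use.
var readableExt = map[string]bool{".txt": true, ".md": true}

// canRead is constructed policy logic, not a Cerbos policy: the object must
// sit inside the user's home prefix and carry an allowed extension.
func canRead(user, p string) bool {
	home := filepath.Join("/data", user)
	return pathHasPrefix(p, home) && readableExt[filepath.Ext(filepath.Clean(p))]
}

func main() {
	// Constructed sample paths covering the cases a naive check gets wrong.
	cases := []string{
		"/data/alice/docs/readme.md",    // inside, allowed extension
		"/data/alice/docs/key.pem",      // inside, blocked extension
		"/data/alice_private/notes.txt", // string prefix matches, path does not
		"/data/alice/../bob/notes.txt",  // traversal out of the home prefix
	}
	for _, p := range cases {
		fmt.Printf("%-32s naive=%-5v path-aware=%-5v canRead=%v\n",
			p, naiveHasPrefix(p, "/data/alice"), pathHasPrefix(p, "/data/alice"), canRead("alice", p))
	}
	fmt.Println("log glob:", matchesAny([]string{"*.log", "*.txt"}, "/var/log/app.log"))
}
```

The two rows that differ between the naive and path-aware columns are the ones that matter: a sibling directory that happens to share a string prefix, and a ".." segment that walks out of the prefix. Whichever functions a policy uses, the check to run before shipping it is exactly those two inputs.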

Hub authentication

A new cerbosctl hub auth command stores Cerbos Hub credentials securely in the operating system's key ring. Subsequent hub commands pick up the saved credentials automatically, removing the need to re-authenticate or pass tokens through environment variables for every invocation.

Audit log enhancements

Audit log entries now carry version metadata, including the commit hash and bundle ID of the policies in effect, making it easier to correlate decisions with the exact policy artefact that produced them. This is particularly useful for teams running multiple bundle versions across environments or investigating decisions after a rollout.

Security: JWT verification cache removed

v0.53.0 removes the in-memory cache for verified JWTs. The cache avoided repeating signature verification for tokens that had already been seen, but it has been retired because "an attacker could inject a tampered token with the same signature as an already verified token and influence policy decisions that rely on token information." In other words, a cache hit could be served for a token whose header or payload had been altered but whose signature segment still matched a previously verified token, so the claims the engine evaluated no longer corresponded to anything that had actually been signed.

This is not classified as a vulnerability: the PDP's threat model assumes trusted calling applications. Even so, the cache was removed "out of an abundance of caution." If your deployment relied on the cache for performance, expect every request that carries a JWT to pay for a full signature check, and size your PDP accordingly.
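The failure mode described above, as an added Go example that is not Cerbos code and does not reproduce the removed cache's implementation: a toy HS256 issuer mints a token, a strict verifier recomputes the MAC on every call, and a deliberately flawed verifier remembers signatures it has already accepted and trusts whatever payload arrives with a remembered signature. The signing key, the claims and the cache shape are all constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed demo key; a real PDP would use the issuer's JWKS.
var key = []byte("constructed-demo-key-do-not-reuse")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mac computes the HS256 tag over "header.payload".
func mac(signingInput string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// sign mints a compact HS256 JWT for the claims (toy issuer for the demo).
func sign(claims map[string]any) string {
	payload, _ := json.Marshal(claims)
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return input + "." + b64(mac(input))
}

// decodeClaims parses the payload segment and checks nothing else.
func decodeClaims(payloadSeg string) (map[string]any, error) {
	payload, err := base64.RawURLEncoding.DecodeString(payloadSeg)
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// verify is the safe path: every call recomputes the MAC over the exact
// header and payload that arrived, so a modified payload never passes.
func verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(sig, mac(parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	return decodeClaims(parts[1])
}

// sigCachedVerifier is the flawed pattern: it remembers signatures seen on a
// valid token and, on a hit, skips the MAC and trusts the accompanying payload.
type sigCachedVerifier struct{ seen map[string]bool }

func newSigCachedVerifier() *sigCachedVerifier {
	return &sigCachedVerifier{seen: map[string]bool{}}
}

func (v *sigCachedVerifier) verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	if v.seen[parts[2]] {
		return decodeClaims(parts[1]) // cache hit: signature not re-checked
	}
	claims, err := verify(token)
	if err != nil {
		return nil, err
	}
	v.seen[parts[2]] = true
	return claims, nil
}

// tamper keeps the header and signature of token but swaps in new claims:
// the token an attacker submits once a legitimate one has warmed the cache.
func tamper(token string, claims map[string]any) string {
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(claims)
	return parts[0] + "." + b64(payload) + "." + parts[2]
}

func main() {
	legit := sign(map[string]any{"sub": "alice", "role": "viewer"})
	forged := tamper(legit, map[string]any{"sub": "alice", "role": "admin"})
	cached := newSigCachedVerifier()
	cached.verify(legit) // warms the cache with the legitimate signature
	_, strictErr := verify(forged)
	cachedClaims, cachedErr := cached.verify(forged)
	fmt.Println("strict verify of forged token:", strictErr)
	fmt.Println("cached verify of forged token:", cachedClaims, cachedErr)
}
```

The strict verifier rejects the forgery with a signature error; the signature-keyed cache returns role "admin" with no error, and any policy condition on that claim now runs on attacker-chosen data. Keying a cache on the whole token string rather than the signature alone would close this particular substitution, but Cerbos chose to drop the cache entirely, which also removes the question of what else a cached entry might be trusted for.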

Bug fixes

Both releases include several fixes worth calling out:

  • Query plan scope overrides (v0.53.0): A regression introduced in v0.50 caused PlanResources to return KIND_ALWAYS_DENIED when an unconditional DENY at a parent scope was overridden by a child scope using SCOPE_PERMISSIONS_OVERRIDE_PARENT. The override now applies correctly.
  • Streaming Content-Type (v0.53.0): ListAuditLogEntries now returns application/x-ndjson for its newline-delimited JSON responses, fixing rendering in API explorer UIs.
  • Role policy deletion (v0.52.0): Deleted role policies no longer retain parent role relationships in the index after removal.
  • Directory watch (v0.52.0): Renaming a policy file no longer drops it from the index.

Breaking change: OpenTelemetry Semantic Conventions

v0.52.0 upgrades to OpenTelemetry Semantic Conventions 1.39.0. Some span and metric attributes have been renamed or restructured, which may affect existing dashboards, alerts, and trace queries. Review your observability configuration before upgrading and update any queries that reference attribute names that have changed upstream.

Upgrade notes

  • You can upgrade straight to v0.53.0 from any v0.51.x release; it includes everything in v0.52.0.
  • Audit any custom dashboards or alerts that depend on OpenTelemetry attribute names.
  • If you're running policies that rely on JWT claims at high request rates, confirm your PDP has headroom for the additional verification work now that the cache is gone.

For the full changelogs, see the v0.52.0 release notes and the v0.53.0 release notes.

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team