Dapr open source version support

D3E adds enterprise features while maintaining 100% compatibility with the open-source Dapr APIs and SDKs, so it can serve as a drop-in replacement in your existing systems. Two versions are supported at a time: the current stable version and the previous minor version.

Support Policy

It's your operational responsibility to stay current with supported versions. Upgrading from older versions may require intermediate (off-by-one) upgrades. See Dapr's version support policy for more information.

Supported D3E versions

The following table lists the D3E versions that are currently supported, maps each one to its equivalent open-source version, and notes the additional custom features added per patch. Version numbers use the format <open-source-version>-d3e.<D3E-patch-version>. The associated open-source version is detailed in the Dapr Release Notes.

| D3E version | ARM64 features | AMD64 features | Operating system | Notes |
| --- | --- | --- | --- | --- |
| 1.14.5-d3e.6 | Multi-tenant control plane, namespace isolation, reduced permission set, and configurable automount for sentry service account tokens. | Multi-tenant control plane, namespace isolation, reduced permission set, and configurable automount for sentry service account tokens. | Linux | Cumulative: RBAC flags (global.rbac.crds.enabled, global.rbac.operator.enabled), serviceAccount.automount/serviceAccount.name, Oracle state store BulkGet and connect descriptors (d3e.1). OIDC oidc_private_key_jwt auth for Kafka (d3e.2). PKCS8 private key support (d3e.3). Configurable kid header for Kafka JWT auth (d3e.4). aud claim changed from array to string (d3e.6). |
| 1.15.6-d3e.3 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | Cumulative: serviceAccount.create, serviceAccount.automount, serviceAccount.name (d3e.1). Fix sidecar injector crash when scheduler is disabled (d3e.2). OIDC oidc_private_key_jwt auth for Kafka (d3e.3). |
| 1.15.13-d3e.3 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | Cumulative: Fix APP_API_TOKEN not passed in gRPC metadata for app callbacks, fix Pulsar OAuth token renewal (d3e.1). aud claim changed from array to string (d3e.2). Oracle BulkGet per-key error fix (d3e.3). |
| 1.16.0-d3e.1 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | |
| 1.16.3-d3e.2 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | Cumulative: SFTP binding reconnection fix (d3e.1). aud claim changed from array to string (d3e.2). |
| 1.16.9-d3e.3 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | Cumulative: Go 1.24.13 security fixes, Pulsar PubSub subscription options fix (d3e.1). Signed JWT license key validation with ECDSA P-256 and 90-day grace period (d3e.2). Oracle BulkGet per-key error fix, Go 1.25.7, CVE-2026-24051 fix (d3e.3). |
| 1.16.10-d3e.1 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | Based on upstream Dapr 1.16.10. Pulsar PubSub Avro schema validation, WASM component registration fix, golangci-lint v2 migration. All D3E enterprise patches carried forward. |
| 1.16.12-d3e.1 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | Based on upstream Dapr 1.16.12. RSA certificate support for sentry CA (ECDSA/RSA-2048/RSA-4096). File-based log output for sentry and sidecars (--log-file). Security fixes: CVE-2026-33186 (gRPC auth bypass), CVE-2026-34986 (JWE panic), CVE-2026-39883 (otel SDK). Pulsar Avro/JSON schema fixes, scheduler quorum recovery fix. |
| 1.16.14-d3e.1 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, improved scheduler reliability, RSA certificate support for sentry CA, and file-based log output for sentry and sidecars. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, improved scheduler reliability, RSA certificate support for sentry CA, and file-based log output for sentry and sidecars. | Linux | Based on upstream Dapr 1.16.14. Security fix: service invocation path traversal ACL bypass. Includes v1.16.13 fixes: scheduler streaming reconnection, components-contrib v1.16.12. All D3E enterprise patches carried forward. |
| 1.17.0-d3e.1 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | First D3E release based on Dapr 1.17.0. Includes workflow versioning, state retention policies, bulk PubSub API stabilization, and signed JWT license validation. |
| 1.17.1-d3e.1 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | Based on upstream Dapr 1.17.1. All D3E enterprise patches carried forward. |
| 1.17.2-d3e.1 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | Based on upstream Dapr 1.17.2. Adds EC and PKCS8 private key support for Kafka OIDC private_key_jwt authentication. Go 1.25.8 security fixes. |
| 1.17.3-d3e.2 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | Hotfix: restores sidecar injector service account authorization fallback lost during upstream v1.17.3 merge. All D3E enterprise patches carried forward. |
| 1.17.4-d3e.1 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, and improved scheduler reliability. | Linux | Based on upstream Dapr 1.17.4. RSA certificate support for sentry CA (ECDSA/RSA-2048/RSA-4096). File-based log output for sentry and sidecars (--log-file). Security fixes: CVE-2026-34986 (JWE panic), CVE-2026-39883 (otel SDK). Scheduler streaming reconnection, placement dissemination timeout, workflow ContinueAsNew event fixes, hop-by-hop header stripping. |
| 1.17.5-d3e.1 | Multi-tenant control plane, namespace isolation and reduced permission set, configurable automount for sentry service account tokens, improved scheduler reliability, RSA certificate support for sentry CA, and file-based log output for sentry and sidecars. | Multi-tenant control plane, namespace isolation, reduced permission set, configurable automount for sentry service account tokens, improved scheduler reliability, RSA certificate support for sentry CA, and file-based log output for sentry and sidecars. | Linux | Based on upstream Dapr 1.17.5. Security fix: service invocation path traversal ACL bypass. All D3E enterprise patches carried forward. |

Next steps