update important changes docs

jaireddjawed · jaireddjawed · commit c06dbaf4f768 · 2025-10-16T08:37:03.000-07:00
diff --git a/content/vault/v1.16.x/content/docs/upgrading/upgrade-to-1.16.x.mdx b/content/vault/v1.16.x/content/docs/upgrading/upgrade-to-1.16.x.mdx
@@ -12,7 +12,7 @@ The Vault 1.16.x upgrade guide contains information on deprecations, important
 or breaking changes, and remediation recommendations for anyone upgrading from
 Vault 1.15. **Please read carefully**.
 
-## Breakding changes
+## Breaking changes
 
 @include '../../../global/partials/important-changes/breaking-changes/cve-2025-6000.mdx'
 
diff --git a/content/vault/v1.16.x/content/partials/known-issues/1_16-jwt_auth_bound_audiences.mdx b/content/vault/v1.16.x/content/partials/known-issues/1_16-jwt_auth_bound_audiences.mdx
@@ -8,24 +8,50 @@
 - 1.16.4
 
 #### Issue
-A behavior change was made in the jwt auth plugin to address CVE-2024-5798.
-Since the behavior change was a breaking change, we reverted the change in
-the versions after 1.15.10 and 1.16.4. However, the behavior change will go
-into effect in 1.17.
-
-The new behavior requires that the `bound_audiences` parameter of "jwt" roles
-**must** match at least one of the JWT's associated `aud` claims. The `aud`
-claim can be a single string or a list of strings as per
+
+A behavior change was introduced in the **JWT auth plugin** to address **CVE-2024-5798**.
+Because this change introduced breaking behavior, it was **reverted** in versions **after 1.15.10 and 1.16.4**.
+However, the change was **reintroduced in version 1.17+**.
+
+The updated behavior enforces stricter validation of the `bound_audiences` parameter in JWT roles.
+
+- The `bound_audiences` parameter **must** match at least one of the JWT’s `aud` (audience) claims.
+- The `aud` claim can be a single string or an array of strings, as defined in
 [RFC 7519 Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3).
 
-Users may not be able to log into Vault if the JWT role is configured
-incorrectly. For additional details, refer to the
+Once a JWT is confirmed to be properly signed and not expired, Vault performs additional authorization checks to ensure that configured “bound”
+parameters match the corresponding claims in the token.
+
+For **roles of type `jwt`**:
+
+- The `bound_audiences` parameter is **required** when an `aud` claim is present.
+- The value of `bound_audiences` must **exactly match** at least one of the provided `aud` claims.
+
+Additionally, roles can validate arbitrary claim values using the `bound_claims` map.
+
+```json
+{
+  "division": "Europe",
+  "department": "Engineering"
+}
+```
+
+Only JWTs containing both the "division" and "department" claims, and respective matching values of "Europe" and "Engineering", would be authorized.
+If the expected value is a list, the claim must match one of the items in the list. To limit authorization to a set of email addresses:
+
+```json
+{
+  "email": ["fred@example.com", "julie@example.com"]
+}
+```
+
+For additional details, refer to the
 [JWT auth method (API)](/vault/api-docs/auth/jwt) documentation.
 
 See this [issue](https://github.com/hashicorp/vault/issues/27343) for more details.
 
 #### Workaround
 
 Configure the `bound_audiences` parameter of "jwt" roles to match at least one
-of the JWT's associated `aud` claims. This configuratoin will be required for
+of the JWT's associated `aud` claims. This configuration will be required for
 1.17 and later.
