chore(deps): update dependency hashicorp/vault to v1.20.4

This MR contains the following updates:

Package	Update	Change
hashicorp/vault	patch	1.20.3 -> 1.20.4

View the Renovate pipeline for this MR

---

Release Notes

hashicorp/vault (hashicorp/vault)

v1.20.4

Compare Source

September 24, 2025

SECURITY:

• core: Update github.com/ulikunitz/xz to fix security vulnerability GHSA-25xm-hr59-7c27. (ce4b4264)

CHANGES:

• database/snowflake: Update plugin to v0.14.2 (9f06df77)

IMPROVEMENTS:

• Raft: Auto-join will now allow you to enforce IPv4 on networks that allow IPv6 and dual-stack enablement, which is on by default in certain regions. (1fd38796)
• auth/cert: Support RFC 9440 colon-wrapped Base64 certificates in x_forwarded_for_client_cert_header, to fix TLS certificate auth errors with Google Cloud Application Load Balancer. [GH-31501]
• secrets/database (enterprise): Add support for reading, listing, and recovering static roles from a loaded snapshot. Also add support for reading static credentials from a loaded snapshot. (24cd1aa5)
• secrets/ssh: Add support for recovering the SSH plugin CA from a loaded snapshot (enterprise only). (0087af9d)

BUG FIXES:

• auth/cert: Recover from partially populated caches of trusted certificates if one or more certificates fails to load. [GH-31438]
• core: Role based quotas now work for cert auth (fc775dea)
• sys/mounts: enable unsetting allowed_response_headers [GH-31555]
• ui: Fix page loading error when users navigate away from identity entities and groups list views. (81170963)

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻️ Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot.