
What's New in HiveMQ 4.53?

by HiveMQ Team

The HiveMQ team is excited to announce the release of HiveMQ Enterprise MQTT Platform 4.53. This release adds SASL/OAUTHBEARER authentication support to the HiveMQ Enterprise Extension for Kafka and QoS 1 delivery guarantees to the HiveMQ Data Lake Extension. 4.53 also introduces runtime deprecation warnings for the APIs and bridge extension configurations that change in the next LTS, Control Center v2 enhancements, and broker fixes and improvements.

Highlights

  • SASL/OAUTHBEARER Authentication Support in the HiveMQ Enterprise Extension for Kafka
  • QoS 1 Message Delivery with the HiveMQ Enterprise Data Lake Extension

TIP: HiveMQ 4.53 introduces runtime deprecation warnings to flag the APIs and bridge extension configurations that will change in the upcoming LTS release. See Get a Head Start on Your LTS Upgrade for details.

NOTE: HiveMQ 4.53 updates the HiveMQ Enterprise Extension for Kafka client version to Kafka client 4.2. The new Kafka client version requires a minimum Kafka broker version of 2.1. Starting with HiveMQ 4.53, Kafka version 2.1 is the new minimum requirement.

SASL/OAUTHBEARER Authentication in the HiveMQ Enterprise Extension for Kafka

HiveMQ 4.53 adds a new authentication option to the HiveMQ Enterprise Extension for Kafka. SASL/OAUTHBEARER authentication provides secure, OAuth 2.0-compliant access to your Apache Kafka clusters. This mechanism enables the OAuth 2.0 framework in a non-HTTP context and is defined in RFC 7628.

How it works

When you enable the SASL/OAUTHBEARER authentication mechanism, the HiveMQ Enterprise Extension for Kafka requests a bearer token from the configured token endpoint and presents it to the Kafka brokers.

Example SASL/OAUTHBEARER authentication configuration:

    <kafka-clusters>
        <kafka-cluster>
            ...
            <authentication>
                <oauthbearer>
                    <token-endpoint-url>https://auth.example.com/oauth2/token</token-endpoint-url>
                    <client-id>kafka-client</client-id>
                    <client-secret>${ENV:KAFKA_OAUTH_CLIENT_SECRET}</client-secret>
                    <scope>kafka</scope>
                </oauthbearer>
            </authentication>
        </kafka-cluster>
    </kafka-clusters>
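
A pre-deployment check for the oauthbearer block shown above, as an added example that is not HiveMQ code: it flags a token endpoint that is not HTTPS and a client secret written into the file instead of a `${ENV:...}` placeholder. The function name `lint_oauthbearer`, the choice of required elements, and both policy rules are assumptions of this example, not rules enforced by the extension.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the page's example with two deliberate mistakes.
WEAK_CONFIG = """
<kafka-clusters>
    <kafka-cluster>
        <authentication>
            <oauthbearer>
                <token-endpoint-url>http://auth.example.com/oauth2/token</token-endpoint-url>
                <client-id>kafka-client</client-id>
                <client-secret>s3cr3t-in-plain-text</client-secret>
                <scope>kafka</scope>
            </oauthbearer>
        </authentication>
    </kafka-cluster>
</kafka-clusters>
"""
# The same values as the example on the page.
GOOD_CONFIG = WEAK_CONFIG.replace("http://", "https://").replace(
    "s3cr3t-in-plain-text", "${ENV:KAFKA_OAUTH_CLIENT_SECRET}")

ENV_PLACEHOLDER = re.compile(r"^\$\{ENV:[A-Za-z_][A-Za-z0-9_]*\}$")
REQUIRED = ("token-endpoint-url", "client-id", "client-secret")  # assumed set


def lint_oauthbearer(xml_text):
    """Return a list of findings, one per problem in each <oauthbearer> block."""
    findings = []
    for idx, block in enumerate(ET.fromstring(xml_text).iter("oauthbearer"), 1):
        values = {tag: (block.findtext(tag) or "").strip() for tag in REQUIRED}
        for tag, value in values.items():
            if not value:
                findings.append(f"oauthbearer block {idx}: <{tag}> is missing or empty")
        url = values["token-endpoint-url"]
        if url and not ENV_PLACEHOLDER.match(url) and urlparse(url).scheme != "https":
            findings.append(f"oauthbearer block {idx}: token endpoint is not https; "
                            "the client secret and token would travel in clear text")
        secret = values["client-secret"]
        if secret and not ENV_PLACEHOLDER.match(secret):
            findings.append(f"oauthbearer block {idx}: client secret is a literal; "
                            "use a ${ENV:...} placeholder")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(name, lint_oauthbearer(cfg) or "no findings")
```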
  

How it helps

SASL/OAUTHBEARER authentication gives you another way to secure access to your Kafka clusters. You can use this new option to integrate with identity and access management systems such as Keycloak, Okta, and MS Entra ID. For details, see our documentation.

HiveMQ Enterprise Data Lake Extension Adds QoS 1 Message Guarantees

HiveMQ 4.53 adds QoS 1 message guarantees to the HiveMQ Enterprise Data Lake Extension. The extension writes MQTT messages into Parquet files and uploads them to AWS S3 or Azure Blob storage. If the file upload fails, QoS 1 messages are retried in subsequent uploads. Standard HiveMQ extension queuing applies if the connection to AWS S3 or Azure Blob storage is interrupted.

How it works

The Data Lake extension now retries QoS 1 messages when a failure occurs to guarantee at-least-once delivery. For example, if an upload fails with a duplicate file exception, the extension appends a unique timestamp to the file name and retries the upload.

How it helps

The extension now applies the appropriate guarantee to each service level. QoS 0 messages are not retried on failure. QoS 1 messages are retried until they are delivered, which prevents data loss during temporary failures. For details, see our documentation.

Get a Head Start on Your LTS Upgrade

The next HiveMQ LTS release will introduce breaking changes in the HiveMQ Enterprise Extension SDK and HiveMQ Enterprise Bridge Extension configuration. To give operators and extension authors clear, actionable warnings before they upgrade, HiveMQ 4.53 logs deprecation notices at runtime for each API or configuration affected.

How it works

When you call a deprecated Enterprise Extension SDK method, the HiveMQ broker logs a warning that identifies the method and the upcoming change. The 4.53 release covers the following methods:

  • ControlCenterService.addView() and ControlCenterService.addViews(): removed in the next LTS as part of the Control Center v1 retirement.
  • LoginLoadOutput.showLoginComponents(): removed in the next LTS as part of the Control Center v1 retirement.
  • RestServicePerExtension.setRestApplication(): extensions that register a RestApplication currently depend on javax.ws.rs (JAX-RS 2.x). When HiveMQ migrates to Jakarta EE 10, these extensions will break unless you update them to the Jakarta package namespace.

The HiveMQ Enterprise Bridge Extension adds a startup warning that TLS hostname verification will be enabled by default with the next HiveMQ LTS release. The warning names the affected bridge client and the target hostname, so you can update the certificate or hostname configuration before you upgrade to the next HiveMQ LTS.

How it helps

Silent breaking changes are the most difficult to plan for. HiveMQ 4.53 logs these warnings to give you a clear inventory of what needs attention in your extensions and bridge configurations before the next LTS release. Early notification helps you prioritize work, coordinate with extension authors, and prepare for the LTS upgrade on your own schedule.

More Noteworthy Features and Improvements

HiveMQ Enterprise MQTT Broker

  • Increased the receive buffer size for HiveMQ bridge client connections.
  • Fixed a rare merge replication condition that could cause dropped messages.
  • Fixed an endless retry loop that occurred while the broker read inflight messages from a client queue.
  • Added TCP memory metrics (com.hivemq.system.os.network.tcp.memory.pages.used and com.hivemq.system.os.network.tcp.memory.pages.max) to monitor current TCP memory usage and the configured system limit on Linux deployments.
  • Improved diagnostic archive security by automatically redacting the values of environment variables and JVM system properties whose key names contain sensitive terms.
  • Added an option to designate the bootstrap node for Data Intelligence clustering, using the environment variable HIVEMQ_CLUSTERING_BOOTSTRAP or the JVM system property hivemq.clustering.bootstrap.

HiveMQ Enterprise Bridge Extension

  • Added a configuration option to enable TLS hostname verification.

HiveMQ Enterprise Security Extension

  • Fixed incorrect target tables for several indexes and triggers in the packaged SQL create scripts for PostgreSQL and MySQL.

HiveMQ Control Center v2

  • Expanded the Clients tab of the Dropped Messages details view to include the Data Hub Policy Prevented drop reason.
  • Enabled the sidebar and main content to scroll independently.
  • Adjusted the truncation of long client IDs on the Client Search page to improve readability.

HiveMQ Enterprise Extension for Kafka

  • Upgraded the Kafka client library, which raises the minimum supported Kafka broker version to 2.1.
  • Added the max-retries and add-default-providers configuration options to manage retry behavior and default providers in the AWS credential authentication flow.

HiveMQ Enterprise Extension for Snowflake

  • Added a metric that tracks Snowflake connection issues caused by invalid or closed channels.

Get Started Today

To upgrade HiveMQ from a previous version, follow the steps in the HiveMQ Upgrade Guide and review the Known Issues section for any considerations that could affect your deployment.

To learn more about all the features the HiveMQ Enterprise MQTT Broker offers, explore the HiveMQ User Guide.

HiveMQ Team

Team HiveMQ brings together deep expertise in MQTT, Industrial AI, IoT data streaming, UNS, and Industrial IoT protocols. Follow us for practical deployment guidance, best practices for building a secure, reliable data backbone, and insights into how we are shaping the future of connected industries.

Our mission is to transform industrial data into real-time intelligence, actionable insights, and measurable business outcomes.
