website/docs: 2026.5.2 release notes (#22721)

* website/docs: 2026.5.1 release notes

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* spellcheck

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fixup

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* whoops

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

website/docs/releases/2026/v2026.5.md

@@ -3,6 +3,8 @@ title: Release 2026.5
 slug: "/releases/2026.5"
 ---
 
+<!-- spellchecker:ignore fqxr xjjx -->
+
 ## Highlights
 
 - **Account Lockdown**: :ak-enterprise A new panic button for compromised accounts that can immediately cut off access, revoke tokens, end sessions, and leave an audit trail.
@@ -497,6 +499,22 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2026.5
 - web/styles: switch to upstream RedHat variable fonts and brighten orange palette (#21509)
 - web/table: fetch on first render when already visible (cherry-pick #22376 to version-2026.5) (#22438)
 
+## Fixed in 2026.5.1
+
+This release has been skipped.
+
+## Fixed in 2026.5.2
+
+- endpoints/connectors/agent: allow federated auth via ssh hostkey lookup (cherry-pick #22594 to version-2026.5) (#22597)
+- enterprise/providers/scim: fix last_updated for OAuth interactive (cherry-pick #22678 to version-2026.5) (#22700)
+- events: fix Event.log_deprecation not checking that cause is a string (cherry-pick #22598 to version-2026.5) (#22683)
+- packages/ak-common/db: fix certificates options not allowing file paths (cherry-pick #22680 to version-2026.5) (#22685)
+- packages/ak-common/db: fix conn_max_age causing spinning (cherry-pick #22679 to version-2026.5) (#22686)
+- providers/oauth2: fix session decode when upgrading from 2026.2 (cherry-pick #22684 to version-2026.5) (#22692)
+- security: CVE-2026-47201
+- security: GHSA-wr38-7xg8-fqxr
+- security: GHSA-xp7f-xjjx-gwm8
+
 ## API Changes
 
 ### authentik (v 2026.5.0)