security: add item to intended behavior section of security policy (cherry-pick #21430 to version-2026.2) (#21432)

security: add item to intended behavior section of security policy (#21430)

Add section

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
authentik-automation[bot]
2026-04-07 13:50:40 +02:00
committed by GitHub
parent faffabf938
commit 63136f0180
+8 -4
@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
(.x being the latest patch release for each version)
| Version | Supported |
| ---------- | ---------- |
| 2025.12.x | ✅ |
| 2026.2.x | ✅ |
| Version | Supported |
| --------- | --------- |
| 2025.12.x | ✅ |
| 2026.2.x | ✅ |
## Reporting a Vulnerability
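Review bot: The edit to the supported-versions table in this hunk is whitespace-only (the separator row goes from ten dashes to nine in both columns to match the header width) and the listed versions, 2025.12.x and 2026.2.x, are unchanged; that is fine, but since this hunk is unrelated to the new intended-behavior item in the commit title, consider leaving table alignment to the markdown formatter so a security-policy diff contains only the policy change being reviewed.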
@@ -90,6 +90,10 @@ Prompts intentionally allow raw HTML, including script tags, so they can be used
Redirects that only change navigation flow and do not expose session tokens, API keys, or other confidential data are considered acceptable and do not require reporting.
- Outgoing network requests are not filtered.
The destinations of outgoing network requests (HTTP, TCP, etc.) made by authentik to configurable endpoints through objects such as OAuth Sources, SSO Providers, and others are not validated. Depending on your threat model, these requests should be restricted at the network level using appropriate firewall or network policies.
## Disclosure process
1. Report from Github or Issue is reported via Email as listed above.
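Review bot: The new "Outgoing network requests are not filtered." item tells deployers to restrict these requests "depending on your threat model" but does not say what the threat model is, so a reader cannot judge whether it applies to them; consider adding one sentence stating the trust assumption this encodes, namely that anyone permitted to create or edit objects such as OAuth Sources and SSO Providers is trusted to choose the destinations authentik will connect to, and that egress filtering at the firewall or network-policy level is the intended control where that assumption does not hold. Also, the new bullet's explanatory line, like the existing ones in this section, has no indentation under its bullet; if the section relies on a blank line to separate item and explanation, make sure the added lines keep that convention so the rendered list stays consistent.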