diff --git a/website/docs/releases/2025/v2025.12.md b/website/docs/releases/2025/v2025.12.md index 8210c45c36..7d825e8137 100644 --- a/website/docs/releases/2025/v2025.12.md +++ b/website/docs/releases/2025/v2025.12.md 
@@ -428,6 +428,53 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.12 - sources/oauth: Fix InvalidAudienceError in id_token fallback (cherry-pick #20096 to version-2025.12) (#20122) - web/admin: fix default binding order (cherry-pick #19943 to version-2025.12) (#19945) +## Fixed in 2025.12.5 + +- core: bump cbor2 from 5.8.0 to 5.9.0 (cherry-pick #21094 to version-2025.12) (#21095) +- core: bump django from 5.2.11 to 5.2.12 (cherry-pick #20719 to version-2025.12) (#20737) +- core: bump django from v5.2.12 to 5.2.13 (cherry-pick #21520 to version-2025.12) (#21525) +- docs: Add note on skipping object syncing (cherry-pick #20882 to version-2025.12) (#20893) +- endpoints: fix infinite recursion in stage with unsupported connector (cherry-pick #20485 to version-2025.12) (#20513) +- enterprise: add `ES384` to enterprise license algorithms (cherry-pick #20507 to version-2025.12) (#20509) +- events: avoid implicitly setting context from login_failed event (cherry-pick #21045 to version-2025.12) (#21049) +- flows: continuous login debug 2025.12 (#21044) +- security: [CVE-2026-40165](../../security/cves/CVE-2026-40165) (#22275) +- security: [CVE-2026-40166](../../security/cves/CVE-2026-40166) (#22276) +- security: [CVE-2026-40172](https://github.com/goauthentik/authentik/security/advisories/GHSA-h6x7-hjjc-wjc9) (#22277) +- security: [CVE-2026-41577](https://github.com/goauthentik/authentik/security/advisories/GHSA-4v4x-x5pr-8gp2) (#22278) +- security: [CVE-2026-42849](../../security/cves/CVE-2026-42849) (#22279) +- internal: Automated internal backport: GHSA-5wcc-hf24-rf5h.sec.patch to authentik-2025.12 (#22280) +- internal: Automated internal backport: GHSA-973w-j457-rp2m.sec.patch to authentik-2025.12 (#22281) +- internal: fix lint (cherry-pick #22263 to version-2025.12) (#22306) +- internal: make http timeouts configurable (cherry-pick #20472 to version-2025.12) (#20566) +- policies: fix PolicyEngineMode ALL with static binding optimization 
(cherry-pick #20430 to version-2025.12) (#20523) +- policies: measure policy process from manager (cherry-pick #20477 to version-2025.12) (#20480) +- providers/oauth2: allow cross provider token introspection for federated providers (cherry-pick #21513 to version-2025.12) (#21747) +- providers/oauth2: clip device authorization scope against the provider's ScopeMapping set (cherry-pick #21701 to version-2025.12) (#21798) +- providers/oauth2: deactivate locale after testing (cherry-pick #20518 to version-2025.12) (#20525) +- providers/oauth2: device code flow client id via auth header (cherry-pick #20457 to version-2025.12) (#21803) +- providers/oauth2: don't auto-set redirect_uri (cherry-pick #21746 to version-2025.12) (#21749) +- providers/proxy: move search path to query instead of runtime parameter (cherry-pick #20662 to version-2025.12) (#20692) +- providers/radius: fix message authenticator validation (cherry-pick #21824 to version-2025.12) (#21827) +- providers/saml: Fix redirect for saml slo (cherry-pick #21258 to version-2025.12) (#21283) +- providers/ldap: avoid concurrent header writes in API Client (cherry-pick #21223 to version-2025.12) (#21227) +- root: do not rely on npm cli for version bump (cherry-pick #20276 to version-2025.12) (#20320) +- root: fix compose generation for patch releases release candidates (cherry-pick #21353 to version-2025.12) (#21354) +- root: update django to 5.2.14 (cherry-pick #22064 to version-2025.12) (#22065) +- sources/ldap: fix exception in ldap debug endpoint (cherry-pick #21219 to version-2025.12) (#21220) +- sources/saml: update handling statusmessage (cherry-pick #19739 to version-2025.12) (#20066) +- stages/user_login: log correct user when session binding is broken (cherry-pick #20094 to version-2025.12) (#20452) +- web: Fix duplicate Turnstile widgets after extended idle (cherry-pick #21380 to version-2025.12) (#21472) +- web: Fix locale selector in compatibility mode. 
(cherry-pick #19946 to version-2025.12) (#20088) +- web: re-update package-lock.json to include missing tree-sitter references +- web/admin: fix missing OSM referrerPolicy header (cherry-pick #20984 to version-2025.12) (#20989) +- web/admin: Fix SCIM page_size UI issue (cherry-pick #20890 to version-2025.12) (#20928) +- web/admin: handle non-string values in formatUUID to prevent Event Log crash (cherry-pick #20804 to version-2025.12) (#21051) +- web/flows: add continuous flow 2025.12 (#20362) +- web/flows: prevent leader tab deadlock in continuous login flow (cherry-pick #21583 to version-2025.12) (#21626) +- web/packages: Rework SFE rendering (cherry-pick #21833 to version-2025.12) (#21851) +- web/sfe: bug: polyfill needed to supply Object.assign() to IE11. (cherry-pick #20126 to version-2025.12) (#20136) + ## API Changes ### authentik (v 2025.12.0-rc1) diff --git a/website/docs/releases/2026/v2026.2.md b/website/docs/releases/2026/v2026.2.md index 39eaa8b150..847d72ccfa 100644 --- a/website/docs/releases/2026/v2026.2.md +++ b/website/docs/releases/2026/v2026.2.md 
@@ -357,6 +357,39 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2026.2 - web/flows: continuous login (cherry-pick #19862 to version-2026.2) (#20712) - web/rbac: disambiguate duplicate permission names in initial permissions (cherry-pick #20786 to version-2026.2) (#20805) +## Fixed in 2026.2.3 + +- blueprints: fix reconcile calling @property (cherry-pick #21576 to version-2026.2) (#21616) +- core: bump django from v5.2.12 to 5.2.13 (cherry-pick #21520 to version-2026.2) (#21526) +- core: fix policy binding objects not being nullable (cherry-pick #21421 to version-2026.2) (#21481) +- core: fix search for app entitlements failing (cherry-pick #21944 to version-2026.2) (#21988) +- endpoints: fix tasks failing (cherry-pick #20904 to version-2026.2) (#21538) +- events: fix `destination_group_obj` not being nullable (cherry-pick #22161 to version-2026.2) (#22165) +- security: [CVE-2026-40165](../../security/cves/CVE-2026-40165) (#22282) +- security: [CVE-2026-40166](../../security/cves/CVE-2026-40166) (#22283) +- security: [CVE-2026-40172](https://github.com/goauthentik/authentik/security/advisories/GHSA-h6x7-hjjc-wjc9) (#22284) +- security: [CVE-2026-41569](../../security/cves/CVE-2026-41569) (#22285) +- security: [CVE-2026-41577](https://github.com/goauthentik/authentik/security/advisories/GHSA-4v4x-x5pr-8gp2) (#22286) +- security: [CVE-2026-42849](../../security/cves/CVE-2026-42849) (#22287) +- internal: Automated internal backport: GHSA-5wcc-hf24-rf5h.sec.patch to authentik-2026.2 (#22288) +- internal: Automated internal backport: GHSA-973w-j457-rp2m.sec.patch to authentik-2026.2 (#22289) +- internal: fix lint (#22263) +- lib/sync/outgoing: avoid expensive query to get number of sync pages (cherry-pick #21575 to version-2026.2) (#21581) +- packages/django-dramatiq-postgres: reset db connections in raise_connection_error (cherry-pick #21577 to version-2026.2) (#21599) +- packages/django-dramatiq-postgres/broker: avoid task processing stopping 
on decode error (cherry-pick #22110 to version-2026.2) (#22127) +- providers/oauth2: allow cross provider token introspection for federated providers (cherry-pick #21513 to version-2026.2) (#21748) +- providers/oauth2: clip device authorization scope against the provider's ScopeMapping set (cherry-pick #21701 to version-2026.2) (#21799) +- providers/oauth2: don't auto-set redirect_uri (cherry-pick #21746 to version-2026.2) (#21750) +- providers/oauth2: fix time logic in refresh_token_threshold (cherry-pick #21537 to version-2026.2) (#21598) +- providers/radius: fix message authenticator validation (cherry-pick #21824 to version-2026.2) (#21828) +- rbac: ensure migration 0056 runs before 0010 removes group field (cherry-pick #21964 to version-2026.2) (#22033) +- release: 2026.2.3-rc1 +- root: update django to 5.2.14 (cherry-pick #22064 to version-2026.2) (#22066) +- tenants/settings: present unset flags as `False` (cherry-pick #22162 to version-2026.2) (#22164) +- web: Fix duplicate Turnstile widgets after extended idle (cherry-pick #21380 to version-2026.2) (#21473) +- web/flows: prevent leader tab deadlock in continuous login flow (cherry-pick #21583 to version-2026.2) (#21627) +- web/packages: Rework SFE rendering (cherry-pick #21833 to version-2026.2) (#21850) + ## API Changes ### authentik (v2026.2.0)
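Review bot: In the `v2025.12.md` hunk, two entries in the new "Fixed in 2025.12.5" list are incomplete: "web: re-update package-lock.json to include missing tree-sitter references" has no PR number, unlike every other line, and "root: fix compose generation for patch releases release candidates" reads as a word dropped out (presumably "patch release release candidates" or "release candidates of patch releases"); both should be fixed before this ships, since the PR number is how readers trace a change. The list is otherwise sorted by area, but "providers/ldap: avoid concurrent header writes in API Client" is placed after "providers/saml" and belongs before the "providers/oauth2" block. Summary capitalization is mixed ("docs: Add note", "providers/saml: Fix redirect", "web/admin: Fix SCIM page_size UI issue" versus the lowercase majority), and "web/sfe: bug: polyfill needed to supply Object.assign() to IE11." carries an extra "bug:" prefix and a trailing period that no other line has. On the security entries, CVE-2026-40172 and CVE-2026-41577 link to GitHub advisories while the other CVEs link to the local `../../security/cves/` pages; pick one target per CVE, and consider giving the two "internal: Automated internal backport: GHSA-… .sec.patch" lines an advisory link or a one-line description, because as written a reader cannot tell what those two patches address.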
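Review bot: In the `v2026.2.md` hunk, the "Fixed in 2026.2.3" list includes "security: [CVE-2026-41569](../../security/cves/CVE-2026-41569) (#22285)", but the 2025.12.5 list earlier in this same patch has no entry for that CVE; please confirm that 2025.12 is unaffected, and if it is not, add the corresponding line there so the two branches' security notes stay in step. "release: 2026.2.3-rc1" is a version-tagging commit rather than a fix and is usually left out of a user-facing "Fixed in" list. The same link inconsistency as in the other file applies here: CVE-2026-40172 and CVE-2026-41577 point at GitHub advisories while the remaining CVEs point at local pages, and the two "internal: Automated internal backport: GHSA-…" entries again give the reader no indication of what was fixed. Minor: "web: Fix duplicate Turnstile widgets after extended idle" and "web/packages: Rework SFE rendering" use a capitalized verb where the rest of the list is lowercase.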