authentik-automation[bot]
d7dedc86d2
release: 2026.2.4
version/2026.2.4
2026-05-28 15:02:04 +00:00
authentik-automation[bot]
0bdb728540
security: automated internal backport of patch GHSA-xp7f-xjjx-gwm8.sec.patch to authentik-2026.2 (#22728)
2026-05-28 14:15:42 +00:00
authentik-automation[bot]
f2ddd2ac0b
security: automated internal backport of patch GHSA-wr38-7xg8-fqxr.sec.patch to authentik-2026.2 (#22727)
2026-05-28 14:15:11 +00:00
authentik-automation[bot]
1224296fe1
security: automated internal backport of patch GHSA-c3m2-jqmq-pvp3.sec.patch to authentik-2026.2 (#22726)
2026-05-28 14:14:59 +00:00
Simonyi Gergő
fbc8fdd807
tenants: fix test teardown (version-2026.2) (#22715)
2026-05-28 11:51:28 +00:00
Jens L.
52c0f8f4af
ci: fix docs not having correct js version setup (2026.2) (#22716)
2026-05-28 11:50:52 +00:00
Jens L.
ff0951d8fe
core: fix filter_not_expired not accepting positional arguments (#22690)
2026-05-27 22:43:09 +02:00
authentik-automation[bot]
d9f7b5c45a
providers/radius: fix eap debug logging (cherry-pick #22551 to version-2026.2) (#22578)
2026-05-26 23:31:29 +02:00
authentik-automation[bot]
eb5551abd9
endpoints/connectors/agent: allow federated auth via ssh hostkey lookup (cherry-pick #22594 to version-2026.2) (#22596)
2026-05-26 23:31:09 +02:00
authentik-automation[bot]
df663b16de
core: bump goauthentik/fips-python from 3.14.3-slim-trixie-fips to 3.14.5-slim-trixie-fips in /lifecycle/container (cherry-pick #22518 to version-2026.2) (#22528)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2026-05-21 14:38:18 +02:00
authentik-automation[bot]
d9846e1de8
website/docs: add global to values.yaml snippets and update version (cherry-pick #22524 to version-2026.2) (#22530)
website/docs: add global to values.yaml snippets and update version (#22524)
Add global to values.yaml snippets and update version
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
2026-05-21 11:50:39 +00:00
authentik-automation[bot]
5741e25c6a
outposts: fix stale version in OutpostState (cherry-pick #22487 to version-2026.2) (#22504)
outposts: fix stale version in OutpostState (#22487)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-05-20 18:09:46 +02:00
authentik-automation[bot]
9a35e8b00a
enterprise/stages/mtls: attempt fix freezegun (cherry-pick #22474 to version-2026.2) (#22500)
enterprise/stages/mtls: attempt fix freezegun (#22474)
* enterprise/stages/mtls: attempt fix freezegun
* emil's fix
* Revert "enterprise/stages/mtls: attempt fix freezegun"
This reverts commit 8963dac3bc.
* format
* Reapply "enterprise/stages/mtls: attempt fix freezegun"
This reverts commit 090ab760b6.
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-05-20 14:42:16 +02:00
authentik-automation[bot]
32122d7f43
enterprise/stages/mtls: freeze time for expired certs (cherry-pick #22411 to version-2026.2) (#22414)
enterprise/stages/mtls: freeze time for expired certs (#22411)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-05-18 18:53:30 +02:00
authentik-automation[bot]
7cc6101f76
website/docs: fix email link in CVE-2026-40166 (cherry-pick #22331 to version-2026.2) (#22333)
website/docs: fix email link in CVE-2026-40166 (#22331)
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2026-05-13 16:59:48 +02:00
authentik-automation[bot]
3987378058
endpoints: remove print line (cherry-pick #22325 to version-2026.2) (#22326)
endpoints: remove `print` line (#22325)
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
2026-05-13 13:50:53 +02:00
authentik-automation[bot]
095e2897d5
release: 2026.2.3
version/2026.2.3
2026-05-12 19:54:00 +00:00
authentik-automation[bot]
8f349f4239
website/docs: release notes for 2025.12.5 and 2026.2.3 (cherry-pick #22310 to version-2026.2) (#22312)
* website/docs: release notes for 2025.12.5 and 2026.2.3 (#22310)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix typo
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-05-12 21:11:41 +02:00
authentik-automation[bot]
6a33e842c6
internal: Automated internal backport: GHSA-5wcc-hf24-rf5h.sec.patch to authentik-2026.2 (#22288)
Automated internal backport of patch GHSA-5wcc-hf24-rf5h.sec.patch to authentik-2026.2
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 20:13:03 +02:00
authentik-automation[bot]
c63fb676aa
internal: Automated internal backport: CVE-2026-40165.sec.patch to authentik-2026.2 (#22282)
Automated internal backport of patch CVE-2026-40165.sec.patch to authentik-2026.2
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 19:35:27 +02:00
authentik-automation[bot]
441f65c9e4
internal: Automated internal backport: CVE-2026-40166.sec.patch to authentik-2026.2 (#22283)
Automated internal backport of patch CVE-2026-40166.sec.patch to authentik-2026.2
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 19:35:22 +02:00
authentik-automation[bot]
c4b8c7f25e
internal: Automated internal backport: CVE-2026-40172.sec.patch to authentik-2026.2 (#22284)
Automated internal backport of patch CVE-2026-40172.sec.patch to authentik-2026.2
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 19:35:16 +02:00
authentik-automation[bot]
2a988bf855
internal: Automated internal backport: CVE-2026-41569.sec.patch to authentik-2026.2 (#22285)
Automated internal backport of patch CVE-2026-41569.sec.patch to authentik-2026.2
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 19:35:10 +02:00
authentik-automation[bot]
8f13d81a9f
internal: Automated internal backport: CVE-2026-41577.sec.patch to authentik-2026.2 (#22286)
Automated internal backport of patch CVE-2026-41577.sec.patch to authentik-2026.2
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 19:35:04 +02:00
authentik-automation[bot]
c1ada8edc0
internal: Automated internal backport: CVE-2026-42849.sec.patch to authentik-2026.2 (#22287)
Automated internal backport of patch CVE-2026-42849.sec.patch to authentik-2026.2
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 19:34:57 +02:00
authentik-automation[bot]
b3529b4fd5
internal: Automated internal backport: GHSA-973w-j457-rp2m.sec.patch to authentik-2026.2 (#22289)
Automated internal backport of patch GHSA-973w-j457-rp2m.sec.patch to authentik-2026.2
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 19:34:51 +02:00
Simonyi Gergő
19f42edd29
internal: fix lint (#22263)
2026-05-12 13:06:44 +02:00
authentik-automation[bot]
2915c252ea
events: fix destination_group_obj not being nullable (cherry-pick #22161 to version-2026.2) (#22165)
* Cherry-pick #22161 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #22161
Original commit: e220d8e29b
* fix conflicts
---------
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Simonyi Gergő <gergo@goauthentik.io>
2026-05-12 10:00:15 +02:00
authentik-automation[bot]
3013818d47
tenants/settings: present unset flags as False (cherry-pick #22162 to version-2026.2) (#22164)
* Cherry-pick #22162 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #22162
Original commit: 9f613a3337
* fix conflict
* fixup! fix conflict
---------
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Simonyi Gergő <gergo@goauthentik.io>
2026-05-12 09:59:55 +02:00
authentik-automation[bot]
56826a6a65
packages/django-dramatiq-postgres/broker: avoid task processing stopping on decode error (cherry-pick #22110 to version-2026.2) (#22127)
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2026-05-07 18:37:38 +02:00
authentik-automation[bot]
417e8b8538
root: update django to 5.2.14 (cherry-pick #22064 to version-2026.2) (#22066)
Cherry-pick #22064 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #22064
Original commit: 6be7b2f7b7
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-05-06 17:58:03 +02:00
authentik-automation[bot]
7af9e98079
rbac: ensure migration 0056 runs before 0010 removes group field (cherry-pick #21964 to version-2026.2) (#22033)
fix(rbac): ensure migration 0056 runs before 0010 removes group field (#21964)
fix(rbac): ensure migration 0056 runs before group field is removed
Migration 0010 removes the `group` FK from the Role model, but
migration 0056 (authentik_core) queries `group_id` on Role as part of
a data migration to move guardian permissions to RBAC roles.
When upgrading from 2025.x, Django's migration executor can schedule
0010 before 0056 because neither depends on the other — only 0056
depends on 0008. This causes a FieldError at runtime:
Cannot resolve keyword 'group_id' into field.
Adding 0056 as a dependency of 0010 enforces the correct ordering:
the data migration that reads `group_id` must complete before the
schema migration that removes it.
Co-authored-by: Chris <cxm6467@gmail.com>
2026-05-04 18:06:55 +02:00
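The ordering bug described in the commit message above can be checked mechanically: an executor that only honours declared dependencies is free to emit any topological order, so a migration that reads a column must transitively depend on every migration that would otherwise drop it. The block below is an added illustration, not authentik's or Django's code. It models only the edges the commit message names (0056 depends on 0008; 0010 originally depends on nothing that orders it after 0056) with constructed node labels, and asks whether an order exists in which the schema migration could run before the data migration, before and after the extra dependency is added.

```python
"""Check whether a Django-style migration graph admits an unsafe order.

Added illustration, not authentik's or Django's code. Node labels are
constructed stand-ins for the migrations named in the commit message;
the graph contains only the edges that message describes.
"""
from collections import deque

Graph = dict[str, set[str]]  # node -> set of nodes it declares as dependencies


def depends_on(graph: Graph, node: str, target: str) -> bool:
    """True if `node` transitively depends on `target`, i.e. an executor
    honouring declared dependencies must run `target` before `node`."""
    seen: set[str] = set()
    queue = deque([node])
    while queue:
        current = queue.popleft()
        for dep in graph.get(current, ()):
            if dep == target:
                return True
            if dep not in seen:  # guards against revisiting shared ancestors
                seen.add(dep)
                queue.append(dep)
    return False


def unsafe_order_possible(graph: Graph, reader: str, remover: str) -> bool:
    """The executor may schedule `remover` (drops the column) before
    `reader` (reads the column) unless `remover` depends on `reader`."""
    return not depends_on(graph, remover, reader)


def with_dependency(graph: Graph, node: str, dep: str) -> Graph:
    """Return a copy of the graph with one extra dependency edge."""
    new = {k: set(v) for k, v in graph.items()}
    new.setdefault(node, set()).add(dep)
    return new


# Constructed graph (assumed labels): the data migration depends on 0008,
# the schema migration declares no dependency that orders it after 0056.
BEFORE_FIX: Graph = {
    "authentik_core.0056": {"authentik_core.0008"},
    "authentik_rbac.0010": set(),
}
# The fix from the commit message: make 0010 depend on 0056.
AFTER_FIX: Graph = with_dependency(BEFORE_FIX, "authentik_rbac.0010", "authentik_core.0056")

if __name__ == "__main__":
    reader, remover = "authentik_core.0056", "authentik_rbac.0010"
    print("unsafe order possible before fix:", unsafe_order_possible(BEFORE_FIX, reader, remover))
    print("unsafe order possible after fix:", unsafe_order_possible(AFTER_FIX, reader, remover))
```

The same check is worth keeping as a unit test in any project whose data migrations read columns that later schema migrations remove: it fails the moment someone deletes the dependency again.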
authentik-automation[bot]
51901c82ba
core: fix search for app entitlements failing (cherry-pick #21944 to version-2026.2) (#21988)
Co-authored-by: Jens L. <jens@goauthentik.io>
fix search for app entitlements failing (#21944)
2026-04-30 11:59:01 +00:00
authentik-automation[bot]
ff653005e4
web/packages: Rework SFE rendering (cherry-pick #21833 to version-2026.2) (#21850)
* Cherry-pick #21833 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #21833
Original commit: b66024f26f
* fix conflict
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-04-27 14:41:38 +02:00
authentik-automation[bot]
9b64d05e35
providers/radius: fix message authenticator validation (cherry-pick #21824 to version-2026.2) (#21828)
providers/radius: fix message authenticator validation (#21824)
* providers/radius: fix message authenticator validation
* fix panic
* send message auth
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-04-25 21:13:53 +02:00
authentik-automation[bot]
99a93fa8a2
website/docs: improve social login docs titles (cherry-pick #21816 to version-2026.2) (#21818)
website/docs: improve social login docs titles (#21816)
* website/docs: improve social login docs titles
* sigh twitter
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
2026-04-24 15:58:48 +00:00
authentik-automation[bot]
bd2a0e1d7d
providers/oauth2: clip device authorization scope against the provider's ScopeMapping set (cherry-pick #21701 to version-2026.2) (#21799)
providers/oauth2: clip device authorization scope against the provider's ScopeMapping set (#21701)
* providers/oauth2: clip device authorization scope against the provider's ScopeMapping set
DeviceView.parse_request stored the raw request scope straight onto the
DeviceToken:
self.scopes = self.request.POST.get("scope", "").split(" ")
...
token = DeviceToken.objects.create(..., _scope=" ".join(self.scopes))
The token-exchange side then reads those scopes back directly:
if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
refresh_token = RefreshToken(...)
...
so a caller that adds offline_access to the device authorization
request body gets a refresh_token at the exchange, even when the
provider has no offline_access ScopeMapping configured. Every other
grant type clips scope against ScopeMapping for the provider inside
TokenParams.__check_scopes, but the device authorization endpoint
runs before TokenParams is ever constructed, so the clip never
happens for the device flow.
Combined with #20828 (missing client_secret verification on device
code exchange for confidential clients, now being fixed separately)
and the lack of per-app opt-out for the device flow, this gives any
caller that knows the client_id a path to an offline refresh token
against any OIDC application the deployment exposes.
Intersect the requested scope set with the provider's ScopeMapping
names before we ever persist the DeviceToken. offline_access that is
not configured is silently dropped, matching __check_scopes on the
other grant types. Configured offline_access still flows through
unchanged.
Fixes #20825
* rework and add tests
---------
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Sai Asish Y <say.apm35@gmail.com>
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-04-23 15:25:14 +02:00
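The commit message above quotes the two sides of the bug: the device authorization endpoint persisted the caller's raw `scope` parameter, and the token exchange later granted a refresh token whenever `offline_access` was present in it. The block below is an added illustration of that before/after, not authentik's code: the `Provider` and `DeviceToken` classes, the constructed provider with no `offline_access` ScopeMapping, and the function names are simplified stand-ins for the real Django models and views. It shows the unclipped path handing out a refresh token for a scope the provider never configured, and the clipped path (intersecting the request with the provider's ScopeMapping names before anything is persisted) silently dropping it while still passing a configured `offline_access` through unchanged.

```python
"""Scope clipping for the OAuth2 device authorization flow.

Added illustration, not authentik's code. Provider, DeviceToken and the
two device_token_* functions are simplified stand-ins for the real
models and views; only the behaviour described in the commit message
(raw scope persisted vs. scope intersected with ScopeMappings) is modelled.
"""
from dataclasses import dataclass, field

SCOPE_OFFLINE_ACCESS = "offline_access"


@dataclass(frozen=True)
class Provider:
    """Stand-in for an OAuth2 provider and the names of its ScopeMappings."""
    client_id: str
    scope_mappings: frozenset[str]


@dataclass
class DeviceToken:
    """Stand-in for the persisted device token; `scope` is what the
    token-exchange step reads back later."""
    scope: list[str] = field(default_factory=list)

    @property
    def grants_refresh_token(self) -> bool:
        # Mirrors the exchange-side check quoted in the commit message:
        # a refresh token is issued whenever offline_access is in the stored scope.
        return SCOPE_OFFLINE_ACCESS in self.scope


def parse_scope_param(raw: str) -> list[str]:
    """Split the space-delimited `scope` request parameter, dropping empties."""
    return [s for s in raw.split(" ") if s]


def device_token_vulnerable(provider: Provider, raw_scope: str) -> DeviceToken:
    """Before the fix: the caller's scope string is stored unchanged.
    `provider` is accepted but never consulted, which is exactly the bug."""
    return DeviceToken(scope=parse_scope_param(raw_scope))


def clip_scopes(requested: list[str], configured: frozenset[str]) -> list[str]:
    """Keep only the requested scopes the provider actually maps, preserving
    request order and collapsing duplicates. Unknown scopes are dropped
    silently, matching what the commit says __check_scopes does elsewhere."""
    seen: set[str] = set()
    clipped: list[str] = []
    for scope in requested:
        if scope in configured and scope not in seen:
            seen.add(scope)
            clipped.append(scope)
    return clipped


def device_token_fixed(provider: Provider, raw_scope: str) -> DeviceToken:
    """After the fix: intersect with the provider's ScopeMappings before persisting."""
    return DeviceToken(scope=clip_scopes(parse_scope_param(raw_scope), provider.scope_mappings))


if __name__ == "__main__":
    # Constructed provider: openid/email/profile are mapped, offline_access is not.
    prov = Provider("demo-client", frozenset({"openid", "email", "profile"}))
    attacker_scope = "openid email offline_access"
    print("vulnerable grants refresh token:",
          device_token_vulnerable(prov, attacker_scope).grants_refresh_token)
    print("fixed grants refresh token:",
          device_token_fixed(prov, attacker_scope).grants_refresh_token)
```

The practical takeaway for anyone auditing a token endpoint is the second half of the commit's reasoning: every grant type that constructs `TokenParams` gets clipping for free, so any endpoint that stores scope before that point needs its own intersection, and a test that requests an unconfigured `offline_access` through each such endpoint is the quickest way to find the ones that do not.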
authentik-automation[bot]
c4d455dd3a
website/docs: add authorization header info to all proxy configs (cherry-pick #21664 to version-2026.2) (#21786)
website/docs: add authorization header info to all proxy configs (#21664)
Add authorization header info to all proxy configs
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
2026-04-23 11:52:05 +00:00
Jens L.
508dba6a04
ci: fix postgres path for postgres 18 tests (2026.2) (#21767) (#21789)
ci: fix postgres path for postgres 18 tests (#21767)
* ci: test migrations-from-stable failing
* fix postgres path
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-04-23 10:40:38 +02:00
authentik-automation[bot]
aa921dcdca
providers/oauth2: don't auto-set redirect_uri (cherry-pick #21746 to version-2026.2) (#21750)
Cherry-pick #21746 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #21746
Original commit: 189056e19a
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-04-21 18:20:15 +02:00
authentik-automation[bot]
e5d873c129
providers/oauth2: allow cross provider token introspection for federated providers (cherry-pick #21513 to version-2026.2) (#21748)
Cherry-pick #21513 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #21513
Original commit: c84c8d86f8
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-04-21 17:20:01 +02:00
authentik-automation[bot]
f0a14d380f
web/flows: prevent leader tab deadlock in continuous login flow (cherry-pick #21583 to version-2026.2) (#21627)
web/flows: prevent leader tab deadlock in continuous login flow (#21583)
* prevent leader tab deadlock in continuous login flow
* web: Continuous login tidy.
---------
Co-authored-by: Ryan Pesek <44002516+ryanpesek@users.noreply.github.com>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
2026-04-16 13:22:30 +00:00
authentik-automation[bot]
1da15a549e
website/docs: remove broken version tag from oauth doc (cherry-pick #21628 to version-2026.2) (#21629)
website/docs: remove broken version tag from oauth doc (#21628)
Remove broken tag
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
2026-04-15 19:44:28 +00:00
authentik-automation[bot]
eaf1c45ea6
website/docs: add a single page about our user interface, document Consent stage (cherry-pick #20533 to version-2026.2) (#21619)
* Cherry-pick #20533 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #20533
Original commit: a6c5540369
* Update inspector.md
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-04-15 10:08:42 +00:00
authentik-automation[bot]
f0f42668c4
blueprints: fix reconcile calling @property (cherry-pick #21576 to version-2026.2) (#21616)
blueprints: fix reconcile calling @property (#21576)
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: João C. Fernandes <jfernandes@cloudflare.com>
2026-04-15 11:35:37 +02:00
authentik-automation[bot]
123fbd26bb
providers/oauth2: fix time logic in refresh_token_threshold (cherry-pick #21537 to version-2026.2) (#21598)
* providers/oauth2: fix time logic in refresh_token_threshold (#21537)
* providers/oauth2: fix time logic in refresh_token_threshold
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix flaky tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-04-15 11:07:17 +02:00
authentik-automation[bot]
b94d93b6c4
packages/django-dramatiq-postgres: reset db connections in raise_connection_error (cherry-pick #21577 to version-2026.2) (#21599)
Co-authored-by: João C. Fernandes <jfernandes@cloudflare.com>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2026-04-14 15:26:17 +02:00
authentik-automation[bot]
d0b25bf648
lib/sync/outgoing: avoid expensive query to get number of sync pages (cherry-pick #21575 to version-2026.2) (#21581)
lib/sync/outgoing: avoid expensive query to get number of sync pages (#21575)
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: João C. Fernandes <jfernandes@cloudflare.com>
2026-04-14 00:51:31 +02:00
authentik-automation[bot]
d4db4e50b4
website/docs: add another sentence to First Steps about restricting access to apps (cherry-pick #21517 to version-2026.2) (#21542)
website/docs: add another sentence to First Steps about restricting access to apps (#21517)
* add another sentence about restricting access to apps
* tweaks
* Update website/docs/install-config/first-steps/index.mdx
* Lint fix
---------
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
2026-04-13 04:42:33 -05:00
authentik-automation[bot]
c5e726d7eb
endpoints: fix tasks failing (cherry-pick #20904 to version-2026.2) (#21538)
endpoints: fix tasks failing (#20904)
* endpoints: fix tasks failing
* fix
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-04-10 16:15:55 +02:00