
authentik

version/2025.12.5 Security

Security release for the 2025.12 branch: seven security fixes are backported (five CVEs and two GitHub security advisories), alongside dependency bumps and bugfixes.

Topics

authentication authentik authorization kubernetes oauth2 oauth2-client oauth2-server oidc oidc-client oidc-provider proxy saml saml-idp saml-sp security sso

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal (auto-generated editorial)

Authentik version 2025.12.5 applies fixes for CVE-2026-41577, CVE-2026-40172, CVE-2026-40166, CVE-2026-40165 and CVE-2026-42849, plus the advisories GHSA-973w-j457-rp2m and GHSA-5wcc-hf24-rf5h.

Why it matters: this is a security release, so upgrade to 2025.12.5 promptly (the release-notes PR in the changelog below covers 2025.12.5 and 2026.2.3 together, so deployments on the 2026.2 branch need 2026.2.3). Severity ratings for the individual advisories are in the upstream GitHub advisories and the linked release notes. The changelog also carries proxy, LDAP and RADIUS provider fixes that live in the outposts, so update outposts together with the server rather than leaving them on the previous build.


Changes in this release

Source: llm_adapter@2026-05-21 (automated summary; every entry rated Medium impact, with per-entry confidence ranging from low to high)

Security
  • Fix security vulnerability GHSA-973w-j457-rp2m (backport PR #22281)
  • Fix security vulnerability GHSA-5wcc-hf24-rf5h (backport PR #22280)
  • CVE-2026-41577 fix applied (backport PR #22278); the same batch backports CVE-2026-40172, CVE-2026-40166, CVE-2026-40165 and CVE-2026-42849 (PRs #22277, #22276, #22275, #22279)
  • Security-relevant provider and policy changes from the full list below, not flagged by the summary but worth reviewing before and after the upgrade:
      - providers/radius: fix message authenticator validation
      - providers/oauth2: don't auto-set redirect_uri; clip device authorization scope against the provider's ScopeMapping set; device code flow client id via auth header; allow cross provider token introspection for federated providers
      - policies: fix PolicyEngineMode ALL with static binding optimization
      - stages/user_login: log correct user when session binding is broken
      - web/admin: fix missing OSM referrerPolicy header
      - ci: rotate GH App private key (build pipeline only, not a runtime change)

Feature
  • Add continuous login flow 2025.12 (with a follow-up debug change; the leader-tab deadlock fix is listed under Bugfix)
  • Add ES384 to the enterprise license algorithms

Dependency
  • Bump Django from 5.2.11 to 5.2.14 in three steps (5.2.12, 5.2.13, 5.2.14); the release ends on 5.2.14, not 5.2.13
  • Bump cbor2 from 5.8.0 to 5.9.0

Bugfix
  • Fix locale selector in compatibility mode
  • Avoid infinite recursion in stage with unsupported connector (endpoints)
  • Add Object.assign polyfill for IE11 support (simplified flow executor)
  • Fix redirect for SAML Single Logout (SLO)
  • Prevent leader tab deadlock in continuous login flow
  • Handle non-string values in formatUUID to prevent Event Log crash
  • Avoid implicitly setting context from login_failed event
  • Also in the full list: SCIM page_size UI fix, LDAP debug endpoint exception fix, LDAP API client concurrent header writes, duplicate Turnstile widgets after extended idle, SAML source StatusMessage handling

Refactor
  • Rework SFE rendering
  • Make HTTP timeouts configurable (internal)

Full changelog

See https://docs.goauthentik.io/docs/releases/2025.12#fixed-in-2025125

What's Changed

  • website/docs: 2025.10.4 release notes (cherry-pick #20242 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20250
  • website/docs: 2025.12.4 release notes (cherry-pick #20226 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20252
  • website/docs: 2025.8.6 release notes (cherry-pick #20243 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20256
  • ci: fix binary outpost build on release (cherry-pick #20248 to version-2025.12) by @rissson in https://github.com/goauthentik/authentik/pull/20280
  • website/docs: add okta source doc (cherry-pick #20296 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20334
  • root: do not rely on npm cli for version bump (cherry-pick #20276 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20320
  • ci: fix setup altering package-lock (cherry-pick #20348 to version-2025.12) by @rissson in https://github.com/goauthentik/authentik/pull/20355
  • website/docs: Custom CSS (cherry-pick #19991 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20286
  • web: Fix locale selector in compatibility mode. (cherry-pick #19946 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20088
  • sources/saml: update handling statusmessage (cherry-pick #19739 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20066
  • website/docs: Fix broken link to flow executor (cherry-pick #20364 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20369
  • ci: pull latest changes before tagging new version (cherry-pick #20413 to version-2025.12) by @rissson in https://github.com/goauthentik/authentik/pull/20415
  • website/docs: rac: update rac provider docs (cherry-pick #20225 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20336
  • stages/user_login: log correct user when session binding is broken (cherry-pick #20094 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20452
  • policies: measure policy process from manager (cherry-pick #20477 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20480
  • website/docs: fix GitHub social-login wording and capitalization (cherry-pick #20489 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20504
  • enterprise: add ES384 to enterprise license algorithms (cherry-pick #20507 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20509
  • endpoints: fix infinite recursion in stage with unsupported connector (cherry-pick #20485 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20513
  • website/docs: fix linux setup docs (cherry-pick #20508 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20516
  • providers/oauth2: deactivate locale after testing (cherry-pick #20518 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20525
  • policies: fix PolicyEngineMode ALL with static binding optimization (cherry-pick #20430 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20523
  • website/docs: remove bad logs redirect (cherry-pick #20522 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20547
  • internal: make http timeouts configurable (cherry-pick #20472 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20566
  • web/sfe: bug: polyfill needed to supply Object.assign() to IE11. (cherry-pick #20126 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20136
  • website/docs: kerberos: add note about caching (cherry-pick #20663 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20665
  • providers/proxy: move search path to query instead of runtime parameter (cherry-pick #20662 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20692
  • core: bump django from 5.2.11 to 5.2.12 (cherry-pick #20719 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20737
  • web/admin: Fix SCIM page_size UI issue (cherry-pick #20890 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20928
  • web/flows: add continuous flow 2025.12 by @BeryJu in https://github.com/goauthentik/authentik/pull/20362
  • web/admin: fix missing OSM referrerPolicy header (cherry-pick #20984 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20989
  • flows: continuous login debug 2025.12 by @BeryJu in https://github.com/goauthentik/authentik/pull/21044
  • web/admin: handle non-string values in formatUUID to prevent Event Log crash (cherry-pick #20804 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21051
  • events: avoid implicitly setting context from login_failed event (cherry-pick #21045 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21049
  • docs: Add note on skipping object syncing (cherry-pick #20882 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/20893
  • ci: fix escaping in cherry-pick action (#21082) by @BeryJu in https://github.com/goauthentik/authentik/pull/21084
  • ci: rotate GH App private key (version-2025.12) by @BeryJu in https://github.com/goauthentik/authentik/pull/21086
  • core: bump cbor2 from 5.8.0 to 5.9.0 (cherry-pick #21094 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21095
  • sources/ldap: fix exception in ldap debug endpoint (cherry-pick #21219 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21220
  • providers/ldap: avoid concurrent header writes in API Client (cherry-pick #21223 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21227
  • website/docs: add example recovery flow with MFA (cherry-pick #19497 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21304
  • ci: allow setting working directory for setup action (2025.12) by @BeryJu in https://github.com/goauthentik/authentik/pull/21331
  • root: fix compose generation for patch releases release candidates (cherry-pick #21353 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21354
  • providers/saml: Fix redirect for saml slo (cherry-pick #21258 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21283
  • web/flows: prevent leader tab deadlock in continuous login flow (cherry-pick #21583 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21626
  • core: bump django from v5.2.12 to 5.2.13 (cherry-pick #21520 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21525
  • providers/oauth2: don't auto-set redirect_uri (cherry-pick #21746 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21749
  • providers/oauth2: allow cross provider token introspection for federated providers (cherry-pick #21513 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21747
  • ci: fix postgres path for postgres 18 tests (2025.12) (#21767) by @BeryJu in https://github.com/goauthentik/authentik/pull/21788
  • providers/oauth2: device code flow client id via auth header (cherry-pick #20457 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21803
  • providers/oauth2: clip device authorization scope against the provider's ScopeMapping set (cherry-pick #21701 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21798
  • providers/radius: fix message authenticator validation (cherry-pick #21824 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21827
  • web/packages: Rework SFE rendering (cherry-pick #21833 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21851
  • web: Fix duplicate Turnstile widgets after extended idle (cherry-pick #21380 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21472
  • root: update django to 5.2.14 (cherry-pick #22064 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22065
  • internal: fix lint (cherry-pick #22263 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22306
  • internal: Automated internal backport: GHSA-973w-j457-rp2m.sec.patch to authentik-2025.12 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22281
  • internal: Automated internal backport: GHSA-5wcc-hf24-rf5h.sec.patch to authentik-2025.12 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22280
  • internal: Automated internal backport: CVE-2026-41577.sec.patch to authentik-2025.12 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22278
  • internal: Automated internal backport: CVE-2026-40172.sec.patch to authentik-2025.12 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22277
  • internal: Automated internal backport: CVE-2026-40166.sec.patch to authentik-2025.12 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22276
  • internal: Automated internal backport: CVE-2026-40165.sec.patch to authentik-2025.12 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22275
  • internal: Automated internal backport: CVE-2026-42849.sec.patch to authentik-2025.12 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22279
  • website/docs: release notes for 2025.12.5 and 2026.2.3 (cherry-pick #22310 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22311

Full Changelog: https://github.com/goauthentik/authentik/compare/version/2025.12.4...version/2025.12.5

Security Fixes

  • GHSA-973w-j457-rp2m — security patch applied
  • GHSA-5wcc-hf24-rf5h — security patch applied
  • CVE-2026-41577 — security vulnerability patched
  • CVE-2026-40172 — security vulnerability patched
  • CVE-2026-40166 — security vulnerability patched
  • CVE-2026-40165 — security vulnerability patched
  • CVE-2026-42849 — security vulnerability patched
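Verifying that a deployment actually carries these fixes, as an added example (not authentik's or ReleasePort's code): it parses the version string that authentik's admin API reports and compares it with the minimum fixed release for the branch, covering both 2025.12.5 and 2026.2.3 (which the release-notes PR in the changelog says shipped together) and treating release candidates as below the final release. The endpoint path /api/v3/admin/version/ and the JSON field names version_current / version_latest / outdated / outpost_outdated are my assumption about the admin API; the sample response is constructed.

```python
"""Assess whether an authentik deployment carries the fixes from this release.

Added example; not authentik's or ReleasePort's code. It evaluates the JSON body
that authentik's admin API returns from GET /api/v3/admin/version/ (bearer token
required). The endpoint path and the field names version_current /
version_latest / outdated / outpost_outdated are an assumption about that API;
confirm them against your instance's schema. The sample response at the bottom
is constructed.
"""
import json
import re
import urllib.request
from typing import NamedTuple, Optional

# Minimum release per branch that carries this note's fixes. 2025.12.5 and
# 2026.2.3 shipped together (see the release-notes PR in the changelog).
# Branches missing here are not covered by this note at all.
FIXED_IN_BY_BRANCH = {
    (2025, 12): "2025.12.5",
    (2026, 2): "2026.2.3",
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-.]?((?:rc|dev|a|b)\d+))?$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    pre: Optional[str]  # None for a final release, "rc1"/"dev0" for a pre-release

    def sort_key(self):
        # A pre-release sorts below the final release with the same x.y.z.
        return (self.major, self.minor, self.patch, self.pre is None, self.pre or "")

    def __str__(self):
        base = f"{self.major}.{self.minor}.{self.patch}"
        return f"{base}-{self.pre}" if self.pre else base


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised authentik version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return Version(int(major), int(minor), int(patch), pre)


def assess(info: dict) -> dict:
    """Return a verdict dict for one admin-version response body."""
    current = parse_version(info["version_current"])
    fixed_text = FIXED_IN_BY_BRANCH.get((current.major, current.minor))
    if fixed_text is None:
        status = "unknown"
        detail = "branch not covered by this release note; check the upstream advisories"
    elif current.sort_key() >= parse_version(fixed_text).sort_key():
        status = "patched"
        detail = f"{current} is at or above {fixed_text}"
    else:
        status = "vulnerable"
        detail = f"{current} is below {fixed_text}"
    return {
        "status": status,
        "detail": detail,
        "current": str(current),
        "required": fixed_text,
        # Outposts (proxy/LDAP/RADIUS) are built from the same release and this
        # changelog touches all three, so an outdated outpost is its own finding.
        "outposts_current": not info.get("outpost_outdated", False),
    }


def fetch_and_assess(base_url: str, token: str) -> dict:
    """Live check against a real instance (not exercised by the sample below)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v3/admin/version/",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return assess(json.load(resp))


# Constructed sample response, shaped like the assumed endpoint body.
SAMPLE_RESPONSE = {
    "version_current": "2025.12.4",
    "version_latest": "2025.12.5",
    "outdated": True,
    "outpost_outdated": True,
}

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_RESPONSE), indent=2))
```

Run it with `fetch_and_assess("https://authentik.example", token)` using a token that can read the admin API; an "unknown" verdict means the instance is on a branch this note says nothing about, which is a prompt to read the upstream advisories rather than a clean result.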
