authentik

version/2025.12.6 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.


Topics

authentication authentik authorization kubernetes oauth2 oauth2-client oauth2-server oidc oidc-client oidc-provider proxy saml saml-idp saml-sp security sso

Affected surfaces

auth crypto_tls

ReleasePort's take

Moderate signal
editorial:auto 6d

The release backports three security patches to authentik core.

Why it matters: Patches GHSA-wr38-7xg8-fqxr, GHSA-xp7f-xjjx-gwm8, and GHSA-c3m2-jqmq-pvp3 address critical vulnerabilities; upgrade immediately if affected.

Summary

AI summary

Updates enterprise/stages/mtls, website/docs, and root across a mixed release.

Changes in this release

Security Critical

Backports three security patches (GHSA-wr38-7xg8-fqxr, GHSA-xp7f-xjjx-gwm8, GHSA-c3m2-jqmq-pvp3).

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Fixes stale version in OutpostState for outposts.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Freezes time for expired certs in enterprise MTLS stages.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Attempts fix for freezegun handling in enterprise MTLS stages.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Configures freezegun to exclude cryptography at root.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Fixes email link in CVE-2026-40166 documentation.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Fixes docs not having correct JavaScript version setup in CI.

Source: llm_adapter@2026-05-28

Confidence: low

Bugfix Medium

Fixes test teardown in tenants.

Source: llm_adapter@2026-05-28

Confidence: low

Full changelog

See https://docs.goauthentik.io/docs/releases/2025.12#fixed-in-2025126

What's Changed

  • website/docs: fix email link in CVE-2026-40166 (cherry-pick #22331 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22332
  • enterprise/stages/mtls: freeze time for expired certs (cherry-pick #22411 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22413
  • root: configure freezegun to exclude cryptography (cherry-pick #22442 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22446
  • enterprise/stages/mtls: attempt fix freezegun (cherry-pick #22474 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22499
  • outposts: fix stale version in OutpostState (cherry-pick #22487 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22503
  • ci: fix docs not having correct js version setup (2025.12) by @BeryJu in https://github.com/goauthentik/authentik/pull/22717
  • tenants: fix test teardown (version-2025.12) by @gergosimonyi in https://github.com/goauthentik/authentik/pull/22714
  • security: automated internal backport of patch GHSA-wr38-7xg8-fqxr.sec.patch to authentik-2025.12 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22724
  • security: automated internal backport of patch GHSA-xp7f-xjjx-gwm8.sec.patch to authentik-2025.12 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22725
  • security: automated internal backport of patch GHSA-c3m2-jqmq-pvp3.sec.patch to authentik-2025.12 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22723

Full Changelog: https://github.com/goauthentik/authentik/compare/version/2025.12.5...version/2025.12.6

Security Fixes

  • CVE-2026-40166 — fixed email link in website/docs
  • GHSA-wr38-7xg8-fqxr — automated internal security patch
  • GHSA-xp7f-xjjx-gwm8 — automated internal security patch
  • GHSA-c3m2-jqmq-pvp3 — automated internal security patch
