authentik

version/2026.2.4 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.


Topics

authentication authentik authorization kubernetes oauth2 oauth2-client oauth2-server oidc oidc-client oidc-provider proxy saml saml-idp saml-sp security sso

Affected surfaces

auth deps

ReleasePort's take

Moderate signal
editorial:auto 6d

The release applies security patches from GHSA advisories and includes several bug fixes across core components, MTLS handling, RADIUS logging, and documentation.

Why it matters: Security patches from GHSA advisories address critical vulnerabilities; apply the update immediately to mitigate risks.

Summary

AI summary

Updates website/docs, enterprise/stages/mtls, and core across a mixed release.

Changes in this release

Security Critical

Applies security patches from GHSA advisories.

Source: llm_adapter@2026-05-28

Confidence: high

Feature Medium

Allows federated authentication via SSH host-key lookup.

Source: llm_adapter@2026-05-28

Confidence: high

Dependency Low

Bumps goauthentik/fips-python from 3.14.3 to 3.14.5.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Fixes EAP debug logging in RADIUS provider.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Fixes filter_not_expired to accept positional arguments.

Source: llm_adapter@2026-05-28

Confidence: low

Bugfix Low

Fixes stale version reporting in OutpostState.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Low

Freezes time handling for expired MTLS certificates.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Low

Attempts to resolve freezegun issue in MTLS stage.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Low

Corrects email link in CVE-2026-40166 documentation.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Low

Updates version and adds global setting in Helm values.yaml snippets.

Source: llm_adapter@2026-05-28

Confidence: high

Full changelog

See https://docs.goauthentik.io/docs/releases/2026.2#fixed-in-202624

What's Changed

  • endpoints: remove print line (cherry-pick #22325 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22326
  • website/docs: fix email link in CVE-2026-40166 (cherry-pick #22331 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22333
  • enterprise/stages/mtls: freeze time for expired certs (cherry-pick #22411 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22414
  • enterprise/stages/mtls: attempt fix freezegun (cherry-pick #22474 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22500
  • outposts: fix stale version in OutpostState (cherry-pick #22487 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22504
  • website/docs: add global to values.yaml snippets and update version (cherry-pick #22524 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22530
  • core: bump goauthentik/fips-python from 3.14.3-slim-trixie-fips to 3.14.5-slim-trixie-fips in /lifecycle/container (cherry-pick #22518 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22528
  • endpoints/connectors/agent: allow federated auth via ssh hostkey lookup (cherry-pick #22594 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22596
  • providers/radius: fix eap debug logging (cherry-pick #22551 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22578
  • core: fix filter_not_expired not accepting positional arguments (2026.2) by @BeryJu in https://github.com/goauthentik/authentik/pull/22690
  • ci: fix docs not having correct js version setup (2026.2) by @BeryJu in https://github.com/goauthentik/authentik/pull/22716
  • tenants: fix test teardown (version-2026.2) by @gergosimonyi in https://github.com/goauthentik/authentik/pull/22715
  • security: automated internal backport of patch GHSA-c3m2-jqmq-pvp3.sec.patch to authentik-2026.2 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22726
  • security: automated internal backport of patch GHSA-wr38-7xg8-fqxr.sec.patch to authentik-2026.2 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22727
  • security: automated internal backport of patch GHSA-xp7f-xjjx-gwm8.sec.patch to authentik-2026.2 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22728

Full Changelog: https://github.com/goauthentik/authentik/compare/version/2026.2.3...version/2026.2.4

Security Fixes

  • CVE-2026-40166 — email link in the advisory documentation corrected (PR #22333)
  • GHSA-c3m2-jqmq-pvp3.sec.patch — internal security patch applied
  • GHSA-wr38-7xg8-fqxr.sec.patch — internal security patch applied
  • GHSA-xp7f-xjjx-gwm8.sec.patch — internal security patch applied

About authentik

The authentication glue you need.
