
authentik

version/2026.2.3 Security

This release includes 8 security fixes and is of interest to security teams reviewing exposed deployments.

This release patches 8 known CVEs

Topics

authentication, authentik, authorization, kubernetes, oauth2, oauth2-client, oauth2-server, oidc, oidc-client, oidc-provider, proxy, saml, saml-idp, saml-sp, security, sso

Affected surfaces

deps

ReleasePort's take


Authentik 2026.2.3 fixes time logic in OAuth2 refresh token threshold calculation, addressing CVE-2026-42849 and GHSA-5wcc-hf24-rf5h.

Why it matters: both CVE-2026-42849 and GHSA-5wcc-hf24-rf5h affect OAuth2 refresh token timing in authentik 2026.2.x, so the patch should be deployed to production immediately.

Summary

AI summary

Fixed time logic in OAuth2 refresh token threshold calculation.

Changes in this release

  • Security (Medium): Fixes CVE-2026-42849, a security vulnerability. (Source: llm_adapter@2026-05-21; confidence: low)
  • Security (Medium): Patch GHSA-5wcc-hf24-rf5h to address a security issue. (Source: llm_adapter@2026-05-21; confidence: low)
  • Feature (Medium): Allow cross-provider token introspection for federated OAuth2 providers. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Dependency (Low): Bump Django from 5.2.12 to 5.2.13 in core. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Dependency (Low): Update Django to 5.2.14 at project root. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Performance (Low): Avoid expensive query to get number of sync pages in lib/sync/outgoing. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Medium): Fix tasks failing in endpoints. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Medium): Fix time logic in refresh_token_threshold of OAuth2 provider. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Medium): Prevent leader tab deadlock in continuous login flow in web/flows. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Medium): Clip device authorization scope against the provider's ScopeMapping set in OAuth2 provider. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Medium): Fix search for app entitlements failing in core. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Low): Reset DB connections in raise_connection_error for the django-dramatiq-postgres package. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Low): Fix reconcile calling @property in blueprints. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Low): Don't auto-set redirect_uri in OAuth2 provider configuration. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Low): Fix message authenticator validation in RADIUS provider. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Low): Ensure migration 0056 runs before 0010 removes group field in RBAC. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Low): Avoid task processing stopping on decode error in django-dramatiq-postgres broker. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Bugfix (Low): Fix destination_group_obj not being nullable in events module. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Refactor (Low): Rework SFE rendering in web/packages. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)
  • Refactor (Low): Present unset flags as `False` in tenants/settings. (Source: granite4.1:30b@2026-05-23-audit; confidence: low)

Full changelog

See https://docs.goauthentik.io/docs/releases/2026.2#fixed-in-202623

What's Changed

  • core: bump django from v5.2.12 to 5.2.13 (cherry-pick #21520 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21526
  • endpoints: fix tasks failing (cherry-pick #20904 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21538
  • website/docs: add another sentence to First Steps about restricting access to apps (cherry-pick #21517 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21542
  • lib/sync/outgoing: avoid expensive query to get number of sync pages (cherry-pick #21575 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21581
  • packages/django-dramatiq-postgres: reset db connections in raise_connection_error (cherry-pick #21577 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21599
  • providers/oauth2: fix time logic in refresh_token_threshold (cherry-pick #21537 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21598
  • blueprints: fix reconcile calling @property (cherry-pick #21576 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21616
  • website/docs: add a single page about our user interface, document Consent stage (cherry-pick #20533 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21619
  • website/docs: remove broken version tag from oauth doc (cherry-pick #21628 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21629
  • web/flows: prevent leader tab deadlock in continuous login flow (cherry-pick #21583 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21627
  • providers/oauth2: allow cross provider token introspection for federated providers (cherry-pick #21513 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21748
  • providers/oauth2: don't auto-set redirect_uri (cherry-pick #21746 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21750
  • ci: fix postgres path for postgres 18 tests (2026.2) (#21767) by @BeryJu in https://github.com/goauthentik/authentik/pull/21789
  • website/docs: add authorization header info to all proxy configs (cherry-pick #21664 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21786
  • providers/oauth2: clip device authorization scope against the provider's ScopeMapping set (cherry-pick #21701 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21799
  • website/docs: improve social login docs titles (cherry-pick #21816 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21818
  • providers/radius: fix message authenticator validation (cherry-pick #21824 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21828
  • web/packages: Rework SFE rendering (cherry-pick #21833 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21850
  • core: fix search for app entitlements failing (cherry-pick #21944 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/21988
  • rbac: ensure migration 0056 runs before 0010 removes group field (cherry-pick #21964 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22033
  • root: update django to 5.2.14 (cherry-pick #22064 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22066
  • packages/django-dramatiq-postgres/broker: avoid task processing stopping on decode error (cherry-pick #22110 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22127
  • tenants/settings: present unset flags as False (cherry-pick #22162 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22164
  • events: fix destination_group_obj not being nullable (cherry-pick #22161 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22165
  • internal: fix lint by @gergosimonyi in https://github.com/goauthentik/authentik/pull/22263
  • internal: Automated internal backport: GHSA-973w-j457-rp2m.sec.patch to authentik-2026.2 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22289
  • internal: Automated internal backport: CVE-2026-42849.sec.patch to authentik-2026.2 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22287
  • internal: Automated internal backport: CVE-2026-41577.sec.patch to authentik-2026.2 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22286
  • internal: Automated internal backport: CVE-2026-41569.sec.patch to authentik-2026.2 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22285
  • internal: Automated internal backport: CVE-2026-40172.sec.patch to authentik-2026.2 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22284
  • internal: Automated internal backport: CVE-2026-40166.sec.patch to authentik-2026.2 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22283
  • internal: Automated internal backport: CVE-2026-40165.sec.patch to authentik-2026.2 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22282
  • internal: Automated internal backport: GHSA-5wcc-hf24-rf5h.sec.patch to authentik-2026.2 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22288
  • website/docs: release notes for 2025.12.5 and 2026.2.3 (cherry-pick #22310 to version-2026.2) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22312

Full Changelog: https://github.com/goauthentik/authentik/compare/version/2026.2.3-rc1...version/2026.2.3

Security Fixes

  • CVE-2026-42849
  • CVE-2026-41577
  • CVE-2026-41569
  • CVE-2026-40172
  • CVE-2026-40166
  • CVE-2026-40165
  • GHSA-973w-j457-rp2m
  • GHSA-5wcc-hf24-rf5h


About authentik

The authentication glue you need.
