authentik

version/2026.5.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 13d Secrets & Credentials
✓ No known CVEs patched
This release patches 1 known CVE

Topics

authentication authentik authorization kubernetes oauth2 oauth2-client oauth2-server oidc oidc-client oidc-provider proxy saml saml-idp saml-sp security sso

ReleasePort's take

Moderate signal
editorial:auto 12d

The release corrects several documentation typos and updates SAML provider behavior; it also adds interactive OAuth2 support for SCIM in enterprise configurations.

Why it matters: Fixes certificate typo, audience import, XML handling, UI link removal, MTLS time freezing, freezegun issues, version reference, gitignore entries, and documentation typos—critical for security‑sensitive SAML flows and accurate docs.

Summary

AI summary

Broad release touches website/docs, providers/saml, website/integrations, and enterprise/stages/mtls.

Changes in this release

Feature Medium

Adds support for interactive OAuth2 in SCIM provider.

Source: llm_adapter@2026-05-22

Confidence: high

Feature Medium

Adds sls entry to SAML overview documentation.

Source: llm_adapter@2026-05-22

Confidence: high

Feature Medium

Updates name to application dashboard in web and website UI.

Source: llm_adapter@2026-05-22

Confidence: low

Dependency Medium

Bumps goauthentik/fips‑python from 3.14.3‑slim‑trixie‑fips to 3.14.5‑slim‑trixie‑fips.

Source: llm_adapter@2026-05-22

Confidence: low

Performance Medium

Fetches table data on first render when already visible.

Source: llm_adapter@2026-05-22

Confidence: low

Bugfix Medium

Fixes issue where default user path is not preferred.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Correctly imports audience from SAML metadata.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Handles XML declarations in unified SAML endpoint.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Fixes certificate typo in events module.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Removes sp binding field from integration configuration.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Removes link to overview for non‑internal users in flows UI.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Freezes time handling for expired MTLS certificates.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Attempts fix for freezegun issues in MTLS stages.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Corrects stale version reference in OutpostState.

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Corrects gitignore binary path entries.

Source: llm_adapter@2026-05-22

Confidence: high

Refactor Medium

Updates UI terms in providers documentation.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Adds first batch of updates for new Binding wizard documentation.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Updates release notes to include integrations section.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Fixes typo and style issues in website documentation.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Removes `print` line from endpoints implementation.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Updates all integration guides to match auto‑generated issuer.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Configures freezegun to exclude cryptography module.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Adds invitation wizard documentation section.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Adds absorb LMS entry to integrations release notes.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Updates SAML source documentation with force authentication details.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Adds global entry to values.yaml snippets and updates version info.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Adds section about package reduction in 2026.5 release notes.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Fixes email link in CVE‑2026‑40166 documentation.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Corrects performance improvements wording in 2026.5 release notes.

Source: llm_adapter@2026-05-22

Confidence: low

Refactor Medium

Updates SAML docs endpoint information.

Source: llm_adapter@2026-05-22

Confidence: low

Full changelog

See https://docs.goauthentik.io/docs/releases/2026.5

What's Changed

  • endpoints: remove print line (cherry-pick #22325 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22327
  • website/docs: release notes 2026.5: add section about package reduction (cherry-pick #22308 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22324
  • website/docs: fix email link in CVE-2026-40166 (cherry-pick #22331 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22334
  • enterprise/providers/scim: add support for interactive OAuth2 (cherry-pick #22072 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22337
  • website/docs: fix typos and style issues (cherry-pick #22141 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22189
  • website/integrations: Update all guides to match auto generated issuer (cherry-pick #22180 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22346
  • website/integrations: remove sp binding field (cherry-pick #22200 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22348
  • website/docs: 2026.5 release notes: fix performance improvements wording (cherry-pick #22307 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22309
  • web: Fix issue where default user path is not preferred. (cherry-pick #22139 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22364
  • website/docs: Add invitation wizard docs (cherry-pick #22069 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22316
  • website/docs, integrations: SAML docs endpoint updates (cherry-pick #22197 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22347
  • providers/saml: Add sls to saml overview (cherry-pick #22183 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22368
  • flows: remove link to overview for non-internal user (cherry-pick #22362 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22371
  • enterprise/stages/mtls: freeze time for expired certs (cherry-pick #22411 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22415
  • website: Docs and README new screenshots (cherry-pick #22341 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22441
  • web, website: Update name to application dashboard (cherry-pick #22190 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22374
  • web/table: fetch on first render when already visible (cherry-pick #22376 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22438
  • website/docs: providers: update UI terms (cherry-pick #22136 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22443
  • providers/saml: Properly import audience from metadata. (cherry-pick #22181 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22449
  • website/docs: add integrations to 2026.5 release notes (cherry-pick #22416 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22444
  • root: configure freezegun to exclude cryptography (cherry-pick #22442 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22448
  • website/docs: first batch of updates for new Binding wizard (cherry-pick #22393 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22450
  • root: fix gitignore binary paths (cherry-pick #22445 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22485
  • enterprise/stages/mtls: attempt fix freezegun (cherry-pick #22474 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22501
  • outposts: fix stale version in OutpostState (cherry-pick #22487 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22505
  • website/docs: update saml source to include details on force authenti… (cherry-pick #22488 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22510
  • website/docs: add global to values.yaml snippets and update version (cherry-pick #22524 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22531
  • core: bump goauthentik/fips-python from 3.14.3-slim-trixie-fips to 3.14.5-slim-trixie-fips in /lifecycle/container (cherry-pick #22518 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22529
  • website/docs: release notes: add absorb lms to integrations (cherry-pick #22534 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22537
  • providers/saml: handle XML declarations in unified endpoint (cherry-pick #22455 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22539
  • events: fix certificate typo (cherry-pick #22542 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22547
  • website/release: Release notes updates (cherry-pick #22543 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22545

Full Changelog: https://github.com/goauthentik/authentik/compare/version/2026.5.0-rc2...version/2026.5.0

Security Fixes

  • CVE-2026-40166

About authentik

The authentication glue you need.
