authentik

version/2026.5.2 Security

This release includes 3 security fixes and is relevant for security teams reviewing exposed deployments.

Topics

authentication, authentik, authorization, kubernetes, oauth2, oauth2-client, oauth2-server, oidc, oidc-client, oidc-provider, proxy, saml, saml-idp, saml-sp, security, sso

Affected surfaces

auth, breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 6d

Authentik version 2026.5.2 applies three high‑severity security patches (GHSA-c3m2-jqmq-pvp3, GHSA-wr38-7xg8-fqxr, GHSA-xp7f-xjjx-gwm8).

Why it matters: Patches address critical vulnerabilities with severity scores near 100; deploy the update immediately to mitigate high‑risk exploits.

Summary

AI summary

Updates website/docs, packages/ak-common/db, and root across a mixed release.

Changes in this release

  • Security (Critical): Applies security patches GHSA-c3m2-jqmq-pvp3, GHSA-wr38-7xg8-fqxr, and GHSA-xp7f-xjjx-gwm8.
  • Feature (Low): Adds support for federated authentication via SSH host-key lookup in the Agent connector.
  • Bugfix (Medium): Fixes OAuth2 session decode issue when upgrading from version 2026.2.
  • Bugfix (Medium): Fixes Event.log_deprecation check to ensure cause is a string.
  • Bugfix (Medium): Fixes conn_max_age causing spinning in ak-common DB package.
  • Bugfix (Medium): Allows certificates options to accept file paths in ak-common DB package.
  • Bugfix (Medium): Fixes RADIUS provider EAP debug logging.
  • Bugfix (Low): Updates security release version references.
  • Bugfix (Low): Fixes release notes cards on the website.
  • Bugfix (Low): Bumps package-lock file in the website docs.

Source (all items above): llm_adapter@2026-05-28

Confidence (all items above): high

Full changelog

See https://docs.goauthentik.io/docs/releases/2026.5#fixed-in-202652

What's Changed

  • website/docs: Fix release notes cards (cherry-pick #22554 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22555
  • root: update security release versions (cherry-pick #22583 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22591
  • endpoints/connectors/agent: allow federated auth via ssh hostkey lookup (cherry-pick #22594 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22597
  • website/docs: Bump package-lock by @GirlBossRush in https://github.com/goauthentik/authentik/pull/22552
  • providers/radius: fix eap debug logging (cherry-pick #22551 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22579
  • events: fix Event.log_deprecation not checking that cause is a string (cherry-pick #22598 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22683
  • packages/ak-common/db: fix conn_max_age causing spinning (cherry-pick #22679 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22686
  • packages/ak-common/db: fix certificates options not allowing file paths (cherry-pick #22680 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22685
  • providers/oauth2: fix session decode when upgrading from 2026.2 (cherry-pick #22684 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22692
  • enterprise/providers/scim: fix last_updated for OAuth interactive (cherry-pick #22678 to version-2026.5) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22700
  • security: automated internal backport of patch GHSA-c3m2-jqmq-pvp3.sec.patch to authentik-2026.5 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22729
  • security: automated internal backport of patch GHSA-wr38-7xg8-fqxr.sec.patch to authentik-2026.5 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22730
  • security: automated internal backport of patch GHSA-xp7f-xjjx-gwm8.sec.patch to authentik-2026.5 by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/22731

Full Changelog: https://github.com/goauthentik/authentik/compare/version/2026.5.0...version/2026.5.2

Security Fixes

  • GHSA-c3m2-jqmq-pvp3 — automated internal backport patch
  • GHSA-wr38-7xg8-fqxr — automated internal backport patch
  • GHSA-xp7f-xjjx-gwm8 — automated internal backport patch
