kanidm

v1.9.4 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 20d Secrets & Credentials
✓ No known CVEs patched

Topics: authentication, iam, identity, identity-management, idm, ldap, oidc, radius, rust, scim, security, ssh-authentication, webauthn

Affected surfaces: auth, rbac

ReleasePort's take

Light signal
editorial:auto 13d

Version v1.9.4 fixes a critical privilege‑escalation flaw that lets any authenticated user add themselves to privileged groups.

Why it matters: Patch to v1.9.4 immediately; the vulnerability grants arbitrary group membership to all authenticated users.

Summary

AI summary

Critical privilege‑escalation vulnerability allows any authenticated user to add themselves to privileged groups.

Changes in this release

All entries below are rated Medium impact. Source for every entry: llm_adapter@2026-05-21; the per-entry confidence is given in brackets.

  • Security (high): PNG Image validation mishandles short images, potentially leading to worker thread panic.
  • Security (high): Incorrect origin validation in Webauthn-RS allows a malicious domain to collide with a valid one.
  • Security (high): Harden against errors when `libnss_kanidm.so` is used by a forking process.
  • Security (low): Any authenticated user can modify attributes of any entry they have read permissions over.
  • Security (low): SCIM Filters lack a parsing depth bound, causing stack exhaustion and Denial of Service.
  • Security (low): HTML injection via user DisplayName in Passkey enrolment dialogs allows JS execution by admin.
  • Security (low): Non-constant time OAuth2 client secret comparison may allow remote recovery of secret bytes.
  • Security (low): LDAP Filters lack a parsing depth bound, causing stack exhaustion and Denial of Service.
  • Security (low): Resolve incorrect CSP headers in some OAuth2 situations.
  • Breaking (high): Upgrade/downgrade constraints are now stricter to prevent administrative mistakes.
  • Feature (high): HJSON-based entry migration framework introduced for configuration management of database entries.
  • Feature (high): Service Accounts can issue OIDC/OAuth2 tokens using RFC8693 Token Exchange.
  • Feature (high): Python API generated from OpenAPI definitions for improved integration.
  • Feature (high): Allow clearing of softlocks that are enforced on accounts.
  • Feature (high): SCIM-batch migration framework added for entry management.
  • Feature (high): Add LDAP homeDirectory virtualAttribute for RFC2307Bis Clients.
  • Feature (high): Support OIDC for service-accounts with RFC8693 Token Exchange.
  • Feature (low): CSS can be overridden by providing an `override.css` file.
  • Feature (low): Service Account tokens support a short-format for applications with limited credential length.
  • Feature (low): Allow overrides of CSS via a default file that can be overridden.
  • Feature (low): Service desk can change account validity windows.
  • Feature (low): Add home directory strategy framework.
  • Performance (high): Improve support for concurrent PAM sessions.
  • Performance (low): Support for RADIUS certificates with subjectAltName-DN type to identify users.
  • Bugfix (high): Invalid password formats can be skipped during migration imports.
  • Bugfix (high): Resolve IPA/LDAP sync issue with TLS providers not correctly installed.
  • Bugfix (high): Prevent server startup crash when a low log level is forced by the administrator.
  • Bugfix (high): Resolve infinite loop in command line authentication process.
  • Refactor (high): Kanidmd now includes a JSON scripting CLI, replacing the `--output json` option.
  • Refactor (low): Kanidmd command line scripting interface added.

Full changelog

2026-05-14 - Kanidm 1.9.4 Patch (Security: CRITICAL)

This update resolves 1 security issue which allows privilege escalation to be performed by any authenticated user. We have no evidence that this is in active exploitation.

  • Security - Critical: Any authenticated user is able to modify the attributes of any entry they have read permissions over. This is due to a logic flaw in modification access control application. Since all authenticated users are able to read all groups and group members, any authenticated user is able to add themselves to any privileged group, resulting in complete compromise of the server's security boundaries.

Thanks to @kmq for the initial security report, and the Kanidm team for identifying the extended risk posed from the initial report.

2026-04-30 - Kanidm 1.9.3 Patch (Security: HIGH)

This update resolves 6 security issues, 2 of which allow unauthenticated remote Denial of Service. We have no evidence that these are in active exploitation or that user privacy or data was compromised.

  • Security - High: SCIM Filters did not contain a bound on their parsing depth, allowing stack exhaustion to occur, leading to Denial of Service by an unauthenticated user (@mbarbero)
  • Security - Moderate: PNG Image validation did not correctly handle short images, allowing a panic to occur in a worker thread. This may lead to system instability over time (@mbarbero)
  • Security - Low: HTML injection via user DisplayName in Passkey enrolment dialogs. This allows an admin to execute JS in the context of a user's browser. Since the admin can already reset the user's credentials, the impact of this is minimal. (@mbarbero)
  • Security - Low: non-constant time comparison of OAuth2 client secret may allow a remote attacker to remotely recover the bytes of the secret. Due to the length of the secret (48 chars) this is practically infeasible. (@mbarbero)
  • Security - Low: incorrect handling of origin validation in Webauthn-RS allowed a malicious domain to collide with a valid one (badexample.com would match with example.com). This is mitigated by browsers detecting the forgery and preventing the authentication from proceeding. (@dorakemon)
  • Security - High: LDAP Filters did not contain a bound on their parsing depth, allowing stack exhaustion to occur, leading to Denial of Service by an unauthenticated user (@firstyear due to @mbarbero's report on SCIM)

Thanks to @mbarbero and @dorakemon for their work in finding and reporting these issues, and the Kanidm team for triage, code review, and their ongoing support.
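The two High items above share one root cause: a recursive filter parser with no limit on nesting depth, so an unauthenticated client can drive the worker's stack to exhaustion with a deeply nested filter. The following is an added example, not Kanidm's own parser, showing the shape of the fix on a toy LDAP-style filter grammar in Rust: the depth is checked before every recursive descent, so an over-nested filter is rejected at `MAX_DEPTH + 1` instead of recursing further. `MAX_DEPTH`, the grammar subset and the absence of escape handling are assumptions of this example.

```rust
// Added example (not Kanidm's parser): a toy LDAP-style filter parser that
// enforces a nesting-depth bound, the class of fix the 1.9.3 notes describe
// for SCIM and LDAP filters. Grammar subset (no escapes, assumed):
//   filter := '(' ( '&' filter+ | '|' filter+ | '!' filter | attr '=' value ) ')'
pub const MAX_DEPTH: usize = 8; // assumed bound; tune per deployment

#[derive(Debug, PartialEq)]
pub enum Filter { And(Vec<Filter>), Or(Vec<Filter>), Not(Box<Filter>), Eq(String, String) }
#[derive(Debug, PartialEq)]
pub enum ParseError { TooDeep, Malformed }

pub fn parse_filter(input: &str) -> Result<Filter, ParseError> {
    let b = input.as_bytes();
    let mut pos = 0;
    let f = parse_inner(b, &mut pos, 0)?;
    // Trailing bytes after the outermost ')' are rejected as well.
    if pos != b.len() { return Err(ParseError::Malformed); }
    Ok(f)
}

fn parse_inner(b: &[u8], pos: &mut usize, depth: usize) -> Result<Filter, ParseError> {
    // Check the bound *before* descending: a hostile "(!(!(!(!(...))))" chain
    // fails fast at depth MAX_DEPTH+1 instead of exhausting the worker's stack.
    if depth > MAX_DEPTH { return Err(ParseError::TooDeep); }
    if b.get(*pos) != Some(&b'(') { return Err(ParseError::Malformed); }
    *pos += 1;
    let f = match b.get(*pos) {
        Some(b'&') | Some(b'|') => {
            let op = b[*pos];
            *pos += 1;
            let mut items = Vec::new();
            while b.get(*pos) == Some(&b'(') { items.push(parse_inner(b, pos, depth + 1)?); }
            if items.is_empty() { return Err(ParseError::Malformed); }
            if op == b'&' { Filter::And(items) } else { Filter::Or(items) }
        }
        Some(b'!') => { *pos += 1; Filter::Not(Box::new(parse_inner(b, pos, depth + 1)?)) }
        _ => {
            // Leaf: "attr=value" up to the closing paren.
            let start = *pos;
            while *pos < b.len() && b[*pos] != b')' { *pos += 1; }
            let body = std::str::from_utf8(&b[start..*pos]).map_err(|_| ParseError::Malformed)?;
            let (a, v) = body.split_once('=').ok_or(ParseError::Malformed)?;
            Filter::Eq(a.to_string(), v.to_string())
        }
    };
    if b.get(*pos) != Some(&b')') { return Err(ParseError::Malformed); }
    *pos += 1;
    Ok(f)
}
```

A production parser would additionally cap total filter length and element count, since a wide (rather than deep) filter consumes heap instead of stack.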

2026-03-13 - Kanidm 1.9.2 Patch

  • Resolve incorrect handling of urlencoded client_ids in OAuth2
  • Resolve incorrect parsing of ldap filters in ldap migration tools
  • Remove thread local storage in nss_kanidm due to glibc limitations
  • Disable multithreading on RADIUS when debug is disabled

2026-02-24 - Kanidm 1.9.1 Patch

  • Warn users before leaving credential update page.
  • Improve constraints on migrations feature to prevent users manipulating some critical system entries.

2026-02-17 - Kanidm 1.9.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in future.

Before upgrading you should review our upgrade documentation.

1.9.0 Important Changes

  • An HJSON based entry migration framework has been introduced, allowing configuration management of database entries.
  • Upgrade/Downgrade constraints are now stricter to prevent mistakes during administrative tasks.
  • Service Accounts can issue OIDC/OAuth2 tokens using RFC8693 Token Exchange.
  • CSS can be set by overriding a default file (override.css).
  • Kanidmd now has a JSON scripting CLI, replacing the --output json CLI option.
  • Service Account tokens now support a short-format for applications that cannot process credentials greater than 128 characters.

1.9.0 Release Highlights

  • Python API is now generated from OpenAPI definitions.
  • Allow clearing of softlocks that are enforced on accounts.
  • Add a scim-batch migration framework to allow entry management.
  • Improvements to upgrade/downgrade testing and constraints.
  • Add the ability to backup via stdout.
  • Remove the mozilla webauthn authenticator backend.
  • Add a truncated service account token format.
  • Raise the maximum number of default queryable attributes in LDAP to support SSSD.
  • Add support for RADIUS certificates to identify a user with the subjectAltName-DN type.
  • Add a kanidmd command line scripting interface.
  • Harden against errors when libnss_kanidm.so is used by a forking process.
  • Allow overrides of CSS via a default file that can be overridden.
  • Add an LDAP homeDirectory virtualAttribute for some RFC2307Bis Clients.
  • Invalid password formats can be skipped during migration imports.
  • Allow service desk to change account validity windows.
  • Resolve an issue with ipa/ldap sync not correctly installing TLS providers.
  • Prevent a server startup crash when the administrator forced a low log level.
  • Support OIDC for service-accounts with RFC8693 Token Exchange.
  • Resolve incorrect CSP headers in some OAuth2 situations.
  • Improve support for concurrent pam sessions.
  • Add a home directory strategy framework.
  • Resolve an infinite loop in the command line authentication process.
  • Ignore CredentialTypeMinimum during migrations to prevent potential AccountPolicy downgrades.
  • Allow disabling the OAuth2 Consent Prompt for some applications.
  • Improve debugging of IP address logging configuration.
  • Force synchronisation of token privilege lifetime to be bound by token life.
  • Add the Kanidm Project Anthem. #3987
  • Resolve a bug where upgrade version constraints were not correctly enforced.
  • Improved environment variable parsing for server configuration.
  • Improve upgrade documentation.
  • Reduce proto crate dependencies.
  • Attribute Uniqueness conflicts now yield HTTP::BAD_REQUEST.
  • Improve diagnostics for invalid OAuth2 Client configurations.
  • Home user directory symlinks are now conditionally updated.
  • Improve UID/GID overlap messages to help administrators resolve issues during IAM migration.

Security Fixes

  • Critical vulnerability: any authenticated user can modify attributes of entries they have read permission over, enabling them to add themselves to privileged groups and achieve complete compromise (no CVE identifier is stated in the release notes).


About kanidm

Kanidm: A simple, secure, and fast identity management platform
