Release history

kanidm releases

Kanidm: A simple, secure, and fast identity management platform

v1.10.3 Security relevant
Auth RBAC

Privilege escalation fix

v1.10.2 Security relevant
Auth RBAC

Privilege escalation

v1.9.4 Security relevant
Auth RBAC

Privilege escalation

v1.10.1 Breaking risk
⚠ Upgrade required
  • Review the upgrade documentation for the steps required now that the OpenSSL dependency has been removed.
  • If using Kanidm-unixd, consider switching from symlinks to bind mounts for home mapping.
  • Enable account recovery feature via configuration if desired; it requires email sending capability.
Breaking changes
  • OpenSSL is no longer required; all cryptographic paths now use RustCrypto or Rustls (aws-lc-rs).
Security fixes
  • SCIM Filters parsing depth unbounded – fixed high severity Denial of Service (unauthenticated).
  • LDAP Filters parsing depth unbounded – fixed high severity Denial of Service (unauthenticated).
  • PNG Image validation handling short images – fixed moderate severity worker thread panic.
Notable features
  • Account recovery feature allowing users to reset credentials via email and admin‑triggered emails.
  • Kanidm-unixd supports bind mounts as an alternative home mapping strategy.
Full changelog

2026-05-07 - Kanidm 1.10.1 - Patch

  • Resolve an incorrect javascript encoding of some fields that prevents new Webauthn enrolments from completing
  • Correct incorrect text in TOTP CLI credential updates

2026-05-01 - Kanidm 1.10.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our
community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in
future.

Before upgrading you should review our upgrade documentation.

1.10.0 Important Changes

  • OpenSSL is no longer required as a dependency. All cryptographic paths have been replaced by RustCrypto or Rustls using aws-lc-rs.
  • Kanidm-unixd now supports bind mounts as an alternative to symlinks for home mapping.
  • Account recovery can be enabled as a feature allowing a user to prove knowledge of their own email, and then have a credential reset email sent to them.
    • Administrators can also trigger account recovery emails to be sent to users.

1.10.0 Release Highlights

  • Security - High: SCIM Filters did not contain a bound on their parsing depth allowing stack exhaustion to occur leading to Denial of Service by an unauthenticated user
  • Security - High: LDAP Filters did not contain a bound on their parsing depth allowing stack exhaustion to occur leading to Denial of Service by an unauthenticated user
  • Security - Moderate: PNG Image validation did not correctly handle short images allowing a panic to occur in a worker thread. This may lead to system instability over time
  • Security - Low: HTML injection via user DisplayName in Passkey enrolment dialogs. This allows an admin to execute JS in the context of a user's browser. Since the admin can already reset the user's credentials, the impact of this is minimal.
  • Security - Low: non-constant time comparison of the OAuth2 client secret may allow a remote attacker to recover the bytes of the secret. Due to the length of the secret (48 chars) this is practically infeasible.
  • Security - Low: incorrect handling of origin validation in Webauthn-RS allowed a malicious domain to collide with a valid one (badexample.com would match with example.com). This is mitigated by browsers detecting the forgery and preventing the authentication from proceeding.
  • 20260331 send account recovery emails (#4259)
  • Invert incorrect thread count logic (#4294)
  • Allow modification of OAuth2 Refresh Expiry (#4276)
  • Introspection token auth metadata (#4230)
  • Correctly handle deleted accounts during page visits (#4275)
  • don't fail auth when passed ui_locales (#4288)
  • Feat: Add OIDC Prompt Support (#4224)
  • Handle multivalue URLs in SCIM (#4271)
  • Correctly encode ssh tag values (#4272)
  • Add .well-known/passkey-endpoints (#4255)
  • show repl cert metadata and also handle socket timeouts (#4252)
  • add dependency data to released containers (#4239)
  • cli: allow clearing person's legalname attribute (#4228)
  • OpenSSL shall be vanquished (#4219)
  • add nsswitch config check to unixd (#4210)
  • Added PasswordChangedTime attribute and database field (#3999)
  • Improve FreeBSD building, fully drop ring as a dependency.
  • credential reset emails (authenticated only) (#4151)
  • feat: bind mount home strategy (#3997)
  • Don't revert admin changes in some groups during migration (#4176)
  • Alert on unsaved changes (#4155)
  • Warn about systemd-userdb (#4147)
  • Dont token introspection relies on token validity rather than basic auth (#4142)
  • Feature OIDC updated at (#4007)
  • Bye bye lazy static (#4134)
  • Allow LDAP CA verification to be disabled in sync (#4133)
v1.10.0 Breaking risk
⚠ Upgrade required
  • Review the upgrade documentation before upgrading Kanidm.
  • Kanidm‑unixd now supports bind mounts for home mapping as an alternative to symlinks.
Breaking changes
  • OpenSSL is no longer a dependency; all cryptographic paths now use RustCrypto or Rustls with aws-lc-rs.
Security fixes
  • SCIM Filters: fixed unbounded parsing depth causing stack exhaustion DoS (unauthenticated) – High severity, CVE not listed
  • LDAP Filters: fixed unbounded parsing depth causing stack exhaustion DoS (unauthenticated) – High severity, CVE not listed
  • PNG Image validation: corrected handling of short images to prevent worker thread panic – Moderate severity, CVE not listed
Notable features
  • Account recovery feature allowing users to reset credentials via email
  • Bind mount home mapping strategy as alternative to symlinks
  • OIDC prompt support added
v1.9.3 Security relevant
Security fixes
  • SCIM Filters stack exhaustion DoS by unauthenticated users
  • LDAP Filters stack exhaustion DoS by unauthenticated users
  • PNG Image validation panic in worker thread
Full changelog

2026-04-30 - Kanidm 1.9.3 Patch (Security: HIGH)

This update resolves 6 security issues, 2 of which allow unauthenticated remote Denial of Service. We have no evidence that these are in active exploitation or that user privacy or data was compromised.

  • Security - High: SCIM Filters did not contain a bound on their parsing depth allowing stack exhaustion to occur leading to Denial of Service by an unauthenticated user (@mbarbero)
  • Security - Moderate: PNG Image validation did not correctly handle short images allowing a panic to occur in a worker thread. This may lead to system instability over time (@mbarbero)
  • Security - Low: HTML injection via user DisplayName in Passkey enrolment dialogs. This allows an admin to execute JS in the context of a user's browser. Since the admin can already reset the user's credentials, the impact of this is minimal. (@mbarbero)
  • Security - Low: non-constant time comparison of the OAuth2 client secret may allow a remote attacker to recover the bytes of the secret. Due to the length of the secret (48 chars) this is practically infeasible. (@mbarbero)
  • Security - Low: incorrect handling of origin validation in Webauthn-RS allowed a malicious domain to collide with a valid one (badexample.com would match with example.com). This is mitigated by browsers detecting the forgery and preventing the authentication from proceeding. (@dorakemon)
  • Security - High: LDAP Filters did not contain a bound on their parsing depth allowing stack exhaustion to occur leading to Denial of Service by an unauthenticated user (@firstyear due to @mbarbero's report on SCIM)

Thanks to @mbarbero and @dorakemon for their work in finding and reporting these issues, and the Kanidm team for triage, code review, and their ongoing support.
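Both the 1.10.0 highlights and the 1.9.3 advisory above describe the two High findings as filter parsers with no bound on nesting depth, so a deeply nested `(&(&(&...` filter from an unauthenticated client could exhaust the stack. The following is an added example, not Kanidm's or Webauthn-RS's own code: a minimal LDAP-style filter parser (simplified grammar assumed: `(&...)`, `(|...)`, `(!...)`, `(attr=value)`) that carries a depth counter through the recursion and rejects input past an assumed `MAX_DEPTH` before it can recurse further.

```rust
// Added example (not Kanidm's code): recursive-descent parser for a simplified
// LDAP filter grammar with an explicit nesting bound instead of unbounded recursion.
#[derive(Debug, PartialEq)]
pub enum Filter {
    And(Vec<Filter>),
    Or(Vec<Filter>),
    Not(Box<Filter>),
    Eq(String, String),
}

pub const MAX_DEPTH: usize = 16; // assumed bound; tune per deployment

fn parse_at(s: &[u8], pos: &mut usize, depth: usize) -> Result<Filter, String> {
    // The guard runs before any further recursion, so hostile input costs
    // at most MAX_DEPTH stack frames regardless of its length.
    if depth > MAX_DEPTH {
        return Err(format!("filter nesting exceeds {}", MAX_DEPTH));
    }
    if s.get(*pos) != Some(&b'(') { return Err("expected '('".into()); }
    *pos += 1;
    let f = match s.get(*pos) {
        Some(b'&') | Some(b'|') => {
            let op = s[*pos]; *pos += 1;
            let mut items = Vec::new();
            while s.get(*pos) == Some(&b'(') {
                items.push(parse_at(s, pos, depth + 1)?);
            }
            if op == b'&' { Filter::And(items) } else { Filter::Or(items) }
        }
        Some(b'!') => { *pos += 1; Filter::Not(Box::new(parse_at(s, pos, depth + 1)?)) }
        _ => {
            // Leaf: attr=value up to the closing parenthesis.
            let start = *pos;
            while *pos < s.len() && s[*pos] != b')' { *pos += 1; }
            let body = std::str::from_utf8(&s[start..*pos]).map_err(|e| e.to_string())?;
            let (a, v) = body.split_once('=').ok_or("expected attr=value")?;
            Filter::Eq(a.to_string(), v.to_string())
        }
    };
    if s.get(*pos) != Some(&b')') { return Err("expected ')'".into()); }
    *pos += 1;
    Ok(f)
}

pub fn parse_filter(input: &str) -> Result<Filter, String> {
    let bytes = input.as_bytes();
    let mut pos = 0;
    let f = parse_at(bytes, &mut pos, 0)?;
    if pos != bytes.len() { return Err("trailing data".into()); }
    Ok(f)
}
```

Feeding `"(&".repeat(100_000)` (a constructed hostile input) returns an `Err` after 17 frames instead of overflowing the stack; the bound applies before authentication, which is the relevant property for an unauthenticated DoS.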

2026-03-13 - Kanidm 1.9.2 Patch

  • Resolve incorrect handling of urlencoded client_ids in OAuth2
  • Resolve incorrect parsing of ldap filters in ldap migration tools
  • Remove thread local storage in nss_kanidm due to glibc limitations
  • Disable multithreading on RADIUS when debug is disabled

2026-02-24 - Kanidm 1.9.1 Patch

  • Warn users before leaving credential update page.
  • Improve constraints on migrations feature to prevent users manipulating some critical system entries.

2026-02-17 - Kanidm 1.9.0

This is the latest stable release of the Kanidm Identity Management project. Every release is the combined effort of our
community and we appreciate their invaluable contributions, comments, questions, feedback and support.

You should review our support documentation as this may have important effects on your distribution or upgrades in
future.

Before upgrading you should review our upgrade documentation

1.9.0 Important Changes

  • An HJSON based entry migration framework has been introduced, allowing configuration management of database entries.
  • Upgrade/Downgrade constraints are now stricter to prevent mistakes during administrative tasks.
  • Service Accounts can issue OIDC/OAuth2 token using RFC8693 Token Exchange.
  • CSS can be set by overriding a default file (override.css).
  • Kanidmd now has a JSON scripting CLI, replacing the --output json CLI option.
  • Service Account tokens now support a short-format for applications that can not process credentials greater than 128 characters.

1.9.0 Release Highlights

  • Python API is now generated from OpenAPI definitions.
  • Allow clearing of softlocks that are enforced on accounts.
  • Add a scim-batch migration framework to allow entry management.
  • Improvements to upgrade/downgrade testing and constraints.
  • Add the ability to backup via stdout.
  • Remove the mozilla webauthn authenticator backend.
  • Add a truncated service account token format.
  • Raise the maximum number of default queryable attributes in LDAP to support SSSD.
  • Add support for RADIUS certificates to identify a user with the subjectAltName-DN type.
  • Add a kanidmd command line scripting interface.
  • Harden against errors when libnss_kanidm.so is used by a forking process.
  • Allow overrides of CSS via a default file that can be overridden.
  • Add an LDAP homeDirectory virtualAttribute for some RFC2307Bis Clients.
  • Invalid password formats can be skipped during migration imports.
  • Allow service desk to change account validity windows.
  • Resolve an issue with ipa/ldap sync not correctly installing TLS providers.
  • Prevent a server startup crash when the administrator forced a low log level.
  • Support OIDC for service-accounts with RFC8693 Token Exchange.
  • Resolve incorrect CSP headers in some OAuth2 situations.
  • Improve support for concurrent pam sessions.
  • Add a home directory strategy framework.
  • Resolve an infinite loop in the command line authentication process.
  • Ignore CredentialTypeMinimum during migrations to prevent potential AccountPolicy downgrades.
  • Allow disabling the OAuth2 Consent Prompt for some applications.
  • Improve debugging of IP address logging configuration.
  • Force synchronisation of token privilege lifetime to be bound by token life.
  • Add the Kanidm Project Anthem. #3987
  • Resolve a bug where upgrade version constraints were not correctly enforced.
  • Improved environment variable parsing for server configuration.
  • Improve upgrade documentation.
  • Reduce proto crate dependencies.
  • Attribute Uniqueness conflicts now yield HTTP::BAD_REQUEST
  • Improve diagnostics for invalid OAuth2 Client configurations.
  • Home user directory symlinks are now conditionally updated.
  • Improve UID/GID overlap messages to help administrators resolve issues during IAM migration.
v1.9.2 Bug fix

Patch fixes for OAuth2 client ID URL encoding, LDAP filter parsing in migration tools, nss_kanidm thread local storage removal, and RADIUS multithreading in debug mode.

v1.9.1 Bug fix

Patch release adding user warning before leaving credential update page and improving constraints on migrations feature to prevent manipulation of critical system entries.

v1.9.0 New feature
Notable features
  • HJSON entry migration framework
  • RFC8693 Token Exchange for service accounts
  • JSON scripting CLI
v1.8.6 Bug fix

Patch release addressing critical server crash from cache sizing issue and updating crypto dependencies for build compatibility.