Release 2026.2.0-rc1

See https://next.goauthentik.io/docs/releases/2026.2

What's Changed

• admin: system api: fix FIPS status schema by @rissson in #10110
• website/docs: Specify Synology DSM Account type to use by @jannickfahlbusch in #10111
• web: bump API Client version by @authentik-automation[bot] in #10113
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10109
• website/docs: add more info about multiple replicas by @tanberry in #10117
• policies/reputation: fix existing reputation update by @rissson in #10124
• stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs by @authentik-automation[bot] in #10119
• translate: Updates for file web/xliff/en.xlf in zh_CN by @transifex-integration[bot] in #10120
• translate: Updates for file web/xliff/en.xlf in zh-Hans by @transifex-integration[bot] in #10121
• core, web: update translations by @authentik-automation[bot] in #10118
• core: bump goauthentik.io/api/v3 from 3.2024042.11 to 3.2024042.13 by @dependabot[bot] in #10134
• core: bump ruff from 0.4.8 to 0.4.9 by @dependabot[bot] in #10128
• core, web: update translations by @authentik-automation[bot] in #10127
• core: bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot[bot] in #10133
• web: bump chromedriver from 126.0.0 to 126.0.1 in /tests/wdio by @dependabot[bot] in #10136
• core: bump github.com/gorilla/sessions from 1.2.2 to 1.3.0 by @dependabot[bot] in #10135
• web: bump @patternfly/elements from 3.0.1 to 3.0.2 in /web by @dependabot[bot] in #10132
• website: bump react-tooltip from 5.26.4 to 5.27.0 in /website by @dependabot[bot] in #10129
• web: fix early modal stack depletion by @kensternberg-authentik in #10068
• website/integations/services: Slack integration docs by @tanberry in #9933
• core: include version in built JS files by @BeryJu in #9558
• web: fix needed because recent upgrade to task breaks spinner button by @kensternberg-authentik in #10142
• web: bump ws from 8.16.0 to 8.17.1 in /web by @dependabot[bot] in #10149
• web: bump the storybook group in /web with 7 updates by @dependabot[bot] in #10147
• ci: bump docker/build-push-action from 5 to 6 by @dependabot[bot] in #10144
• core: bump urllib3 from 2.2.1 to 2.2.2 by @dependabot[bot] in #10143
• root: use custom model serializer that saves m2m without bulk by @BeryJu in #10139
• root: makefile: add codespell to make website by @rissson in #10116
• web: fix docker build for non-release versions by @rissson in #10154
• website/integrations: gitlab: better service description by @dominic-r in #9923
• website/docs: Describe where to apply the auto setup env vars by @m1212e in #9863
• website/integrations: jellyfin: add OIDC configuration by @Redlonghead in #9538
• web: bump the wdio group in /tests/wdio with 4 updates by @dependabot[bot] in #10160
• web: bump chromedriver from 126.0.1 to 126.0.2 in /tests/wdio by @dependabot[bot] in #10161
• core: bump twilio from 9.1.1 to 9.2.0 by @dependabot[bot] in #10162
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10167
• website/docs: 2024.6 release notes: add note about group names by @rissson in #10170
• core: fix error when raising SkipObject in mapping by @BeryJu in #10153
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10174
• website/docs: update template reference by @emmanuel-ferdman in #10166
• web: bump @sentry/browser from 8.9.2 to 8.10.0 in /web in the sentry group by @dependabot[bot] in #10185
• core: bump google-api-python-client from 2.133.0 to 2.134.0 by @dependabot[bot] in #10183
• web: bump glob from 10.4.1 to 10.4.2 in /web by @dependabot[bot] in #10163
• core: rework base for SkipObject exception to better support control flow exceptions by @BeryJu in #10186
• website/docs: Remove hyphen in read replica in Release Notes by @tanberry in #10178
• website/docs: Fix nginx proxy_pass directive documentation by @fotinakis in #10181
• core: bump selenium from 4.21.0 to 4.22.0 by @dependabot[bot] in #10194
• core: bump ruff from 0.4.9 to 0.4.10 by @dependabot[bot] in #10193
• web: bump typescript from 5.4.5 to 5.5.2 in /tests/wdio by @dependabot[bot] in #10192
• web: bump typescript from 5.4.5 to 5.5.2 in /web by @dependabot[bot] in #10191
• website: bump typescript from 5.4.5 to 5.5.2 in /website by @dependabot[bot] in #10190
• web: bump @sentry/browser from 8.10.0 to 8.11.0 in /web in the sentry group by @dependabot[bot] in #10204
• web: bump chromedriver from 126.0.2 to 126.0.3 in /tests/wdio by @dependabot[bot] in #10203
• core: bump twilio from 9.2.0 to 9.2.1 by @dependabot[bot] in #10202
• core: bump coverage from 7.5.3 to 7.5.4 by @dependabot[bot] in #10201
• web/flows: update flow background by @BeryJu in #10206
• website/docs: fix #9552 openssl rand base64 line wrap by @jogerj in #10211
• website/integrations: fix typo in documentation for OIDC setup with Paperless-ngx by @rwh85 in #10218
• security: fix CVE-2024-38371 by @BeryJu in #10229
• security: fix CVE-2024-37905 by @BeryJu in #10230
• core: bump debugpy from 1.8.1 to 1.8.2 by @dependabot[bot] in #10225
• web: bump @sentry/browser from 8.11.0 to 8.12.0 in /web in the sentry group by @dependabot[bot] in #10226
• core: bump webauthn from 2.1.0 to 2.2.0 by @dependabot[bot] in #10224
• web: bump chromedriver from 126.0.3 to 126.0.4 in /tests/wdio by @dependabot[bot] in #10223
• core: bump pdoc from 14.5.0 to 14.5.1 by @dependabot[bot] in #10221
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10228
• website/docs: update 2024.2 release notes with security fixes by @rissson in #10232
• website/docs: update 2024.4 release notes with latest changes by @rissson in #10231
• website/docs: update 2024.6 release notes with latest changes (cherry-pick #10228) by @gcp-cherry-pick-bot[bot] in #10243
• website/docs: remove RC disclaimer from 2024.6 release notes by @rissson in #10245
• website/docs: remove RC disclaimer from 2024.6 release notes (cherry-pick #10245) by @gcp-cherry-pick-bot[bot] in #10246
• security: update supported versions by @rissson in #10247
• security: update supported versions (cherry-pick #10247) by @gcp-cherry-pick-bot[bot] in #10248
• website/docs: update geoip and asn example to use the proper syntax by @rissson in #10249
• website/docs: update the Welcome page by @tanberry in #10222
• website/docs: update geoip and asn example to use the proper syntax (cherry-pick #10249) by @gcp-cherry-pick-bot[bot] in #10250
• web: bump API Client versio...

Release 2025.12.3

See https://docs.goauthentik.io/docs/releases/2025.12#fixed-in-2025123

What's Changed

• 2025.12: Revert bulk revoke added by accident in release branch by @dominic-r in #19870
• web/admin: fix toggle-group for bindings now showing up (cherry-pick #19820 to version-2025.12) by @authentik-automation[bot] in #19895
• website/docs: Remove stale 2024 version directives (cherry-pick #19888 to version-2025.12) by @authentik-automation[bot] in #19899
• web: fix Brand CSS not applied to nested Shadow DOM components (cherry-pick #19892 to version-2025.12) by @authentik-automation[bot] in #19900
• ci: always generate API clients (#19906) by @BeryJu in #19932
• lifecycle/ak: make sure /data has the correct permissions (cherry-pick #19935 to version-2025.12) by @authentik-automation[bot] in #19940
• lifecycle/aws: add /data volume (cherry-pick #19936 to version-2025.12) by @authentik-automation[bot] in #19938
• website/docs: Update location of media storage and outdated references (cherry-pick #19885 to version-2025.12) by @authentik-automation[bot] in #19937
• core: fix non-expiring service accounts and app passwords (cherry-pick #19913 to version-2025.12) by @authentik-automation[bot] in #19941

Full Changelog: version/2025.12.2...version/2025.12.3

Release 2025.12.2

See https://docs.goauthentik.io/docs/releases/2025.12#fixed-in-2025122

What's Changed

• website/docs: release notes: Update release notes for version 2025.12.1 (cherry-pick #19502 to version-2025.12) by @authentik-automation[bot] in #19503
• sources/kerberos: update to new python-kadmin-rs (cherry-pick #19491 to version-2025.12) by @authentik-automation[bot] in #19523
• tests/e2e: Add delay and serialized rollback to saml e2e test (cherry-pick #18840 to version-2025.12) by @authentik-automation[bot] in #19532
• website/docs: endpoint devices: update device code flow instructions (cherry-pick #19528 to version-2025.12) by @authentik-automation[bot] in #19534
• admin/files: fix manageable check blocking file creation on fresh installs (cherry-pick #19547 to version-2025.12) by @authentik-automation[bot] in #19553
• admin/files: fix duplicate bucket name in presigned URLs with custom domain (cherry-pick #19537 to version-2025.12) by @authentik-automation[bot] in #19575
• core: Update supported versions in SECURITY.md (cherry-pick #19385 to version-2025.12) by @authentik-automation[bot] in #19578
• website/docs: add s3 perms (cherry-pick #19579 to version-2025.12) by @authentik-automation[bot] in #19581
• web: update @goauthentik/api (cherry-pick #19542 to version-2025.12) by @authentik-automation[bot] in #19589
• web/forms: fix invalid date error for empty datetime-local inputs (cherry-pick #19561 to version-2025.12) by @authentik-automation[bot] in #19582
• endpoints: fix endpoints stage marked as enterprise (cherry-pick #19607 to version-2025.12) by @authentik-automation[bot] in #19610
• policies: fix Providers authentication_flow not used when set (cherry-pick #19609 to version-2025.12) by @authentik-automation[bot] in #19615
• providers/saml: fix structure of encrypted saml assertion (cherry-pick #19592 to version-2025.12) by @authentik-automation[bot] in #19613
• providers/saml: allow encryption certificates without private keys (cherry-pick #19526 to version-2025.12) by @authentik-automation[bot] in #19612
• sources/saml: Fix signature verification order to accommodate encrypted assertions (cherry-pick #19593 to version-2025.12) by @authentik-automation[bot] in #19614
• tests: improve e2e/integration test reliability (cherry-pick #19540 to version-2025.12) by @authentik-automation[bot] in #19611
• lib/sync/outgoing: handle deletions even if object does not exist in database (cherry-pick #18968 to version-2025.12) by @authentik-automation[bot] in #19617
• website/docs: endpoints devices: typo fix (cherry-pick #19621 to version-2025.12) by @authentik-automation[bot] in #19622
• web/user: fix Firefox for Android infinite render loop in user library (cherry-pick #19379 to version-2025.12) by @authentik-automation[bot] in #19626
• web/maintenance: fix missing custom web component imports (cherry-pick #18942 to version-2025.12) by @authentik-automation[bot] in #19636
• website/docs: Update saml google workspace guide (cherry-pick #19624 to version-2025.12) by @authentik-automation[bot] in #19642
• website/docs: update endpoint agent windows log location (cherry-pick #19645 to version-2025.12) by @authentik-automation[bot] in #19646
• web/a11y: Locale selector select styles, contrast. (cherry-pick #19634 to version-2025.12) by @authentik-automation[bot] in #19651
• website/docs: update LDAP search permission instructions (cherry-pick #19676 to version-2025.12) by @authentik-automation[bot] in #19678
• web/maintenance: no unknown tag names (cherry-pick #18944 to version-2025.12) by @authentik-automation[bot] in #19637
• providers/oauth2: add logout+jwt token type for oidc logout token. (cherry-pick #19554 to version-2025.12) by @authentik-automation[bot] in #19675
• web/maintenance: no missing element type definitions (cherry-pick #18950 to version-2025.12) by @authentik-automation[bot] in #19638
• web/maintenance/no unknown attributes (part 1) (cherry-pick #18970 to version-2025.12) by @authentik-automation[bot] in #19639
• sources/saml: Set AuthnRequest ProtocolBinding to HTTP-POST instead of HTTP-Redirect (cherry-pick #17378 to version-2025.12) by @authentik-automation[bot] in #19649
• web/forms: fix forms not resetting state when modal closes (cherry-pick #19562 to version-2025.12) by @authentik-automation[bot] in #19635
• web/admin: fix brand form sending "undefined" string for blank default application (cherry-pick #19658 to version-2025.12) by @authentik-automation[bot] in #19682
• internal: fix incorrect metric calculation (cherry-pick #19701 to version-2025.12) by @authentik-automation[bot] in #19703
• sources/oauth: add fallback for id_token when profile URL is not available (cherry-pick #19311 to version-2025.12) by @authentik-automation[bot] in #19704
• core: return bad request when user is authenticated and not active (cherry-pick #19706 to version-2025.12) by @authentik-automation[bot] in #19710
• web/admin: fix impersonation form requesting data without being opened (cherry-pick #19673 to version-2025.12) by @authentik-automation[bot] in #19712
• web/sfe: downgrade bootstrap, add access denied test (cherry-pick #19763 to version-2025.12) by @authentik-automation[bot] in #19765
• root: update client-go generation (cherry-pick #19762 to version-2025.12) by @authentik-automation[bot] in #19791
• web/elements: reduce spacing between collapsible form groups (cherry-pick #19627 to version-2025.12) by @authentik-automation[bot] in #19640
• web/elements: stabilize dual-select status height (cherry-pick #19734 to version-2025.12) by @authentik-automation[bot] in #19776
• website/docs: fix Transifex link in translation guide (cherry-pick #19735 to version-2025.12) by @authentik-automation[bot] in #19771
• website/docs: endpoint devices: fix local device login (cherry-pick #19698 to version-2025.12) by @authentik-automation[bot] in #19790
• website/docs: Fix authenticator sms docs (cherry-pick #19797 to version-2025.12) by @authentik-automation[bot] in #19816
• providers/scim: fix email validation mismatch (cherry-pick #19848 to version-2025.12) by @authentik-automation[bot] in #19853
• sources/saml: properly catch InvalidSignature exception (cherry-pick #19641 to version-2025.12) by @authentik-automation[bot] in #19650
• sources/oauth: Fix an issue where wechat may crash duing login. (cherry-pick #18973 to version-2025.12) by @authentik-automation[bot] in #19854
• website/docs: add more info to entra id scim doc (cherry-pick #19849 to version-2025.12) by @authentik-automation[bot] in #19855
• website/docs: add tip for recovering from accidental main branch work (cherry-pick #19865 to version-2025.12) by @authentik-automation[bot] in #19866
• admin/files: add centralized theme variable support for file URLs (cherry-pick #19657 to version-2025.12) by @authentik-automation[bot] in #19793
• web/table: align row action icons and tooltip color (cherry-pick #19736 to version-2025.12) by @authentik-automation[bot] in #19773
• web/admin: fix file upload not preserving extension for custom names with dots (cherry-pick #19548 to version-2025.12) by @authentik-automation[bot] in #19685
• web/admin: fix captcha stage provider selector not showing saved value (cherry-pick #19555 to version-2025.12) by @authentik-automation[bot] in #19656
• web: Session UI Config Lifecycle (cherry-pick #19788 to version-2025.12) by @authentik-automation[bot] in #19821
• website/docs: endpoint devices: add version command (cherry-pick #19767 to version-2025.12) by @authentik-automation[bot] in #19877
• web: Enforce challenge nullish ty...

Release 2025.12.1

See https://docs.goauthentik.io/docs/releases/2025.12#fixed-in-2025121

What's Changed

• website/docs: remove "beta" tag from 2025.12 (cherry-pick #19404 to version-2025.12) by @authentik-automation[bot] in #19407
• outposts/ldap: fix build by @BeryJu in #19403
• website/docs: add import to discord policy (cherry-pick #19397 to version-2025.12) by @authentik-automation[bot] in #19406
• website/docs: mention dynamic overrides in redirect stage documentation (cherry-pick #19368 to version-2025.12) by @authentik-automation[bot] in #19402
• website/docs: update gws provider docs (cherry-pick #18286 to version-2025.12) by @authentik-automation[bot] in #19400
• web/startup: deprecated theme names break theming (cherry-pick #19431 to version-2025.12) by @authentik-automation[bot] in #19433
• ci: fix checkout stable (for 2025.12) (#19448) by @BeryJu in #19481
• providers/oauth2: allow property mappings to override scope claim in access tokens (cherry-pick #19226 to version-2025.12) by @authentik-automation[bot] in #19480
• core: bump aiohttp from 3.13.2 to v3.13.3 (cherry-pick #19257 to version-2025.12) by @authentik-automation[bot] in #19484
• endpoints/connectors/agent: Skip Endpoint stage on device IA & fix confusing identification subtext (cherry-pick #19482 to version-2025.12) by @authentik-automation[bot] in #19486
• website/docs: limiting permissions of AD service account (cherry-pick #19483 to version-2025.12) by @authentik-automation[bot] in #19489
• endpoints/connectors/agent: add tests for IA endpoint stage (cherry-pick #19487 to version-2025.12) by @authentik-automation[bot] in #19490
• web: Z-Index Fixes, Mobile Sidebar Behavior. (cherry-pick #19460 to version-2025.12) by @authentik-automation[bot] in #19492
• web/admin: fix switches (cherry-pick #19493 to version-2025.12) by @authentik-automation[bot] in #19496

Full Changelog: version/2025.12.0...version/2025.12.1

Release 2025.12.0

See https://docs.goauthentik.io/docs/releases/2025.12

What's Changed

• endpoints: include license status in agent config (cherry-pick #19227 to version-2025.12) by @authentik-automation[bot] in #19228
• website/docs: revisit endpoint docs the nth (cherry-pick #19116 to version-2025.12) by @authentik-automation[bot] in #19223
• website/glossary: improve (cherry-pick #18969 to version-2025.12) by @authentik-automation[bot] in #19238
• core: fix read replica routing during transactions (cherry-pick #19086 to version-2025.12) by @authentik-automation[bot] in #19241
• stages/authenticator_static: set max token length to 100 chars (cherry-pick #19162 to version-2025.12) by @authentik-automation[bot] in #19231
• website: Fix typos. (cherry-pick #19243 to version-2025.12) by @authentik-automation[bot] in #19248
• stages/prompt: optimize API endpoints (cherry-pick #19251 to version-2025.12) by @authentik-automation[bot] in #19254
• stages/password: replace session-based retries with reputation (cherry-pick #18643 to version-2025.12) by @authentik-automation[bot] in #19289
• web/admin: add banner to flow import form (cherry-pick #19288 to version-2025.12) by @authentik-automation[bot] in #19293
• core: bump urllib3 from 2.5.0 to v2.6.3 (cherry-pick #19287 to version-2025.12) by @authentik-automation[bot] in #19296
• core: bump django from v5.2.9 to 5.2.10 (cherry-pick #19290 to version-2025.12) by @authentik-automation[bot] in #19294
• website/docs: update entra id provider docs (cherry-pick #18366 to version-2025.12) by @authentik-automation[bot] in #19256
• website/docs: deprecate GCDT auth stage (cherry-pick #19306 to version-2025.12) by @authentik-automation[bot] in #19319
• website/docs: update m2m doc (cherry-pick #18963 to version-2025.12) by @authentik-automation[bot] in #19324
• website/docs: Fix documentation example for app_entitlements_attributes. (cherry-pick #19316 to version-2025.12) by @authentik-automation[bot] in #19326
• website/docs: add flow import warnings (cherry-pick #19307 to version-2025.12) by @authentik-automation[bot] in #19327
• website/docs: Fix typo in GitHub OAuth Source instructions (cherry-pick #18936 to version-2025.12) by @authentik-automation[bot] in #19322
• web: Fix flow inspector advancement event. (cherry-pick #19309 to version-2025.12) by @authentik-automation[bot] in #19310
• website/docs: update github social login script example (cherry-pick #19246 to version-2025.12) by @authentik-automation[bot] in #19250
• website/docs: update unique email policy (cherry-pick #19305 to version-2025.12) by @authentik-automation[bot] in #19339
• web: Images styles, theming (cherry-pick #19233 to version-2025.12) by @authentik-automation[bot] in #19342
• website/docs: update LDAP provider docs (cherry-pick #18272 to version-2025.12) by @authentik-automation[bot] in #19345
• packages/django-dramatiq-postgres: broker: empty message after task completed successfully (cherry-pick #19340 to version-2025.12) by @authentik-automation[bot] in #19356
• web/admin: always retrieve selected provider when editing the application (cherry-pick #19341 to version-2025.12) by @authentik-automation[bot] in #19370
• web/elements: hidden secrets not propagating (cherry-pick #19029 to version-2025.12) by @authentik-automation[bot] in #19377
• outpost/proxyv2: fix stale session cookie causing 400 error in createState (cherry-pick #19026 to version-2025.12) by @authentik-automation[bot] in #19375
• website/docs: update location for logs on windows (cherry-pick #19371 to version-2025.12) by @authentik-automation[bot] in #19373
• internal/outpost: improve PostgreSQL connection options parsing (cherry-pick #19118 to version-2025.12) by @authentik-automation[bot] in #19372
• web: Flow info, localization, back button. (cherry-pick #19234 to version-2025.12) by @authentik-automation[bot] in #19346
• stages/authenticator_validate: decrease reputation on failed MFA attempt (cherry-pick #19378 to version-2025.12) by @authentik-automation[bot] in #19381
• internal: rework liveness probe and proxy (cherry-pick #19312 to version-2025.12) by @authentik-automation[bot] in #19382
• web: UI Locale Fixes (cherry-pick #19235 to version-2025.12) by @authentik-automation[bot] in #19384

Full Changelog: version/2025.12.0-rc3...version/2025.12.0

Release 2025.12.0-rc3

See https://next.goauthentik.io/docs/releases/2025.12

What's Changed

• tests/e2e: handle StaleElementReferenceException in parse_json_content (cherry-pick #18842 to version-2025.12) by @authentik-automation[bot] in #18919
• packages/ak-guardian: cast safely (cherry-pick #18929 to version-2025.12) by @authentik-automation[bot] in #18931
• web/flow: Fix spurious double submit on ak-stage-autosubmit (cherry-pick #18727 to version-2025.12) by @authentik-automation[bot] in #18933
• stages/identification: replace sleep with make_password (cherry-pick #18883 to version-2025.12) by @authentik-automation[bot] in #18943
• website/docs: endpoint devices (cherry-pick #18634 to version-2025.12) by @authentik-automation[bot] in #18946
• website/docs: release notes: add endpoint device links to 2025.12 notes (cherry-pick #18940 to version-2025.12) by @authentik-automation[bot] in #18947
• web/elements: progress-bar and table loading header (cherry-pick #18934 to version-2025.12) by @authentik-automation[bot] in #18939
• website/docs: add note to active directory source doc (cherry-pick #18787 to version-2025.12) by @authentik-automation[bot] in #18966
• web/admin: add UI copy to RBAC modal (cherry-pick #18917 to version-2025.12) by @authentik-automation[bot] in #18962
• website/docs: Backport version picker updates. by @GirlBossRush in #18964
• web/admin: fix endpoints user binding (cherry-pick #18935 to version-2025.12) by @authentik-automation[bot] in #18952
• web/admin: fix dark theme on map (cherry-pick #18985 to version-2025.12) by @authentik-automation[bot] in #18987
• web/admin: Fix haveibeenpwned link in PasswordPolicyForm (cherry-pick #18984 to version-2025.12) by @authentik-automation[bot] in #18989
• enterprise/reports: improve export list, confirmation (cherry-pick #18981 to version-2025.12) by @authentik-automation[bot] in #19010
• website/docs: improve endpoint devices docs (cherry-pick #19007 to version-2025.12) by @authentik-automation[bot] in #19012
• enterprise/search: add static autocomplete structure (cherry-pick #19008 to version-2025.12) by @authentik-automation[bot] in #19011
• web: fix Open button selecting row instead of navigating (cherry-pick #18992 to version-2025.12) by @authentik-automation[bot] in #19003
• web/admin: prevent file upload attempt when backend not managed (cherry-pick #18646 to version-2025.12) by @authentik-automation[bot] in #19021
• website/docs: Prioritize "Release Candidate" over "Current Release" (cherry-pick #18975 to version-2025.12) by @authentik-automation[bot] in #19022
• ci: ensure disk space is available by @BeryJu in #19025
• web: Locale selector UI fixes (cherry-pick #18972 to version-2025.12) by @authentik-automation[bot] in #19027
• core: use chunked_queryset for expired message deletion (cherry-pick #19028 to version-2025.12) by @authentik-automation[bot] in #19031
• events: notifications live update (cherry-pick #18980 to version-2025.12) by @authentik-automation[bot] in #18990
• lib/sync: fix sync_dispatch (cherry-pick #19053 to version-2025.12) by @authentik-automation[bot] in #19056
• endpoints/devices: cleanup (cherry-pick #19047 to version-2025.12) by @authentik-automation[bot] in #19057
• blueprints: fix flaky tests (cherry-pick #19002 to version-2025.12) by @authentik-automation[bot] in #19059
• blueprints: fix deadlock and task context error in MetaApplyBlueprint (cherry-pick #19033 to version-2025.12) by @authentik-automation[bot] in #19068
• blueprints: set enrollment token key (cherry-pick #19061 to version-2025.12) by @authentik-automation[bot] in #19062
• internal: update TLS Suite (cherry-pick #19076 to version-2025.12) by @authentik-automation[bot] in #19078
• web/admin: fix button alignment on user view page (cherry-pick #19079 to version-2025.12) by @authentik-automation[bot] in #19081
• docs/release notes: update 2025.12 release notes (cherry-pick #19043 to version-2025.12) by @authentik-automation[bot] in #19046
• website/docs: rel notes .12: add wallos (cherry-pick #19063 to version-2025.12) by @authentik-automation[bot] in #19096
• website/docs: endpoint devices: update features table (cherry-pick #19094 to version-2025.12) by @authentik-automation[bot] in #19098
• web/admin: use consistent icon for inactive user status (cherry-pick #19032 to version-2025.12) by @authentik-automation[bot] in #19035
• website/docs: endpoint devices: add path to macos setup (cherry-pick #19093 to version-2025.12) by @authentik-automation[bot] in #19099
• website/docs: endpoints: mention connector key required for stage to work (cherry-pick #19084 to version-2025.12) by @authentik-automation[bot] in #19095
• website/docs: release notes: Add more integrations (cherry-pick #19109 to version-2025.12) by @authentik-automation[bot] in #19115
• web: Fix Impersonation, Lit Reactive Controller Contexts (cherry-pick #19114 to version-2025.12) by @authentik-automation[bot] in #19117
• web: Fix stale flow background (cherry-pick #19015 to version-2025.12) by @authentik-automation[bot] in #19101
• web: fix file search input not resetting results properly (cherry-pick #19034 to version-2025.12) by @authentik-automation[bot] in #19075
• web: Capitalize language display names, code owner fix (cherry-pick #19119 to version-2025.12) by @authentik-automation[bot] in #19122
• website/docs: fix build (cherry-pick #19148 to version-2025.12) by @authentik-automation[bot] in #19151
• web/user: fix consent delete form missing details (cherry-pick #19147 to version-2025.12) by @authentik-automation[bot] in #19156
• web: Token Form Fixes (cherry-pick #19121 to version-2025.12) by @authentik-automation[bot] in #19153
• website/docs: endpoint agent release notes (cherry-pick #19042 to version-2025.12) by @authentik-automation[bot] in #19146
• web: fix slug auto-updating when editing existing applications (cherry-pick #19169 to version-2025.12) by @authentik-automation[bot] in #19173
• website/docs: remove duplicates in slo docs (cherry-pick #19170 to version-2025.12) by @authentik-automation[bot] in #19177
• lifecycle: fix migration conn_options for psycopg connection (cherry-pick #19134 to version-2025.12) by @authentik-automation[bot] in #19186
• core: add prettier failure on duplicate group names (cherry-pick #18941 to version-2025.12) by @authentik-automation[bot] in #19193
• web: Merge branch -- Stale notifications, synchronized context objects, rendering fixes (cherry-pick #19141 to version-2025.12) by @authentik-automation[bot] in #19197
• web: Defer table refresh, visibility checks. (cherry-pick #19194 to version-2025.12) by @authentik-automation[bot] in #19198
• rbac: Add show all to roles tab, add role tab to groups (cherry-pick #19097 to version-2025.12) by @authentik-automation[bot] in #19199
• web/admin: adjust sync threshold, add tooltip (cherry-pick #19131 to version-2025.12) by @authentik-automation[bot] in #19175
• admin/files: support %(theme)s variable in media file paths (cherry-pick #19108 to version-2025.12) by @authentik-automation[bot] in #19213
• core: handle deserialization errors from FileField migration (cherry-pick #19067 to version-2025.12) by @authentik-automation[bot] in #19168
• web: fix promoted source button hover losing blue color (cherry-pick #19048 to version-2025.12) by @authentik-automation[bot] in #19100
• outpost/proxyv2: reduce max number of postgres connections (cherry-pick #19211 to version-2025.12) by @...

Release 2025.12.0-rc2

See https://next.goauthentik.io/docs/releases/2025.12

What's Changed

• rbac: alter migrated direct permission roles (cherry-pick #18860 to version-2025.12) by @authentik-automation[bot] in #18864
• web/admin/rbac: misc object permission fixes (cherry-pick #18859 to version-2025.12) by @authentik-automation[bot] in #18865
• outposts: fix permission errors for related certificates (cherry-pick #18861 to version-2025.12) by @authentik-automation[bot] in #18866
• website/docs: adjust RBAC-related details in 2025.12 release notes (cherry-pick #18863 to version-2025.12) by @authentik-automation[bot] in #18869
• website/docs: 2025.10.3 release notes (cherry-pick #18868 to version-2025.12) by @authentik-automation[bot] in #18873
• web: add custom message with links for empty data export list (cherry-pick #18830 to version-2025.12) by @authentik-automation[bot] in #18876
• web/admin: fix read-only provider selection for application form (cherry-pick #18768 to version-2025.12) by @authentik-automation[bot] in #18803
• website/docs: Add docs for passkey autofill (WebauthN Conditional UI) (cherry-pick #18805 to version-2025.12) by @authentik-automation[bot] in #18870
• web: fix notification counter (cherry-pick #18781 to version-2025.12) by @authentik-automation[bot] in #18882
• web/admin: endpoint: change wording and add helper text (cherry-pick #18871 to version-2025.12) by @authentik-automation[bot] in #18890
• website/docs: add icon info to style guide (cherry-pick #18832 to version-2025.12) by @authentik-automation[bot] in #18837
• web: fix file upload form (cherry-pick #18808 to version-2025.12) by @authentik-automation[bot] in #18884
• tasks/middleware: close connections on worker status update database error (cherry-pick #18881 to version-2025.12) by @authentik-automation[bot] in #18905
• stages/authenticator_*: fix code input field not string (cherry-pick #18875 to version-2025.12) by @authentik-automation[bot] in #18906
• api: fix page_size with invalid query param (cherry-pick #18879 to version-2025.12) by @authentik-automation[bot] in #18908
• website/docs: added list of Int Guide contributors (also edited frontmatter) (cherry-pick #18888 to version-2025.12) by @authentik-automation[bot] in #18907
• api: fix latest version for public schema (cherry-pick #18902 to version-2025.12) by @authentik-automation[bot] in #18909
• ci/release-tag: checkout correct branch for make test-docker (cherry-pick #18880 to version-2025.12) by @authentik-automation[bot] in #18911
• website/docs: 2025.12: remove superfluous changes (cherry-pick #18910 to version-2025.12) by @authentik-automation[bot] in #18912
• web/admin: reword some things on the device view page (cherry-pick #18785 to version-2025.12) by @authentik-automation[bot] in #18913
• core/groups: optimize prefetch queries to fetch only required fields (cherry-pick #18448 to version-2025.12) by @authentik-automation[bot] in #18914
• root: fix docker-compose data mount (cherry-pick #18903 to version-2025.12) by @authentik-automation[bot] in #18918

Full Changelog: version/2025.12.0-rc1...version/2025.12.0-rc2

Release 2025.10.3

See https://docs.goauthentik.io/docs/releases/2025.10#fixed-in-2025103

What's Changed

• website/docs: fix broken link in source switching doc (cherry-pick #18317 to version-2025.10) by @authentik-automation[bot] in #18319
• website/docs: further improvments to source switch doc (cherry-pick #18320 to version-2025.10) by @authentik-automation[bot] in #18323
• website/docs: enhance blueprint docs (cherry-pick #15984 to version-2025.10) by @authentik-automation[bot] in #18322
• website/docs: added missed edits on Blueprints docs (cherry-pick #18321 to version-2025.10) by @authentik-automation[bot] in #18324
• website/docs: add high availability doc (cherry-pick #18182 to version-2025.10) by @authentik-automation[bot] in #18325
• website/docs: update info about docker socket mount (cherry-pick #18344 to version-2025.10) by @authentik-automation[bot] in #18365
• outposts: set container healthcheck inline (cherry-pick #18298 to version-2025.10) by @authentik-automation[bot] in #18370
• web/admin: add entitlement search (cherry-pick #18291 to version-2025.10) by @authentik-automation[bot] in #18390
• lib/sync/outgoing: check if there is a provider before creating tasks (cherry-pick #18394 to version-2025.10) by @authentik-automation[bot] in #18397
• web/admin: fix wording in password stage (cherry-pick #18393 to version-2025.10) by @authentik-automation[bot] in #18395
• web: Fix stale table rows (cherry-pick #17940 to version-2025.10) by @authentik-automation[bot] in #18373
• web: revert Fix stale table rows (cherry-pick #17940 to version-2025.10) by @rissson in #18407
• stages/prompt: set allow_blank for _read_only fields (cherry-pick #18297 to version-2025.10) by @authentik-automation[bot] in #18406
• packages/django-channels-postgres: fix notify size check (cherry-pick #18347 to version-2025.10) by @authentik-automation[bot] in #18409
• website/docs: improve creds recovery docs (cherry-pick #18385 to version-2025.10) by @authentik-automation[bot] in #18411
• web: Fix stale table rows (cherry-pick #17940 to version-2025.10) by @authentik-automation[bot] in #18408
• web/admin: fixes capitalization in application wizard title (cherry-pick #17959 to version-2025.10) by @authentik-automation[bot] in #17962
• website/docs: update certificate doc (cherry-pick #18295 to version-2025.10) by @authentik-automation[bot] in #18326
• providers/scim: compare users/groups before sending update request (cherry-pick #18456 to version-2025.10) by @authentik-automation[bot] in #18465
• web/admin: fix brands default switch label (cherry-pick #18518 to version-2025.10) by @authentik-automation[bot] in #18522
• website/docs: expressions: fix markdown (cherry-pick #18613 to version-2025.10) by @authentik-automation[bot] in #18617
• website/docs: adds note about ak_create_jwt function (cherry-pick #18614 to version-2025.10) by @authentik-automation[bot] in #18626
• flows: refresh unauthenticated tabs (cherry-pick #18621 to version-2025.10) by @authentik-automation[bot] in #18633
• root: fix missing authentik_device cookie causing error (cherry-pick #18642 to version-2025.10) by @authentik-automation[bot] in #18644
• enterprise/stages/mtls: fix traefik certificate parsing (cherry-pick #18607 to version-2025.10) by @authentik-automation[bot] in #18645
• web: Fix row expansion on modal trigger buttons. (cherry-pick #18412 to version-2025.10) by @authentik-automation[bot] in #18647
• web/admin: fix event volume chart not updating with query (cherry-pick #18649 to version-2025.10) by @authentik-automation[bot] in #18653
• sources/ldap: make server info optional (cherry-pick #18648 to version-2025.10) by @authentik-automation[bot] in #18654
• website/docs: install-config: fix dump_config command (cherry-pick #18659 to version-2025.10) by @authentik-automation[bot] in #18671
• root: skip current tab when refreshing others (cherry-pick #18674 to version-2025.10) by @authentik-automation[bot] in #18675
• web: Hide device picker when challenges are not present. (cherry-pick #18611 to version-2025.10) by @authentik-automation[bot] in #18681
• web: Improved table selection behavior (cherry-pick #18622 to version-2025.10) by @authentik-automation[bot] in #18685
• website/docs: background tasks: add more detail about "next run" (cherry-pick #18660 to version-2025.10) by @authentik-automation[bot] in #18672
• outpost/proxyv2: more tests, fix pg password with spaces, and existing session on restart (cherry-pick #18211 to version-2025.10) by @authentik-automation[bot] in #18742
• core: optimize list applications (cherry-pick #18330 to version-2025.10) by @authentik-automation[bot] in #18791
• core: list applications fix (cherry-pick #18798 to version-2025.10) by @authentik-automation[bot] in #18827
• packages/django-dramatiq-postgres: broker: close django connections on consumer close (cherry-pick #18833 to version-2025.10) by @authentik-automation[bot] in #18835
• website/docs: add icon info to style guide (cherry-pick #18832 to version-2025.10) by @authentik-automation[bot] in #18834
• website/docs: 2025.10.3 release notes (cherry-pick #18868 to version-2025.10) by @authentik-automation[bot] in #18872

Full Changelog: version/2025.10.2...version/2025.10.3

Release 2025.12.0-rc1

See https://next.goauthentik.io/docs/releases/2025.12

What's Changed

• root: bump version to 2025.12.0-rc1 by @authentik-automation[bot] in #17603
• website/integrations: Zoom: Fix punctuation in description by @dominic-r in #17608
• website: fix active menu link background overlap by @dominic-r in #17607
• ci: use forked release action to deal with large release notes by @BeryJu in #17625
• translate: Updates for file locale/en/LC_MESSAGES/django.po in pt_BR by @transifex-integration[bot] in #17622
• core, web: update translations by @authentik-automation[bot] in #17605
• website/docs: add short-lived certificate recommendation by @dewi-tik in #17628
• website/integrations: random fixes by @dewi-tik in #17631
• web: sync web/package-lock.json by @melizeche in #17611
• ci: link to next. for pre-release docs by @BeryJu in #17634
• enterprise: add prometheus metrics for license usage and expiry by @BeryJu in #17606
• core: bump djangorestframework from 3.16.0 (our fork) to v3.16.1 (official package) by @melizeche in #16594
• website/integrations: add zendesk by @PeshekDotDev in #17541
• website/integrations: add terraform cloud by @dominic-r in #17610
• core: bump github.com/getsentry/sentry-go from 0.36.0 to 0.36.1 by @dependabot[bot] in #17646
• web: bump style-mod from 4.1.2 to 4.1.3 in /web by @dependabot[bot] in #17647
• core: bump astral-sh/uv from 0.9.4 to 0.9.5 by @dependabot[bot] in #17645
• providers/proxy: drop headers with underscores by @BeryJu in #17650
• website/docs: rel notes 2025.10: add 3 more integration guides by @tanberry in #17641
• core, web: update translations by @authentik-automation[bot] in #17643
• translate: Updates for file web/xliff/en.xlf in pt_BR by @transifex-integration[bot] in #17639
• web: bump knip from 5.66.1 to 5.66.2 in /web by @dependabot[bot] in #17619
• web: bump @types/node from 22.15.19 to 24.9.1 in /web by @dependabot[bot] in #17618
• web: bump @types/node from 24.9.0 to 24.9.1 in /packages/prettier-config by @dependabot[bot] in #17617
• lib/sync/outgoing: store sync settings in database by @rissson in #17630
• web: bump vite from 7.1.10 to 7.1.11 in /web by @dependabot[bot] in #17604
• website: bump @types/node from 24.9.0 to 24.9.1 in /website by @dependabot[bot] in #17612
• core: bump goauthentik.io/api/v3 from 3.2025100.25 to 3.2025120.1 by @dependabot[bot] in #17613
• web: bump @types/node from 24.9.0 to 24.9.1 in /packages/esbuild-plugin-live-reload by @dependabot[bot] in #17616
• web: bump hono from 4.9.12 to 4.10.2 in /web by @dependabot[bot] in #17653
• website: bump the eslint group in /website with 3 updates by @dependabot[bot] in #17601
• lifecycle/aws: bump aws-cdk from 2.1030.0 to 2.1031.0 in /lifecycle/aws by @dependabot[bot] in #17667
• web: bump chromedriver from 141.0.3 to 141.0.4 in /web by @dependabot[bot] in #17665
• web: bump the sentry group across 1 directory with 2 updates by @dependabot[bot] in #17663
• core: bump goauthentik.io/api/v3 from 3.2025120.1 to 3.2025120.2 by @dependabot[bot] in #17662
• web: Table row refinements by @GirlBossRush in #17659
• web: Abstract Wizard Lifecycle by @GirlBossRush in #17658
• website/docs: add note about invite link not bound by @tanberry in #17657
• web: Make action field search case insensitive in Event Matcher Policy Form by @melizeche in #17680
• web: bump @goauthentik/prettier-config from 1.0.5 to 3.1.0 in /web in the goauthentik group across 1 directory by @dependabot[bot] in #17684
• translate: add cs_CZ by @rissson in #17632
• root: Fix transifex link by @Gunsmithy in #17696
• web: Fix table row click handler. by @GirlBossRush in #17697
• website/docs: eap add info about custom validation by @tanberry in #17642
• website/integrations: sonarr: clarify reverse proxy setup by @AlexLArmstrong in #17485
• website/integrations: zot oci registry integration by @shcherbak in #17682
• website/docs: release notes: Add Zot integration by @dominic-r in #17700
• website/docs: blueprints: add a bit more info by @dominic-r in #17704
• web: bump hono from 4.10.2 to 4.10.3 in /web by @dependabot[bot] in #17698
• web: bump @types/node from 22.15.19 to 24.9.1 in /web by @dependabot[bot] in #17687
• web: bump @types/codemirror from 5.60.16 to 5.60.17 in /web by @dependabot[bot] in #17685
• website/integrations: grafana: replace deprecated redirect_uris usage by allowed_redirect_uris by @TarQ1 in #17710
• ci: bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #17719
• ci: bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #17720
• web: bump the storybook group across 1 directory with 5 updates by @dependabot[bot] in #17715
• ci: bump astral-sh/setup-uv from 7.1.1 to 7.1.2 in /.github/actions/setup by @dependabot[bot] in #17718
• providers/oauth2: move encryption key field by @BeryJu in #17722
• enterprise: handle cached naive timezone by @BeryJu in #17695
• lifecycle: set search_path in system migrations by @BeryJu in #17721
• website/docs: update flow context ref by @BeryJu in #17723
• website/docs: finalise 2025.10 release notes by @BeryJu in #17728
• website/docs: fix placeholder leftover by @BeryJu in #17737
• root: update security.md's supported versions by @dominic-r in #17736
• web/a11y: Prefers more field contrast by @GirlBossRush in #17279
• root: Add Dockerfile label org.opencontainers.image.source by @Erwan-loot in #17756
• web: bump the sentry group across 1 directory with 2 updates by @dependabot[bot] in #17743
• providers/proxy: add gorm logging by @BeryJu in #17758
• providers/proxy: fix missing JWT/claims header by @BeryJu in #17759
• sources/oauth: Make PKCE verifier 128 characters by @alex9smith in #17763
• providers/radius: fix panic when no cert is configured by @BeryJu in #17762
• packages/django-postgres-cache: use upsert instead of select/update in a transaction by @rissson in #17760
• web: bump validator from 13.15.15 to 13.15.20 in /packages/eslint-config by @dependabot[bot] in #17742
• web: bump eslint-plugin-react-hooks from 7.0.0 to 7.0.1 in /packages/eslint-config in the eslint group across 1 directory by @dependabot[bot] in #17714
• website: bump validator from 13.15.15 to 13.15.20 in /website by @dependabot[bot] in #17741
• web: bump vite from 7.1.11 to 7.1.12 in /web by @dependabot[bot] in #17689
• core, web: update translations by @authentik-automation[bot] in #17660
• website: bump the build group in /website with 6 updates by @dependabot[bot] in #17712
  ...

Release 2025.8.5

See https://docs.goauthentik.io/docs/releases/2025.8#fixed-in-202585

What's Changed

• website/docs: developer docs: adjust sentence for writing docs (cherry-pick #17137 to version-2025.8) by @authentik-automation[bot] in #17142
• build(deps): bump django from 5.1.12 to 5.1.13 (cherry-pick #17198 to version-2025.8) by @authentik-automation[bot] in #17199
• packages/django-dramatiq-postgres: broker: fix task expiration (cherry-pick #17178 to version-2025.8) by @authentik-automation[bot] in #17217
• packages/django-dramatiq-postgres: fix error when updating task with no changes (cherry-pick #16728 to version-2025.8) by @authentik-automation[bot] in #17238
• tasks/middlewares/messages: make sure exceptions are always logged (cherry-pick #17237 to version-2025.8) by @authentik-automation[bot] in #17248
• core: fix absolute and relative path file uploads (cherry-pick #17269 to version-2025.8) by @authentik-automation[bot] in #17272
• web: Fix behavior for modals configured with closeAfterSuccessfulSubmit (cherry-pick #17277 to version-2025.8) by @authentik-automation[bot] in #17299
• lib/sync/outgoing: revert reduce number of db queries made (revert #14177) (cherry-pick #17306 to version-2025.8) by @authentik-automation[bot] in #17330
• blueprints: ensure tasks retry on database errors (cherry-pick #17333 to version-2025.8) by @authentik-automation[bot] in #17334
• web/admin: fix incorrect placeholder for scim provider (cherry-pick #17308 to version-2025.8) by @authentik-automation[bot] in #17309
• website/docs: add entra id scim source (cherry-pick #17357 to version-2025.8) by @authentik-automation[bot] in #17362
• website/docs: add email config section (cherry-pick #16727 to version-2025.8) by @authentik-automation[bot] in #17364
• website: add powershell syntax highlighting and bump package (cherry-pick #16683) by @authentik-automation[bot] in #16721
• website/docs: update SAML provider docs (cherry-pick #15887 to version-2025.8) by @authentik-automation[bot] in #17583
• ci: rework internal repo (#17797) by @BeryJu in #17830
• ci: fix migrate-from-stable for old versions by @BeryJu in #18018
• core: bump Django from 5.1.13 to 5.1.14 for 2025.8 by @melizeche in #17968
• internal: Automated internal backport: 1498-oauth2-cc-user-active.sec.patch to authentik-2025.8 by @authentik-automation[bot] in #18262
• internal: Automated internal backport: 1487-invitation-expiry.sec.patch to authentik-2025.8 by @authentik-automation[bot] in #18261
• internal: Automated internal backport: 5000-sidebar.sec.patch to authentik-2025.8 by @authentik-automation[bot] in #18263
• website/docs: add 2025.8.5 and 2025.10.2 release notes (cherry-pick #18268 to version-2025.8) by @authentik-automation[bot] in #18269

Full Changelog: version/2025.8.4...version/2025.8.5