Authelia v4.39.20 released on 26-05-2026

Authelia v4.39.20 is out now. It includes important security fixes and several hardening and reliability changes, so users are strongly encouraged to update promptly.
See the release notes on the project’s GitHub for full details and pull the official Docker images authelia/authelia:4.39.20 or ghcr.io/authelia/authelia:4.39.20 for deployment.
What’s in this release
- Security fixes addressing an edge-case access-control domain matching issue (lack of canonicalization) and missing username canonicalization in Basic Auth when using LDAP; both reported by the community and fixed by core contributors.
- Authorization and handler hardening: case-insensitive domain matching to prevent bypasses, Basic Auth username canonicalization, OAuth2 client credentials no longer treated as anonymous, and hoisted issuer checks for stronger validation.
- Stability and configuration fixes: hardened one-time code consumption, corrected auth-code query by request ID, a session startup check for backend connectivity, metrics fixes, FreeIPA default attributes added and various configuration/documentation corrections.
Upgrade notes
- No breaking changes are listed in the release notes, but check LDAP bind mode and any FreeIPA-related settings before upgrading and test changes in a staging environment where possible.
- There are no release-specific rollback instructions; if you need to revert, use your normal rollback process (for example, redeploy the previous image/tag you were running).
Share any feedback or issues on the project’s GitHub so the maintainers and community can follow up on your experience.


