Authelia v4.39.20 released on 26-05-2026

Authelia v4.39.20 is out now. It fixes two security advisories (domain-matching canonicalisation and Basic Auth username canonicalisation for LDAP) and tightens authorization, session, storage and metrics behaviour, so operators should consider this an important security and stability update.
See the project’s GitHub release page for the full changelog, advisory details and download options; Docker images are published for immediate use.
What’s in this release
- Security fixes for two advisories: GHSA-j748-h363-wqj8 (domain-matching canonicalisation edge case) and GHSA-hjj4-hfjm-fmrj (missing Basic Auth username canonicalisation with LDAP).
- Authorization and handler fixes including case-insensitive domain matching for access control rules, proper handling of OAuth2 client-credentials, Basic Auth username canonicalisation and hoisted issuer checks for token validation.
- Storage, session and metrics hardening: more robust one-time code consumption, correct auth-code queries by request ID, a startup check for session backend connectivity, improved metrics registration and rate-limit exclusions.
Upgrade notes
- No breaking changes are listed in the release notes; users are strongly encouraged to update promptly because this release addresses important security issues. Docker images: docker pull authelia/authelia:4.39.20 and docker pull ghcr.io/authelia/authelia:4.39.20.
- If a rollback is required, follow your normal container rollback procedures (restore the previously pinned image tag and configuration).
Share feedback or operational notes on your upgrade experience so others can learn from any quirks encountered.


