Authelia | v4.39.20

Authelia v4.39.20 released on 26-05-2026


Authelia v4.39.20 is out now. It fixes two security advisories (domain-matching canonicalisation and Basic Auth username canonicalisation for LDAP) and tightens authorization, session, storage and metrics behaviour, so operators should consider this an important security and stability update.

See the project’s GitHub release page for the full changelog, advisory details and download options; Docker images are published for immediate use.

What’s in this release

  • Security fixes for two advisories: GHSA-j748-h363-wqj8 (domain-matching canonicalisation edge case) and GHSA-hjj4-hfjm-fmrj (missing Basic Auth username canonicalisation with LDAP).
  • Authorization and handler fixes including case-insensitive domain matching for access control rules, proper handling of OAuth2 client-credentials, Basic Auth username canonicalisation and hoisted issuer checks for token validation.
  • Storage, session and metrics hardening: more robust one-time code consumption, correct auth-code queries by request ID, a startup check for session backend connectivity, improved metrics registration and rate-limit exclusions.

Upgrade notes

  • No breaking changes are listed in the release notes; users are strongly encouraged to update promptly because this release addresses important security issues. Docker images: docker pull authelia/authelia:4.39.20 and docker pull ghcr.io/authelia/authelia:4.39.20.
  • If a rollback is required, follow your normal container rollback procedures (restore the previously pinned image tag and configuration).

Share feedback or operational notes on your upgrade experience so others can learn from any quirks encountered.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes