authentik version/2026.2.3 released on 12-05-2026

authentik version/2026.2.3 is out now. It bundles security updates and dependency bumps, a set of OAuth2, device-auth and federation fixes, reliability improvements for background tasks and database interactions, UI and documentation updates, and a number of miscellaneous bug fixes.
See the project’s release notes and the full changelog on GitHub or the official documentation for complete details and upgrade instructions.

What’s in this release
- Security and dependency updates: core Django bumped from 5.2.12 to 5.2.13 and root updated to 5.2.14, plus automated internal backports addressing several CVEs and GHSA advisories (including CVE-2026-42849, CVE-2026-41577, CVE-2026-41569, CVE-2026-40172, CVE-2026-40166 and CVE-2026-40165).
- OAuth2, device auth and federation fixes: cross-provider token introspection is now allowed for federated providers; device authorization scopes are clipped to the provider’s ScopeMapping; the refresh_token_threshold time logic is corrected; redirect_uri is no longer auto-set; documentation and social-login titles are cleaned up.
- Reliability, UI and misc fixes: endpoint task failures addressed; django-dramatiq-postgres now resets DB connections and broker decoding errors no longer stop task processing; expensive outgoing-sync page-count queries avoided; a single-page UI guide and documentation clarifications added; plus fixes such as RADIUS message authenticator validation, app-entitlement search, RBAC migration ordering and tenant flag presentation.

Upgrade notes
- Note the RBAC migration ordering change: migration 0056 now always runs before the removal of a group field (check migration ordering if you maintain custom workflows).
- No rollback-specific instructions are included in the release notes; consult the full changelog and the GitHub release notes before downgrading.
Share your experience after upgrading or report any issues on the project’s GitHub so others can benefit from your notes.
