authentik version/2026.2.3 released on 12-05-2026

authentik version/2026.2.3 is out now. It applies important security fixes and dependency updates — including Django bumps and multiple automated backports — to address several CVEs and GHSA advisories and harden the platform.
See the release notes on the authentik documentation site or the full changelog on GitHub for details and upgrade guidance: https://docs.goauthentik.io/docs/releases/2026.2#fixed-in-202623 and https://github.com/goauthentik/authentik/compare/version/2026.2.3-rc1...version/2026.2.3
What’s in this release
- Security and dependency updates: core Django bumped from 5.2.12 to 5.2.13, with a root update to 5.2.14, plus multiple automated internal backports and security patches addressing CVEs and GHSA advisories.
- OAuth2 and provider fixes: corrected refresh_token_threshold time logic; allowed cross‑provider token introspection for federated providers; disabled automatic setting of redirect_uri; device authorization scopes are now clipped against the provider’s ScopeMapping.
- Reliability and backend fixes: failures in endpoints tasks were addressed; django-dramatiq-postgres now resets DB connections on connection errors and avoids stopping task processing on decode errors; an expensive sync outgoing query was optimised; and the RBAC migration ordering was corrected to prevent breakage.
Upgrade notes
- Migration ordering: the RBAC migration ordering was corrected so that migration 0056 runs before 0010 removes the group field. Ensure database migrations are applied as described in the release notes.
- If a rollback is required, consult the full changelog and release notes on GitHub and the documentation for migration-related details before attempting a downgrade.
Share your experience after upgrading or report any issues via the project’s GitHub so maintainers and the community can follow up.
