authentik version/2026.5.2 released on 28-05-2026

authentik version/2026.5.2 is out now. Operators on the 2026.5 branch should treat it as a security maintenance update that backports multiple security patches and updates release version metadata, while also addressing stability and interoperability issues.
See the release notes on the authentik documentation and the full changelog on GitHub for detailed information and upgrade instructions: https://docs.goauthentik.io/docs/releases/2026.5#fixed-in-202652 and https://github.com/goauthentik/authentik/compare/version/2026.5.0…version/2026.5.2
What’s in this release
- Automated security backports for GHSA-c3m2-jqmq-pvp3, GHSA-wr38-7xg8-fqxr and GHSA-xp7f-xjjx-gwm8, plus an update to security release version metadata.
- Database and certificate handling fixes in packages/ak-common/db to prevent connection pool spinning caused by conn_max_age and to accept file paths for certificate options.
- Provider and connector fixes: SSH hostkey lookup for federated auth in the agent connector, EAP debug logging fix for the RADIUS provider, OAuth2 session decode fix when upgrading from 2026.2, and last_updated handling corrected for OAuth interactive in the SCIM enterprise provider.
Upgrade notes
- No breaking changes are listed in the release notes; treat this as a security maintenance update and follow the linked changelog and docs for upgrade steps.
- If you must roll back, revert to the previous 2026.5 state (see the full changelog compare for diffs) and follow your normal deployment rollback procedure.
Share any feedback or report issues on the project’s GitHub so maintainers and other users can see how these fixes behave in the wild.


