Release 2026.2.0

See https://docs.goauthentik.io/docs/releases/2026.2

What's Changed

• root: bump version to 2026.2.0-rc1 by @authentik-automation[bot] in #18794
• tests/e2e: retry detached shadow roots by @melizeche in #18796
• website/release notes: Update v2025.12 release notes by @melizeche in #18797
• web/admin: fix read-only provider selection for application form by @dominic-r in #18768
• web: bump the react group across 1 directory with 2 updates by @dependabot[bot] in #18775
• web: bump chromedriver from 143.0.0 to 143.0.1 in /web by @dependabot[bot] in #18776
• web: bump the storybook group across 1 directory with 5 updates by @dependabot[bot] in #18774
• internal: don't warn on empty outpost for embedded by @BeryJu in #18786
• lifecycle/aws: bump aws-cdk from 2.1033.0 to 2.1034.0 in /lifecycle/aws by @dependabot[bot] in #18771
• core, web: update translations by @authentik-automation[bot] in #18804
• root: Add macOS support for sed in Makefile by @melizeche in #18795
• ci: bump astral-sh/setup-uv from 7.1.5 to 7.1.6 in /.github/actions/setup by @dependabot[bot] in #18826
• ci: bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #18824
• core: bump goauthentik/fips-debian from 07f41ce to c10cd2c by @dependabot[bot] in #18822
• ci: bump actions/download-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in #18825
• ci: bump actions/cache from 5.0.0 to 5.0.1 by @dependabot[bot] in #18823
• core: list applications fix by @ryanpesek in #18798
• website/docs: add icon info to style guide by @dewi-tik in #18832
• core: remove superuser check from Token list by @gergosimonyi in #18684
• packages/django-dramatiq-postgres: broker: close django connections on consumer close by @rissson in #18833
• core: bump goauthentik.io/api/v3 from 3.2025120.26 to 3.2026020.1 by @dependabot[bot] in #18815
• admin/files: revert add check for /media existence (#18636) by @rissson in #18829
• website/docs: add jellyseer integration doc by @gabay in #18812
• crypto: Store details parsed from includeDetails in database instead by @PeshekDotDev in #18013
• core: skip s3 tests if endpoint isn't available by @melizeche in #18841
• admin/files: fix get_objects_for_user queryset argument in FileUsedByView by @dominic-r in #18845
• core: bump goauthentik/fips-debian from c10cd2c to 2f19fc1 by @dependabot[bot] in #18856
• ci: replace codecov test-results action by @BeryJu in #18862
• core: add skip s3_test_server_available to TestResolveFileUrlS3Backend by @melizeche in #18858
• rbac: alter migrated direct permission roles by @gergosimonyi in #18860
• core: bump library/golang from 5d35fb8 to 8e8f9c8 by @dependabot[bot] in #18855
• web/admin/rbac: misc object permission fixes by @gergosimonyi in #18859
• outposts: fix permission errors for related certificates by @BeryJu in #18861
• website/docs: adjust RBAC-related details in 2025.12 release notes by @gergosimonyi in #18863
• website/docs: Add docs for passkey autofill (WebauthN Conditional UI) by @melizeche in #18805
• website/docs: 2025.10.3 release notes by @BeryJu in #18868
• web: add custom message with links for empty data export list by @atereshkin in #18830
• web: fix notification counter by @atereshkin in #18781
• web: bump vite from 7.2.7 to 7.3.0 in /web by @dependabot[bot] in #18854
• stages/authenticator_*: fix code input field not string by @BeryJu in #18875
• web: fix file upload form by @dominic-r in #18808
• web/admin: endpoint: change wording and add helper text by @dewi-tik in #18871
• core, web: update translations by @authentik-automation[bot] in #18807
• website/integrations: bookstack: fix redir url by @dominic-r in #18891
• core: bump astral-sh/uv from 0.9.17 to 0.9.18 by @dependabot[bot] in #18898
• core: bump goauthentik/fips-debian from 2f19fc1 to 189345a by @dependabot[bot] in #18897
• web: bump knip from 5.73.3 to 5.74.0 in /web by @dependabot[bot] in #18896
• web: bump @types/node from 25.0.0 to 25.0.3 in /web by @dependabot[bot] in #18895
• web: bump the rollup group across 1 directory with 4 updates by @dependabot[bot] in #18852
• web: bump the bundler group across 1 directory with 7 updates by @dependabot[bot] in #18894
• web: bump @sentry/browser from 10.30.0 to 10.31.0 in /web in the sentry group across 1 directory by @dependabot[bot] in #18893
• lifecycle/aws: bump aws-cdk from 2.1034.0 to 2.1100.0 in /lifecycle/aws by @dependabot[bot] in #18850
• web: bump the goauthentik group across 1 directory with 3 updates by @dependabot[bot] in #18819
• web: bump the swc group across 1 directory with 11 updates by @dependabot[bot] in #18818
• web: bump the eslint group across 1 directory with 5 updates by @dependabot[bot] in #18851
• core: bump goauthentik.io/api/v3 from 3.2026020.1 to 3.2026020.3 by @dependabot[bot] in #18892
• tasks/middleware: close connections on worker status update database error by @rissson in #18881
• website/docs: added list of Int Guide contributors (also edited frontmatter) by @tanberry in #18888
• api: fix page_size with invalid query param by @rissson in #18879
• ci/release-tag: checkout correct branch for make test-docker by @rissson in #18880
• api: fix latest version for public schema by @BeryJu in #18902
• website/docs: 2025.12: remove superfluous changes by @rissson in #18910
• web/admin: reword some things on the device view page by @BeryJu in #18785
• core/groups: optimize prefetch queries to fetch only required fields by @joaocfernandes in #18448
• root: fix docker-compose data mount by @rissson in #18903
• web/admin: add UI copy to RBAC modal by @tanberry in #18917
• tests/e2e: handle StaleElementReferenceException in parse_json_content by @melizeche in #18842
• core: bump goauthentik/fips-debian from 189345a to 10dadf1 by @dependabot[bot] in #18927
• web: bump chromedriver from 143.0.1 to 143.0.2 in /web by @dependabot[bot] in #18926
• web: bump knip from 5.74.0 to 5.75.1 in /web by @dependabot[bot] in #18924
• core, web: update translations by @authentik-automation[bot] in #18920
• lifecycle/aws: bump aws-cdk from 2.1100.0 to 2.1100.1 in /lifecycle/aws by @dependabot[bot] in #18922
• web: bump the swc group across 1 directory with 11 updates by @dependabot[bot] in #18923
• web: bump the storybook group across 1 directory with 5 updates by @dependabot[bot] in #18817
• stages: remove more global state by @BeryJu in #18641
• packages/ak-guardian: cast safely by @gergosimonyi in #18929
• web/flow: Fix spurious double submit on ak-stage-autosubmit by @dminuoso i...

Release 2026.2.0-rc5

See https://next.goauthentik.io/docs/releases/2026.2

What's Changed

• rbac: fix object permission request (cherry-pick #20304 to version-2026.2) by @authentik-automation[bot] in #20366
• web: Flow Executor layout fixes (cherry-pick #20134 to version-2026.2) by @authentik-automation[bot] in #20331
• enterprise/providers/ws_federation: fix incorrect metadata download URL (cherry-pick #20173 to version-2026.2) by @authentik-automation[bot] in #20365
• website/docs: Fix broken link to flow executor (cherry-pick #20364 to version-2026.2) by @authentik-automation[bot] in #20370
• core: add cause to ak_groups deprecation event and logs (cherry-pick #20361 to version-2026.2) by @authentik-automation[bot] in #20368
• website/docs: correct reference to overriden S3 variable (cherry-pick #20156 to version-2026.2) by @authentik-automation[bot] in #20378
• web/admin: bug: stage update forms not rendering, several modal form buttons missing (cherry-pick #20373 to version-2026.2) by @authentik-automation[bot] in #20394
• enterprise/providers/microsoft_entra: fix dangling comma (cherry-pick #20391 to version-2026.2) by @authentik-automation[bot] in #20395
• ci: pull latest changes before tagging new version (cherry-pick #20413 to version-2026.2) by @rissson in #20414
• enterprise/providers/microsoft_entra: only check upn when set (cherry-pick #20441 to version-2026.2) by @authentik-automation[bot] in #20442
• stages/user_login: log correct user when session binding is broken (cherry-pick #20094 to version-2026.2) by @authentik-automation[bot] in #20453
• enterprise: monkey patch pyjwt to accept mismatching key (cherry-pick #20402 to version-2026.2) by @authentik-automation[bot] in #20474
• enterprise/lifecycle: use datetime instead of date to track review cycles (cherry-pick #20283 to version-2026.2) by @authentik-automation[bot] in #20473
• policies: measure policy process from manager (cherry-pick #20477 to version-2026.2) by @authentik-automation[bot] in #20481
• providers/proxy: preserve URL-encoded path characters in redirect (cherry-pick #20476 to version-2026.2) by @authentik-automation[bot] in #20482
• web: Center footer links. (cherry-pick #20345 to version-2026.2) by @authentik-automation[bot] in #20425
• website/docs: add info about make install and recovery key (cherry-pick #20447 to version-2026.2) by @authentik-automation[bot] in #20486
• providers/oauth2: device code flow client id via auth header (cherry-pick #20457 to version-2026.2) by @authentik-automation[bot] in #20503

Full Changelog: version/2026.2.0-rc4...version/2026.2.0-rc5

Release 2026.2.0-rc4

See https://next.goauthentik.io/docs/releases/2026.2

What's Changed

• website/docs: add okta source doc (cherry-pick #20296 to version-2026.2) by @authentik-automation[bot] in #20335
• website/docs: rac: update rac provider docs (cherry-pick #20225 to version-2026.2) by @authentik-automation[bot] in #20337
• website/docs, integrations: fix language (cherry-pick #20338 to version-2026.2) by @authentik-automation[bot] in #20347
• ci: fix setup altering package-lock (cherry-pick #20348 to version-2026.2) by @rissson in #20356
• web: revert package-lock.json by tag workflow by @gergosimonyi in #20349

Full Changelog: version/2026.2.0-rc3...version/2026.2.0-rc4

Release 2026.2.0-rc3

See https://next.goauthentik.io/docs/releases/2026.2

What's Changed

• website/docs: 2025.10.4 release notes (cherry-pick #20242 to version-2026.2) by @authentik-automation[bot] in #20251
• website/docs: 2025.12.4 release notes (cherry-pick #20226 to version-2026.2) by @authentik-automation[bot] in #20253
• website/docs: 2025.8.6 release notes (cherry-pick #20243 to version-2026.2) by @authentik-automation[bot] in #20257
• website/docs: draft of new WS-Fed provider docs (cherry-pick #20091 to version-2026.2) by @authentik-automation[bot] in #20262
• ci: fix binary outpost build on release (cherry-pick #20248 to version-2026.2) by @rissson in #20279
• enterprise/lifecycle: fix multiple reviews showing up in "Reviews" when the user is a member of multiple reviewer groups (cherry-pick #20266 to version-2026.2) by @authentik-automation[bot] in #20278
• web: add pretty names for lifecycle review events in event logs (cherry-pick #20264 to version-2026.2) by @authentik-automation[bot] in #20268
• website/docs: Custom CSS (cherry-pick #19991 to version-2026.2) by @authentik-automation[bot] in #20287
• stage/identification: recovery: make wording more generic (cherry-pick #20209 to version-2026.2) by @authentik-automation[bot] in #20293
• web: fix italic formatting in lifecycle rule help text (cherry-pick #20263 to version-2026.2) by @authentik-automation[bot] in #20267
• website/docs: add affine to release notes (cherry-pick #20299 to version-2026.2) by @authentik-automation[bot] in #20308
• root: do not rely on npm cli for version bump (cherry-pick #20276 to version-2026.2) by @authentik-automation[bot] in #20321

Full Changelog: version/2026.2.0-rc2...version/2026.2.0-rc3

Release 2025.8.6

See https://docs.goauthentik.io/docs/releases/2025.8#fixed-in-202586

What's Changed

• website/docs: Remove stale 2024 version directives (cherry-pick #19888 to version-2025.8) by @authentik-automation[bot] in #20021
• root: update client-go generation (cherry-pick #19762 and #19906 to version-2025.8) by @rissson in #19934
• website/docs: generate CVE sidebar (cherry-pick #20098 to version-2025.8) by @authentik-automation[bot] in #20099
• security: CVE-2026-25922 (2025.8) by @authentik-automation[bot] in #20235
• security: CVE-2026-25748 (2025.8) by @authentik-automation[bot] in #20234
• security: CVE-2026-25227 (2025.8) by @authentik-automation[bot] in #20233

Full Changelog: version/2025.8.5...version/2025.8.6

Release 2025.12.4

See https://docs.goauthentik.io/docs/releases/2025.12#fixed-in-2025124

What's Changed

• website/docs: Add changes in 2025.12.2 and 2025.12.3 to the release notes (cherry-pick #19949 to version-2025.12) by @authentik-automation[bot] in #19950
• web/admin: fix default binding order (cherry-pick #19943 to version-2025.12) by @authentik-automation[bot] in #19945
• providers/oauth2: use compare_digest for client_secret comparison (cherry-pick #19979 to version-2025.12) by @authentik-automation[bot] in #19987
• recovery: consume token in transaction (cherry-pick #19967 to version-2025.12) by @authentik-automation[bot] in #19986
• core: bump django from 5.2.10 to 5.2.11 (cherry-pick #19988 to version-2025.12) by @authentik-automation[bot] in #19992
• outposts: fix docker_tls created files permission (cherry-pick #19978 to version-2025.12) by @authentik-automation[bot] in #19993
• website/docs: fix typos (cherry-pick #20000 to version-2025.12) by @authentik-automation[bot] in #20010
• website/docs: endpoint devices: more updates (cherry-pick #19971 to version-2025.12) by @authentik-automation[bot] in #20014
• website/docs: endpoint devices: specify name and slug (cherry-pick #20016 to version-2025.12) by @authentik-automation[bot] in #20025
• website/docs: endpoint devices: fix non debian wording (cherry-pick #20046 to version-2025.12) by @authentik-automation[bot] in #20048
• docs: add instructions for configuring rp-initiated single logout (cherry-pick #20040 to version-2025.12) by @authentik-automation[bot] in #20055
• website: QL Search keyboard interactions docs, examples. (cherry-pick #16259 to version-2025.12) by @authentik-automation[bot] in #20056
• website/docs: automated install: mention no file:// vars (cherry-pick #20043 to version-2025.12) by @authentik-automation[bot] in #20062
• outpost/proxyv2: revalidate auth if session fails to load (cherry-pick #18063 to version-2025.12) by @authentik-automation[bot] in #20059
• website/docs: capturing outpost logs (cherry-pick #20045 to version-2025.12) by @authentik-automation[bot] in #20053
• website/docs: endpoint devices: update device authentication location (cherry-pick #20049 to version-2025.12) by @authentik-automation[bot] in #20051
• website/docs: generate CVE sidebar (cherry-pick #20098 to version-2025.12) by @authentik-automation[bot] in #20101
• sources/oauth: Fix InvalidAudienceError in id_token fallback (cherry-pick #20096 to version-2025.12) by @authentik-automation[bot] in #20122
• website/docs: add email verification scope doc (cherry-pick #20141 to version-2025.12) by @authentik-automation[bot] in #20205
• website/docs: rac: fixes the property mapping formatting (cherry-pick #20200 to version-2025.12) by @authentik-automation[bot] in #20202
• website/docs: ssf: update SSF documentation (cherry-pick #20195 to version-2025.12) by @authentik-automation[bot] in #20210
• security: CVE-2026-25922 (2025.12) by @authentik-automation[bot] in #20232
• security: CVE-2026-25748 (2025.12) by @authentik-automation[bot] in #20231
• security: CVE-2026-25227 (2025.12) by @authentik-automation[bot] in #20230
• web: updated package-lock.json to include missing tree-sitter references (cherry-pick #20244 to version-2025.12) by @rissson in #20245

Full Changelog: version/2025.12.3...version/2025.12.4

Release 2025.10.4

See See https://docs.goauthentik.io/docs/releases/2025.10#fixed-in-2025104

What's Changed

• web/flow: Fix spurious double submit on ak-stage-autosubmit (cherry-pick #18727 to version-2025.10) by @authentik-automation[bot] in #18932
• website/docs: add note to active directory source doc (cherry-pick #18787 to version-2025.10) by @authentik-automation[bot] in #18965
• website/docs: Backport version picker updates. (cherry-pick #18964 to version-2025.10) by @authentik-automation[bot] in #18974
• web/admin: fix dark theme on map (cherry-pick #18985 to version-2025.10) by @authentik-automation[bot] in #18986
• web/admin: Fix haveibeenpwned link in PasswordPolicyForm (cherry-pick #18984 to version-2025.10) by @authentik-automation[bot] in #18988
• core: use chunked_queryset for expired message deletion (cherry-pick #19028 to version-2025.10) by @authentik-automation[bot] in #19030
• internal: update TLS Suite (cherry-pick #19076 to version-2025.10) by @authentik-automation[bot] in #19077
• website/docs: fix build (cherry-pick #19148 to version-2025.10) by @authentik-automation[bot] in #19150
• web: fix slug auto-updating when editing existing applications (cherry-pick #19169 to version-2025.10) by @authentik-automation[bot] in #19172
• core: fix read replica routing during transactions (cherry-pick #19086 to version-2025.10) by @authentik-automation[bot] in #19240
• web/admin: add banner to flow import form (cherry-pick #19288 to version-2025.10) by @authentik-automation[bot] in #19292
• website/docs: update entra id provider docs (cherry-pick #18366 to version-2025.10) by @authentik-automation[bot] in #19255
• website/docs: Fix typo in GitHub OAuth Source instructions (cherry-pick #18936 to version-2025.10) by @authentik-automation[bot] in #19321
• website/docs: Fix documentation example for app_entitlements_attributes. (cherry-pick #19316 to version-2025.10) by @authentik-automation[bot] in #19325
• website/docs: update m2m doc (cherry-pick #18963 to version-2025.10) by @authentik-automation[bot] in #19323
• website/docs: update LDAP provider docs (cherry-pick #18272 to version-2025.10) by @authentik-automation[bot] in #19344
• web/elements: hidden secrets not propagating (cherry-pick #19029 to version-2025.10) by @authentik-automation[bot] in #19376
• outpost/proxyv2: fix stale session cookie causing 400 error in createState (cherry-pick #19026 to version-2025.10) by @authentik-automation[bot] in #19374
• internal: rework liveness probe and proxy (cherry-pick #19312 to version-2025.10) by @authentik-automation[bot] in #19383
• website/docs: update gws provider docs (cherry-pick #18286 to version-2025.10) by @authentik-automation[bot] in #19399
• website/docs: add import to discord policy (cherry-pick #19397 to version-2025.10) by @authentik-automation[bot] in #19405
• website/docs: mention dynamic overrides in redirect stage documentation (cherry-pick #19368 to version-2025.10) by @authentik-automation[bot] in #19401
• website/docs: limiting permissions of AD service account (cherry-pick #19483 to version-2025.10) by @authentik-automation[bot] in #19488
• providers/oauth2: add logout+jwt token type for oidc logout token. (cherry-pick #19554 to version-2025.10) by @authentik-automation[bot] in #19674
• internal: fix incorrect metric calculation (cherry-pick #19701 to version-2025.10) by @authentik-automation[bot] in #19702
• core: return bad request when user is authenticated and not active (cherry-pick #19706 to version-2025.10) by @authentik-automation[bot] in #19709
• web/admin: fix impersonation form requesting data without being opened (cherry-pick #19673 to version-2025.10) by @authentik-automation[bot] in #19711
• web/sfe: downgrade bootstrap, add access denied test (cherry-pick #19763 to version-2025.10) by @authentik-automation[bot] in #19764
• website/docs: fix Transifex link in translation guide (cherry-pick #19735 to version-2025.10) by @authentik-automation[bot] in #19770
• root: update client-go generation (cherry-pick #19762 and #19906 to version-2025.10) by @rissson in #19933
• recovery: consume token in transaction (cherry-pick #19967 to version-2025.10) by @authentik-automation[bot] in #19981
• providers/oauth2: use compare_digest for client_secret comparison (cherry-pick #19979 to version-2025.10) by @authentik-automation[bot] in #19982
• website/docs: Remove stale 2024 version directives (cherry-pick #19888 to version-2025.10) by @authentik-automation[bot] in #20022
• docs: add instructions for configuring rp-initiated single logout (cherry-pick #20040 to version-2025.10) by @authentik-automation[bot] in #20054
• core: bump django from v5.2.8 to 5.2.11 (version-2025.10) by @melizeche in #20020
• outpost/proxyv2: revalidate auth if session fails to load (cherry-pick #18063 to version-2025.10) by @authentik-automation[bot] in #20058
• website/docs: generate CVE sidebar (cherry-pick #20098 to version-2025.10) by @authentik-automation[bot] in #20100
• outpost/proxyv2: reduce max number of postgres connections (cherry-pick #19211 to version-2025.10) by @authentik-automation[bot] in #20139
• website/docs: add email verification scope doc (cherry-pick #20141 to version-2025.10) by @authentik-automation[bot] in #20204
• website/docs: rac: fixes the property mapping formatting (cherry-pick #20200 to version-2025.10) by @authentik-automation[bot] in #20201
• security: CVE-2026-25922 (2025.10) by @authentik-automation[bot] in #20229
• security: CVE-2026-25748 (2025.10) by @authentik-automation[bot] in #20228
• security: CVE-2026-25227 (2025.10) by @authentik-automation[bot] in #20227
• web: updated package-lock.json to include missing tree-sitter references. by @kensternberg-authentik in #20247

Full Changelog: version/2025.10.3...version/2025.10.4

Release 2026.2.0-rc2

See https://next.goauthentik.io/docs/releases/2026.2

What's Changed

• website/docs: rac: fixes the property mapping formatting (cherry-pick #20200 to version-2026.2) by @authentik-automation[bot] in #20203
• website/docs: add email verification scope doc (cherry-pick #20141 to version-2026.2) by @authentik-automation[bot] in #20206
• website/docs: ssf: update SSF documentation (cherry-pick #20195 to version-2026.2) by @authentik-automation[bot] in #20211
• ci: fix release testing (cherry-pick #20207 to version-2026.2) by @rissson in #20224
• security: CVE-2026-25922 (2026.2) by @authentik-automation[bot] in #20238
• security: CVE-2026-25748 (2026.2) by @authentik-automation[bot] in #20237
• security: CVE-2026-25227 (2026.2) by @authentik-automation[bot] in #20236
• web: updated package-lock.json to include missing tree-sitter references (cherry-pick #20244 to version-2026.2) by @rissson in #20246

Full Changelog: version/2026.2.0-rc1...version/2026.2.0-rc2

Release 2026.2.0-rc1

See https://next.goauthentik.io/docs/releases/2026.2

What's Changed

• admin: system api: fix FIPS status schema by @rissson in #10110
• website/docs: Specify Synology DSM Account type to use by @jannickfahlbusch in #10111
• web: bump API Client version by @authentik-automation[bot] in #10113
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10109
• website/docs: add more info about multiple replicas by @tanberry in #10117
• policies/reputation: fix existing reputation update by @rissson in #10124
• stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs by @authentik-automation[bot] in #10119
• translate: Updates for file web/xliff/en.xlf in zh_CN by @transifex-integration[bot] in #10120
• translate: Updates for file web/xliff/en.xlf in zh-Hans by @transifex-integration[bot] in #10121
• core, web: update translations by @authentik-automation[bot] in #10118
• core: bump goauthentik.io/api/v3 from 3.2024042.11 to 3.2024042.13 by @dependabot[bot] in #10134
• core: bump ruff from 0.4.8 to 0.4.9 by @dependabot[bot] in #10128
• core, web: update translations by @authentik-automation[bot] in #10127
• core: bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot[bot] in #10133
• web: bump chromedriver from 126.0.0 to 126.0.1 in /tests/wdio by @dependabot[bot] in #10136
• core: bump github.com/gorilla/sessions from 1.2.2 to 1.3.0 by @dependabot[bot] in #10135
• web: bump @patternfly/elements from 3.0.1 to 3.0.2 in /web by @dependabot[bot] in #10132
• website: bump react-tooltip from 5.26.4 to 5.27.0 in /website by @dependabot[bot] in #10129
• web: fix early modal stack depletion by @kensternberg-authentik in #10068
• website/integations/services: Slack integration docs by @tanberry in #9933
• core: include version in built JS files by @BeryJu in #9558
• web: fix needed because recent upgrade to task breaks spinner button by @kensternberg-authentik in #10142
• web: bump ws from 8.16.0 to 8.17.1 in /web by @dependabot[bot] in #10149
• web: bump the storybook group in /web with 7 updates by @dependabot[bot] in #10147
• ci: bump docker/build-push-action from 5 to 6 by @dependabot[bot] in #10144
• core: bump urllib3 from 2.2.1 to 2.2.2 by @dependabot[bot] in #10143
• root: use custom model serializer that saves m2m without bulk by @BeryJu in #10139
• root: makefile: add codespell to make website by @rissson in #10116
• web: fix docker build for non-release versions by @rissson in #10154
• website/integrations: gitlab: better service description by @dominic-r in #9923
• website/docs: Describe where to apply the auto setup env vars by @m1212e in #9863
• website/integrations: jellyfin: add OIDC configuration by @Redlonghead in #9538
• web: bump the wdio group in /tests/wdio with 4 updates by @dependabot[bot] in #10160
• web: bump chromedriver from 126.0.1 to 126.0.2 in /tests/wdio by @dependabot[bot] in #10161
• core: bump twilio from 9.1.1 to 9.2.0 by @dependabot[bot] in #10162
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10167
• website/docs: 2024.6 release notes: add note about group names by @rissson in #10170
• core: fix error when raising SkipObject in mapping by @BeryJu in #10153
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10174
• website/docs: update template reference by @emmanuel-ferdman in #10166
• web: bump @sentry/browser from 8.9.2 to 8.10.0 in /web in the sentry group by @dependabot[bot] in #10185
• core: bump google-api-python-client from 2.133.0 to 2.134.0 by @dependabot[bot] in #10183
• web: bump glob from 10.4.1 to 10.4.2 in /web by @dependabot[bot] in #10163
• core: rework base for SkipObject exception to better support control flow exceptions by @BeryJu in #10186
• website/docs: Remove hyphen in read replica in Release Notes by @tanberry in #10178
• website/docs: Fix nginx proxy_pass directive documentation by @fotinakis in #10181
• core: bump selenium from 4.21.0 to 4.22.0 by @dependabot[bot] in #10194
• core: bump ruff from 0.4.9 to 0.4.10 by @dependabot[bot] in #10193
• web: bump typescript from 5.4.5 to 5.5.2 in /tests/wdio by @dependabot[bot] in #10192
• web: bump typescript from 5.4.5 to 5.5.2 in /web by @dependabot[bot] in #10191
• website: bump typescript from 5.4.5 to 5.5.2 in /website by @dependabot[bot] in #10190
• web: bump @sentry/browser from 8.10.0 to 8.11.0 in /web in the sentry group by @dependabot[bot] in #10204
• web: bump chromedriver from 126.0.2 to 126.0.3 in /tests/wdio by @dependabot[bot] in #10203
• core: bump twilio from 9.2.0 to 9.2.1 by @dependabot[bot] in #10202
• core: bump coverage from 7.5.3 to 7.5.4 by @dependabot[bot] in #10201
• web/flows: update flow background by @BeryJu in #10206
• website/docs: fix #9552 openssl rand base64 line wrap by @jogerj in #10211
• website/integrations: fix typo in documentation for OIDC setup with Paperless-ngx by @rwh85 in #10218
• security: fix CVE-2024-38371 by @BeryJu in #10229
• security: fix CVE-2024-37905 by @BeryJu in #10230
• core: bump debugpy from 1.8.1 to 1.8.2 by @dependabot[bot] in #10225
• web: bump @sentry/browser from 8.11.0 to 8.12.0 in /web in the sentry group by @dependabot[bot] in #10226
• core: bump webauthn from 2.1.0 to 2.2.0 by @dependabot[bot] in #10224
• web: bump chromedriver from 126.0.3 to 126.0.4 in /tests/wdio by @dependabot[bot] in #10223
• core: bump pdoc from 14.5.0 to 14.5.1 by @dependabot[bot] in #10221
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10228
• website/docs: update 2024.2 release notes with security fixes by @rissson in #10232
• website/docs: update 2024.4 release notes with latest changes by @rissson in #10231
• website/docs: update 2024.6 release notes with latest changes (cherry-pick #10228) by @gcp-cherry-pick-bot[bot] in #10243
• website/docs: remove RC disclaimer from 2024.6 release notes by @rissson in #10245
• website/docs: remove RC disclaimer from 2024.6 release notes (cherry-pick #10245) by @gcp-cherry-pick-bot[bot] in #10246
• security: update supported versions by @rissson in #10247
• security: update supported versions (cherry-pick #10247) by @gcp-cherry-pick-bot[bot] in #10248
• website/docs: update geoip and asn example to use the proper syntax by @rissson in #10249
• website/docs: update the Welcome page by @tanberry in #10222
• website/docs: update geoip and asn example to use the proper syntax (cherry-pick #10249) by @gcp-cherry-pick-bot[bot] in #10250
• web: bump API Client versio...

Release 2025.12.3

See https://docs.goauthentik.io/docs/releases/2025.12#fixed-in-2025123

What's Changed

• 2025.12: Revert bulk revoke added by accident in release branch by @dominic-r in #19870
• web/admin: fix toggle-group for bindings now showing up (cherry-pick #19820 to version-2025.12) by @authentik-automation[bot] in #19895
• website/docs: Remove stale 2024 version directives (cherry-pick #19888 to version-2025.12) by @authentik-automation[bot] in #19899
• web: fix Brand CSS not applied to nested Shadow DOM components (cherry-pick #19892 to version-2025.12) by @authentik-automation[bot] in #19900
• ci: always generate API clients (#19906) by @BeryJu in #19932
• lifecycle/ak: make sure /data has the correct permissions (cherry-pick #19935 to version-2025.12) by @authentik-automation[bot] in #19940
• lifecycle/aws: add /data volume (cherry-pick #19936 to version-2025.12) by @authentik-automation[bot] in #19938
• website/docs: Update location of media storage and outdated references (cherry-pick #19885 to version-2025.12) by @authentik-automation[bot] in #19937
• core: fix non-expiring service accounts and app passwords (cherry-pick #19913 to version-2025.12) by @authentik-automation[bot] in #19941

Full Changelog: version/2025.12.2...version/2025.12.3