See https://next.goauthentik.io/docs/releases/2025.12

What's Changed

• tests/e2e: handle StaleElementReferenceException in parse_json_content (cherry-pick #18842 to version-2025.12) by @authentik-automation[bot] in #18919
• packages/ak-guardian: cast safely (cherry-pick #18929 to version-2025.12) by @authentik-automation[bot] in #18931
• web/flow: Fix spurious double submit on ak-stage-autosubmit (cherry-pick #18727 to version-2025.12) by @authentik-automation[bot] in #18933
• stages/identification: replace sleep with make_password (cherry-pick #18883 to version-2025.12) by @authentik-automation[bot] in #18943
• website/docs: endpoint devices (cherry-pick #18634 to version-2025.12) by @authentik-automation[bot] in #18946
• website/docs: release notes: add endpoint device links to 2025.12 notes (cherry-pick #18940 to version-2025.12) by @authentik-automation[bot] in #18947
• web/elements: progress-bar and table loading header (cherry-pick #18934 to version-2025.12) by @authentik-automation[bot] in #18939
• website/docs: add note to active directory source doc (cherry-pick #18787 to version-2025.12) by @authentik-automation[bot] in #18966
• web/admin: add UI copy to RBAC modal (cherry-pick #18917 to version-2025.12) by @authentik-automation[bot] in #18962
• website/docs: Backport version picker updates. by @GirlBossRush in #18964
• web/admin: fix endpoints user binding (cherry-pick #18935 to version-2025.12) by @authentik-automation[bot] in #18952
• web/admin: fix dark theme on map (cherry-pick #18985 to version-2025.12) by @authentik-automation[bot] in #18987
• web/admin: Fix haveibeenpwned link in PasswordPolicyForm (cherry-pick #18984 to version-2025.12) by @authentik-automation[bot] in #18989
• enterprise/reports: improve export list, confirmation (cherry-pick #18981 to version-2025.12) by @authentik-automation[bot] in #19010
• website/docs: improve endpoint devices docs (cherry-pick #19007 to version-2025.12) by @authentik-automation[bot] in #19012
• enterprise/search: add static autocomplete structure (cherry-pick #19008 to version-2025.12) by @authentik-automation[bot] in #19011
• web: fix Open button selecting row instead of navigating (cherry-pick #18992 to version-2025.12) by @authentik-automation[bot] in #19003
• web/admin: prevent file upload attempt when backend not managed (cherry-pick #18646 to version-2025.12) by @authentik-automation[bot] in #19021
• website/docs: Prioritize "Release Candidate" over "Current Release" (cherry-pick #18975 to version-2025.12) by @authentik-automation[bot] in #19022
• ci: ensure disk space is available by @BeryJu in #19025
• web: Locale selector UI fixes (cherry-pick #18972 to version-2025.12) by @authentik-automation[bot] in #19027
• core: use chunked_queryset for expired message deletion (cherry-pick #19028 to version-2025.12) by @authentik-automation[bot] in #19031
• events: notifications live update (cherry-pick #18980 to version-2025.12) by @authentik-automation[bot] in #18990
• lib/sync: fix sync_dispatch (cherry-pick #19053 to version-2025.12) by @authentik-automation[bot] in #19056
• endpoints/devices: cleanup (cherry-pick #19047 to version-2025.12) by @authentik-automation[bot] in #19057
• blueprints: fix flaky tests (cherry-pick #19002 to version-2025.12) by @authentik-automation[bot] in #19059
• blueprints: fix deadlock and task context error in MetaApplyBlueprint (cherry-pick #19033 to version-2025.12) by @authentik-automation[bot] in #19068
• blueprints: set enrollment token key (cherry-pick #19061 to version-2025.12) by @authentik-automation[bot] in #19062
• internal: update TLS Suite (cherry-pick #19076 to version-2025.12) by @authentik-automation[bot] in #19078
• web/admin: fix button alignment on user view page (cherry-pick #19079 to version-2025.12) by @authentik-automation[bot] in #19081
• docs/release notes: update 2025.12 release notes (cherry-pick #19043 to version-2025.12) by @authentik-automation[bot] in #19046
• website/docs: rel notes .12: add wallos (cherry-pick #19063 to version-2025.12) by @authentik-automation[bot] in #19096
• website/docs: endpoint devices: update features table (cherry-pick #19094 to version-2025.12) by @authentik-automation[bot] in #19098
• web/admin: use consistent icon for inactive user status (cherry-pick #19032 to version-2025.12) by @authentik-automation[bot] in #19035
• website/docs: endpoint devices: add path to macos setup (cherry-pick #19093 to version-2025.12) by @authentik-automation[bot] in #19099
• website/docs: endpoints: mention connector key required for stage to work (cherry-pick #19084 to version-2025.12) by @authentik-automation[bot] in #19095
• website/docs: release notes: Add more integrations (cherry-pick #19109 to version-2025.12) by @authentik-automation[bot] in #19115
• web: Fix Impersonation, Lit Reactive Controller Contexts (cherry-pick #19114 to version-2025.12) by @authentik-automation[bot] in #19117
• web: Fix stale flow background (cherry-pick #19015 to version-2025.12) by @authentik-automation[bot] in #19101
• web: fix file search input not resetting results properly (cherry-pick #19034 to version-2025.12) by @authentik-automation[bot] in #19075
• web: Capitalize language display names, code owner fix (cherry-pick #19119 to version-2025.12) by @authentik-automation[bot] in #19122
• website/docs: fix build (cherry-pick #19148 to version-2025.12) by @authentik-automation[bot] in #19151
• web/user: fix consent delete form missing details (cherry-pick #19147 to version-2025.12) by @authentik-automation[bot] in #19156
• web: Token Form Fixes (cherry-pick #19121 to version-2025.12) by @authentik-automation[bot] in #19153
• website/docs: endpoint agent release notes (cherry-pick #19042 to version-2025.12) by @authentik-automation[bot] in #19146
• web: fix slug auto-updating when editing existing applications (cherry-pick #19169 to version-2025.12) by @authentik-automation[bot] in #19173
• website/docs: remove duplicates in slo docs (cherry-pick #19170 to version-2025.12) by @authentik-automation[bot] in #19177
• lifecycle: fix migration conn_options for psycopg connection (cherry-pick #19134 to version-2025.12) by @authentik-automation[bot] in #19186
• core: add prettier failure on duplicate group names (cherry-pick #18941 to version-2025.12) by @authentik-automation[bot] in #19193
• web: Merge branch -- Stale notifications, synchronized context objects, rendering fixes (cherry-pick #19141 to version-2025.12) by @authentik-automation[bot] in #19197
• web: Defer table refresh, visibility checks. (cherry-pick #19194 to version-2025.12) by @authentik-automation[bot] in #19198
• rbac: Add show all to roles tab, add role tab to groups (cherry-pick #19097 to version-2025.12) by @authentik-automation[bot] in #19199
• web/admin: adjust sync threshold, add tooltip (cherry-pick #19131 to version-2025.12) by @authentik-automation[bot] in #19175
• admin/files: support %(theme)s variable in media file paths (cherry-pick #19108 to version-2025.12) by @authentik-automation[bot] in #19213
• core: handle deserialization errors from FileField migration (cherry-pick #19067 to version-2025.12) by @authentik-automation[bot] in #19168
• web: fix promoted source button hover losing blue color (cherry-pick #19048 to version-2025.12) by @authentik-automation[bot] in #19100
• outpost/proxyv2: reduce max number of postgres connections (cherry-pick #19211 to version-2025.12) by @...

See https://next.goauthentik.io/docs/releases/2025.12

What's Changed

• rbac: alter migrated direct permission roles (cherry-pick #18860 to version-2025.12) by @authentik-automation[bot] in #18864
• web/admin/rbac: misc object permission fixes (cherry-pick #18859 to version-2025.12) by @authentik-automation[bot] in #18865
• outposts: fix permission errors for related certificates (cherry-pick #18861 to version-2025.12) by @authentik-automation[bot] in #18866
• website/docs: adjust RBAC-related details in 2025.12 release notes (cherry-pick #18863 to version-2025.12) by @authentik-automation[bot] in #18869
• website/docs: 2025.10.3 release notes (cherry-pick #18868 to version-2025.12) by @authentik-automation[bot] in #18873
• web: add custom message with links for empty data export list (cherry-pick #18830 to version-2025.12) by @authentik-automation[bot] in #18876
• web/admin: fix read-only provider selection for application form (cherry-pick #18768 to version-2025.12) by @authentik-automation[bot] in #18803
• website/docs: Add docs for passkey autofill (WebauthN Conditional UI) (cherry-pick #18805 to version-2025.12) by @authentik-automation[bot] in #18870
• web: fix notification counter (cherry-pick #18781 to version-2025.12) by @authentik-automation[bot] in #18882
• web/admin: endpoint: change wording and add helper text (cherry-pick #18871 to version-2025.12) by @authentik-automation[bot] in #18890
• website/docs: add icon info to style guide (cherry-pick #18832 to version-2025.12) by @authentik-automation[bot] in #18837
• web: fix file upload form (cherry-pick #18808 to version-2025.12) by @authentik-automation[bot] in #18884
• tasks/middleware: close connections on worker status update database error (cherry-pick #18881 to version-2025.12) by @authentik-automation[bot] in #18905
• stages/authenticator_*: fix code input field not string (cherry-pick #18875 to version-2025.12) by @authentik-automation[bot] in #18906
• api: fix page_size with invalid query param (cherry-pick #18879 to version-2025.12) by @authentik-automation[bot] in #18908
• website/docs: added list of Int Guide contributors (also edited frontmatter) (cherry-pick #18888 to version-2025.12) by @authentik-automation[bot] in #18907
• api: fix latest version for public schema (cherry-pick #18902 to version-2025.12) by @authentik-automation[bot] in #18909
• ci/release-tag: checkout correct branch for make test-docker (cherry-pick #18880 to version-2025.12) by @authentik-automation[bot] in #18911
• website/docs: 2025.12: remove superfluous changes (cherry-pick #18910 to version-2025.12) by @authentik-automation[bot] in #18912
• web/admin: reword some things on the device view page (cherry-pick #18785 to version-2025.12) by @authentik-automation[bot] in #18913
• core/groups: optimize prefetch queries to fetch only required fields (cherry-pick #18448 to version-2025.12) by @authentik-automation[bot] in #18914
• root: fix docker-compose data mount (cherry-pick #18903 to version-2025.12) by @authentik-automation[bot] in #18918

Full Changelog: version/2025.12.0-rc1...version/2025.12.0-rc2

See https://docs.goauthentik.io/docs/releases/2025.10#fixed-in-2025103

What's Changed

• website/docs: fix broken link in source switching doc (cherry-pick #18317 to version-2025.10) by @authentik-automation[bot] in #18319
• website/docs: further improvments to source switch doc (cherry-pick #18320 to version-2025.10) by @authentik-automation[bot] in #18323
• website/docs: enhance blueprint docs (cherry-pick #15984 to version-2025.10) by @authentik-automation[bot] in #18322
• website/docs: added missed edits on Blueprints docs (cherry-pick #18321 to version-2025.10) by @authentik-automation[bot] in #18324
• website/docs: add high availability doc (cherry-pick #18182 to version-2025.10) by @authentik-automation[bot] in #18325
• website/docs: update info about docker socket mount (cherry-pick #18344 to version-2025.10) by @authentik-automation[bot] in #18365
• outposts: set container healthcheck inline (cherry-pick #18298 to version-2025.10) by @authentik-automation[bot] in #18370
• web/admin: add entitlement search (cherry-pick #18291 to version-2025.10) by @authentik-automation[bot] in #18390
• lib/sync/outgoing: check if there is a provider before creating tasks (cherry-pick #18394 to version-2025.10) by @authentik-automation[bot] in #18397
• web/admin: fix wording in password stage (cherry-pick #18393 to version-2025.10) by @authentik-automation[bot] in #18395
• web: Fix stale table rows (cherry-pick #17940 to version-2025.10) by @authentik-automation[bot] in #18373
• web: revert Fix stale table rows (cherry-pick #17940 to version-2025.10) by @rissson in #18407
• stages/prompt: set allow_blank for _read_only fields (cherry-pick #18297 to version-2025.10) by @authentik-automation[bot] in #18406
• packages/django-channels-postgres: fix notify size check (cherry-pick #18347 to version-2025.10) by @authentik-automation[bot] in #18409
• website/docs: improve creds recovery docs (cherry-pick #18385 to version-2025.10) by @authentik-automation[bot] in #18411
• web: Fix stale table rows (cherry-pick #17940 to version-2025.10) by @authentik-automation[bot] in #18408
• web/admin: fixes capitalization in application wizard title (cherry-pick #17959 to version-2025.10) by @authentik-automation[bot] in #17962
• website/docs: update certificate doc (cherry-pick #18295 to version-2025.10) by @authentik-automation[bot] in #18326
• providers/scim: compare users/groups before sending update request (cherry-pick #18456 to version-2025.10) by @authentik-automation[bot] in #18465
• web/admin: fix brands default switch label (cherry-pick #18518 to version-2025.10) by @authentik-automation[bot] in #18522
• website/docs: expressions: fix markdown (cherry-pick #18613 to version-2025.10) by @authentik-automation[bot] in #18617
• website/docs: adds note about ak_create_jwt function (cherry-pick #18614 to version-2025.10) by @authentik-automation[bot] in #18626
• flows: refresh unauthenticated tabs (cherry-pick #18621 to version-2025.10) by @authentik-automation[bot] in #18633
• root: fix missing authentik_device cookie causing error (cherry-pick #18642 to version-2025.10) by @authentik-automation[bot] in #18644
• enterprise/stages/mtls: fix traefik certificate parsing (cherry-pick #18607 to version-2025.10) by @authentik-automation[bot] in #18645
• web: Fix row expansion on modal trigger buttons. (cherry-pick #18412 to version-2025.10) by @authentik-automation[bot] in #18647
• web/admin: fix event volume chart not updating with query (cherry-pick #18649 to version-2025.10) by @authentik-automation[bot] in #18653
• sources/ldap: make server info optional (cherry-pick #18648 to version-2025.10) by @authentik-automation[bot] in #18654
• website/docs: install-config: fix dump_config command (cherry-pick #18659 to version-2025.10) by @authentik-automation[bot] in #18671
• root: skip current tab when refreshing others (cherry-pick #18674 to version-2025.10) by @authentik-automation[bot] in #18675
• web: Hide device picker when challenges are not present. (cherry-pick #18611 to version-2025.10) by @authentik-automation[bot] in #18681
• web: Improved table selection behavior (cherry-pick #18622 to version-2025.10) by @authentik-automation[bot] in #18685
• website/docs: background tasks: add more detail about "next run" (cherry-pick #18660 to version-2025.10) by @authentik-automation[bot] in #18672
• outpost/proxyv2: more tests, fix pg password with spaces, and existing session on restart (cherry-pick #18211 to version-2025.10) by @authentik-automation[bot] in #18742
• core: optimize list applications (cherry-pick #18330 to version-2025.10) by @authentik-automation[bot] in #18791
• core: list applications fix (cherry-pick #18798 to version-2025.10) by @authentik-automation[bot] in #18827
• packages/django-dramatiq-postgres: broker: close django connections on consumer close (cherry-pick #18833 to version-2025.10) by @authentik-automation[bot] in #18835
• website/docs: add icon info to style guide (cherry-pick #18832 to version-2025.10) by @authentik-automation[bot] in #18834
• website/docs: 2025.10.3 release notes (cherry-pick #18868 to version-2025.10) by @authentik-automation[bot] in #18872

Full Changelog: version/2025.10.2...version/2025.10.3

See https://next.goauthentik.io/docs/releases/2025.12

What's Changed

• root: bump version to 2025.12.0-rc1 by @authentik-automation[bot] in #17603
• website/integrations: Zoom: Fix punctuation in description by @dominic-r in #17608
• website: fix active menu link background overlap by @dominic-r in #17607
• ci: use forked release action to deal with large release notes by @BeryJu in #17625
• translate: Updates for file locale/en/LC_MESSAGES/django.po in pt_BR by @transifex-integration[bot] in #17622
• core, web: update translations by @authentik-automation[bot] in #17605
• website/docs: add short-lived certificate recommendation by @dewi-tik in #17628
• website/integrations: random fixes by @dewi-tik in #17631
• web: sync web/package-lock.json by @melizeche in #17611
• ci: link to next. for pre-release docs by @BeryJu in #17634
• enterprise: add prometheus metrics for license usage and expiry by @BeryJu in #17606
• core: bump djangorestframework from 3.16.0 (our fork) to v3.16.1 (official package) by @melizeche in #16594
• website/integrations: add zendesk by @PeshekDotDev in #17541
• website/integrations: add terraform cloud by @dominic-r in #17610
• core: bump github.com/getsentry/sentry-go from 0.36.0 to 0.36.1 by @dependabot[bot] in #17646
• web: bump style-mod from 4.1.2 to 4.1.3 in /web by @dependabot[bot] in #17647
• core: bump astral-sh/uv from 0.9.4 to 0.9.5 by @dependabot[bot] in #17645
• providers/proxy: drop headers with underscores by @BeryJu in #17650
• website/docs: rel notes 2025.10: add 3 more integration guides by @tanberry in #17641
• core, web: update translations by @authentik-automation[bot] in #17643
• translate: Updates for file web/xliff/en.xlf in pt_BR by @transifex-integration[bot] in #17639
• web: bump knip from 5.66.1 to 5.66.2 in /web by @dependabot[bot] in #17619
• web: bump @types/node from 22.15.19 to 24.9.1 in /web by @dependabot[bot] in #17618
• web: bump @types/node from 24.9.0 to 24.9.1 in /packages/prettier-config by @dependabot[bot] in #17617
• lib/sync/outgoing: store sync settings in database by @rissson in #17630
• web: bump vite from 7.1.10 to 7.1.11 in /web by @dependabot[bot] in #17604
• website: bump @types/node from 24.9.0 to 24.9.1 in /website by @dependabot[bot] in #17612
• core: bump goauthentik.io/api/v3 from 3.2025100.25 to 3.2025120.1 by @dependabot[bot] in #17613
• web: bump @types/node from 24.9.0 to 24.9.1 in /packages/esbuild-plugin-live-reload by @dependabot[bot] in #17616
• web: bump hono from 4.9.12 to 4.10.2 in /web by @dependabot[bot] in #17653
• website: bump the eslint group in /website with 3 updates by @dependabot[bot] in #17601
• lifecycle/aws: bump aws-cdk from 2.1030.0 to 2.1031.0 in /lifecycle/aws by @dependabot[bot] in #17667
• web: bump chromedriver from 141.0.3 to 141.0.4 in /web by @dependabot[bot] in #17665
• web: bump the sentry group across 1 directory with 2 updates by @dependabot[bot] in #17663
• core: bump goauthentik.io/api/v3 from 3.2025120.1 to 3.2025120.2 by @dependabot[bot] in #17662
• web: Table row refinements by @GirlBossRush in #17659
• web: Abstract Wizard Lifecycle by @GirlBossRush in #17658
• website/docs: add note about invite link not bound by @tanberry in #17657
• web: Make action field search case insensitive in Event Matcher Policy Form by @melizeche in #17680
• web: bump @goauthentik/prettier-config from 1.0.5 to 3.1.0 in /web in the goauthentik group across 1 directory by @dependabot[bot] in #17684
• translate: add cs_CZ by @rissson in #17632
• root: Fix transifex link by @Gunsmithy in #17696
• web: Fix table row click handler. by @GirlBossRush in #17697
• website/docs: eap add info about custom validation by @tanberry in #17642
• website/integrations: sonarr: clarify reverse proxy setup by @AlexLArmstrong in #17485
• website/integrations: zot oci registry integration by @shcherbak in #17682
• website/docs: release notes: Add Zot integration by @dominic-r in #17700
• website/docs: blueprints: add a bit more info by @dominic-r in #17704
• web: bump hono from 4.10.2 to 4.10.3 in /web by @dependabot[bot] in #17698
• web: bump @types/node from 22.15.19 to 24.9.1 in /web by @dependabot[bot] in #17687
• web: bump @types/codemirror from 5.60.16 to 5.60.17 in /web by @dependabot[bot] in #17685
• website/integrations: grafana: replace deprecated redirect_uris usage by allowed_redirect_uris by @TarQ1 in #17710
• ci: bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #17719
• ci: bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #17720
• web: bump the storybook group across 1 directory with 5 updates by @dependabot[bot] in #17715
• ci: bump astral-sh/setup-uv from 7.1.1 to 7.1.2 in /.github/actions/setup by @dependabot[bot] in #17718
• providers/oauth2: move encryption key field by @BeryJu in #17722
• enterprise: handle cached naive timezone by @BeryJu in #17695
• lifecycle: set search_path in system migrations by @BeryJu in #17721
• website/docs: update flow context ref by @BeryJu in #17723
• website/docs: finalise 2025.10 release notes by @BeryJu in #17728
• website/docs: fix placeholder leftover by @BeryJu in #17737
• root: update security.md's supported versions by @dominic-r in #17736
• web/a11y: Prefers more field contrast by @GirlBossRush in #17279
• root: Add Dockerfile label org.opencontainers.image.source by @Erwan-loot in #17756
• web: bump the sentry group across 1 directory with 2 updates by @dependabot[bot] in #17743
• providers/proxy: add gorm logging by @BeryJu in #17758
• providers/proxy: fix missing JWT/claims header by @BeryJu in #17759
• sources/oauth: Make PKCE verifier 128 characters by @alex9smith in #17763
• providers/radius: fix panic when no cert is configured by @BeryJu in #17762
• packages/django-postgres-cache: use upsert instead of select/update in a transaction by @rissson in #17760
• web: bump validator from 13.15.15 to 13.15.20 in /packages/eslint-config by @dependabot[bot] in #17742
• web: bump eslint-plugin-react-hooks from 7.0.0 to 7.0.1 in /packages/eslint-config in the eslint group across 1 directory by @dependabot[bot] in #17714
• website: bump validator from 13.15.15 to 13.15.20 in /website by @dependabot[bot] in #17741
• web: bump vite from 7.1.11 to 7.1.12 in /web by @dependabot[bot] in #17689
• core, web: update translations by @authentik-automation[bot] in #17660
• website: bump the build group in /website with 6 updates by @dependabot[bot] in #17712
  ...

See https://docs.goauthentik.io/docs/releases/2025.8#fixed-in-202585

What's Changed

• website/docs: developer docs: adjust sentence for writing docs (cherry-pick #17137 to version-2025.8) by @authentik-automation[bot] in #17142
• build(deps): bump django from 5.1.12 to 5.1.13 (cherry-pick #17198 to version-2025.8) by @authentik-automation[bot] in #17199
• packages/django-dramatiq-postgres: broker: fix task expiration (cherry-pick #17178 to version-2025.8) by @authentik-automation[bot] in #17217
• packages/django-dramatiq-postgres: fix error when updating task with no changes (cherry-pick #16728 to version-2025.8) by @authentik-automation[bot] in #17238
• tasks/middlewares/messages: make sure exceptions are always logged (cherry-pick #17237 to version-2025.8) by @authentik-automation[bot] in #17248
• core: fix absolute and relative path file uploads (cherry-pick #17269 to version-2025.8) by @authentik-automation[bot] in #17272
• web: Fix behavior for modals configured with closeAfterSuccessfulSubmit (cherry-pick #17277 to version-2025.8) by @authentik-automation[bot] in #17299
• lib/sync/outgoing: revert reduce number of db queries made (revert #14177) (cherry-pick #17306 to version-2025.8) by @authentik-automation[bot] in #17330
• blueprints: ensure tasks retry on database errors (cherry-pick #17333 to version-2025.8) by @authentik-automation[bot] in #17334
• web/admin: fix incorrect placeholder for scim provider (cherry-pick #17308 to version-2025.8) by @authentik-automation[bot] in #17309
• website/docs: add entra id scim source (cherry-pick #17357 to version-2025.8) by @authentik-automation[bot] in #17362
• website/docs: add email config section (cherry-pick #16727 to version-2025.8) by @authentik-automation[bot] in #17364
• website: add powershell syntax highlighting and bump package (cherry-pick #16683) by @authentik-automation[bot] in #16721
• website/docs: update SAML provider docs (cherry-pick #15887 to version-2025.8) by @authentik-automation[bot] in #17583
• ci: rework internal repo (#17797) by @BeryJu in #17830
• ci: fix migrate-from-stable for old versions by @BeryJu in #18018
• core: bump Django from 5.1.13 to 5.1.14 for 2025.8 by @melizeche in #17968
• internal: Automated internal backport: 1498-oauth2-cc-user-active.sec.patch to authentik-2025.8 by @authentik-automation[bot] in #18262
• internal: Automated internal backport: 1487-invitation-expiry.sec.patch to authentik-2025.8 by @authentik-automation[bot] in #18261
• internal: Automated internal backport: 5000-sidebar.sec.patch to authentik-2025.8 by @authentik-automation[bot] in #18263
• website/docs: add 2025.8.5 and 2025.10.2 release notes (cherry-pick #18268 to version-2025.8) by @authentik-automation[bot] in #18269

Full Changelog: version/2025.8.4...version/2025.8.5

See https://docs.goauthentik.io/docs/releases/2025.10#fixed-in-2025102

What's Changed

• brands: add more matching tests (cherry-pick #16185 to version-2025.10) by @authentik-automation[bot] in #17924
• brands: sort matched brand by match length (cherry-pick #17920 to version-2025.10) by @authentik-automation[bot] in #17935
• tasks/schedules: fix rel obj not being associated or updated (cherry-pick #17934 to version-2025.10) by @authentik-automation[bot] in #17936
• website/docs: added Note about email_verified scope mapping is set to false by default (cherry-pick #17942 to version-2025.10) by @authentik-automation[bot] in #17961
• website/docs: remove broken info box and fix sentence (cherry-pick #17963 to version-2025.10) by @authentik-automation[bot] in #17965
• core: bump django from 5.2.7 to 5.2.8 (cherry-pick #17967 to version-2025.10) by @authentik-automation[bot] in #18003
• website/docs: updates img-src csp (cherry-pick #18010 to version-2025.10) by @authentik-automation[bot] in #18012
• ci: fix migrate-from-stable for old versions (#18019) by @BeryJu in #18024
• website/release notes: fix broken urls (cherry-pick #18041 to version-2025.10) by @authentik-automation[bot] in #18044
• website/docs: update discord social login script example (cherry-pick #18026 to version-2025.10) by @authentik-automation[bot] in #18057
• ci: attempt to fix integration tests using dind (cherry-pick #18066 to version-2025.10) by @authentik-automation[bot] in #18069
• ci: revert to upstream GHA for release (#18058) by @BeryJu in #18065
• events: fix timezone not set for log events (cherry-pick #18067 to version-2025.10) by @authentik-automation[bot] in #18071
• providers/scim: allow custom schema data (cherry-pick #18073 to version-2025.10) by @authentik-automation[bot] in #18075
• core: improve app launch URL formatting (cherry-pick #18076 to version-2025.10) by @authentik-automation[bot] in #18087
• cmd/server/healthcheck: remove worker HTTP healthcheck (cherry-pick #18090 to version-2025.10) by @authentik-automation[bot] in #18091
• web: Fix RAC modal visibility. (cherry-pick #17941 to version-2025.10) by @authentik-automation[bot] in #18097
• web: Fix tab activation, blank provider URLs (cherry-pick #18031 to version-2025.10) by @authentik-automation[bot] in #18101
• website/docs: fix wording in stages overview (cherry-pick #18061 to version-2025.10) by @authentik-automation[bot] in #18120
• packages/django-dramatiq-postgres: broker: ensure locking happens with the same connection (cherry-pick #18095 to version-2025.10) by @authentik-automation[bot] in #18119
• web/flows: improvements for hCaptcha (cherry-pick #16882 to version-2025.10) by @authentik-automation[bot] in #18128
• web/admin: link to user on invitation list page (cherry-pick #18132 to version-2025.10) by @authentik-automation[bot] in #18134
• packages/django-channels-postgres/layer: fix query when subscribed to multiple channels (cherry-pick #18152 to version-2025.10) by @authentik-automation[bot] in #18153
• web: Disable library <datalist> on Firefox. (cherry-pick #18103 to version-2025.10) by @authentik-automation[bot] in #18135
• web/sfe: downgrade bootstrap that was accidentally upgraded (cherry-pick #18157 to version-2025.10) by @authentik-automation[bot] in #18171
• website/docs: Add instructions for installing RC versions (cherry-pick #18099 to version-2025.10) by @authentik-automation[bot] in #18193
• website/docs: update application description (cherry-pick #18125 to version-2025.10) by @authentik-automation[bot] in #18127
• stages/prompt: fix choices with labels causing error on submit (cherry-pick #18183 to version-2025.10) by @authentik-automation[bot] in #18236
• internal: Automated internal backport: 1487-invitation-expiry.sec.patch to authentik-2025.10 by @authentik-automation[bot] in #18258
• internal: Automated internal backport: 1498-oauth2-cc-user-active.sec.patch to authentik-2025.10 by @authentik-automation[bot] in #18259
• internal: Automated internal backport: 5000-sidebar.sec.patch to authentik-2025.10 by @authentik-automation[bot] in #18260
• website/docs: add 2025.8.5 and 2025.10.2 release notes (cherry-pick #18268 to version-2025.10) by @authentik-automation[bot] in #18270

Full Changelog: version/2025.10.1...version/2025.10.2

See https://docs.goauthentik.io/docs/releases/2025.10#fixed-in-2025101

What's Changed

• website/docs: fix placeholder leftover (cherry-pick #17737 to version-2025.10) by @authentik-automation[bot] in #17738
• root: Add Dockerfile label org.opencontainers.image.source (cherry-pick #17756 to version-2025.10) by @authentik-automation[bot] in #17757
• providers/proxy: fix missing JWT/claims header (cherry-pick #17759 to version-2025.10) by @authentik-automation[bot] in #17764
• sources/oauth: Make PKCE verifier 128 characters (cherry-pick #17763 to version-2025.10) by @authentik-automation[bot] in #17765
• providers/radius: fix panic when no cert is configured (cherry-pick #17762 to version-2025.10) by @authentik-automation[bot] in #17766
• providers/oauth2: move encryption key field (cherry-pick #17722 to version-2025.10) by @authentik-automation[bot] in #17729
• packages/django-postgres-cache: use upsert instead of select/update in a transaction (cherry-pick #17760 to version-2025.10) by @authentik-automation[bot] in #17767
• tasks: delay startup signals (cherry-pick #17769 to version-2025.10) by @authentik-automation[bot] in #17775
• root: use hashes for dockerfile FROM (cherry-pick #17795 to version-2025.10) by @authentik-automation[bot] in #17798
• internal: fix go deprecation for +build (cherry-pick #17806 to version-2025.10) by @authentik-automation[bot] in #17824
• ci: rework internal repo (#17797) by @BeryJu in #17829
• internal/web/proxy: fix return status code during startup (cherry-pick #17827 to version-2025.10) by @authentik-automation[bot] in #17832
• web/admin: fix scim provider form (cherry-pick #17831 to version-2025.10) by @authentik-automation[bot] in #17834
• core: bump astral-sh/uv from 0.9.5 to 0.9.6 (cherry-pick #17820 to version-2025.10) by @authentik-automation[bot] in #17835
• tasks: sanitize log attributes (cherry-pick #17833 to version-2025.10) by @authentik-automation[bot] in #17842
• outposts: update permissions more eagerly (cherry-pick #17783 to version-2025.10) by @authentik-automation[bot] in #17841
• outpost: revert breaking signals change (cherry-pick #17847 to version-2025.10) by @authentik-automation[bot] in #17848
• internal: full openssl path (cherry-pick #17856 to version-2025.10) by @authentik-automation[bot] in #17860
• web: Consistent Tab Panel URL Parameters (cherry-pick #17804 to version-2025.10) by @authentik-automation[bot] in #17859
• web/a11y: User library -- fix issues surrounding element focus, ARIA labeling. (cherry-pick #17522 to version-2025.10) by @authentik-automation[bot] in #17828
• providers/radius: fix inverted message authenticator validation (cherry-pick #17855 to version-2025.10) by @authentik-automation[bot] in #17888
• providers/radius: revert fix inverted message authenticator validation (#17855) (cherry-pick #17915 to version-2025.10) by @authentik-automation[bot] in #17916
• providers/oauth2: fix kid always required for federation (cherry-pick #17914 to version-2025.10) by @authentik-automation[bot] in #17917
• website/docs: 2025.10.1 release notes (cherry-pick #17918 to version-2025.10) by @authentik-automation[bot] in #17919

Full Changelog: version/2025.10.0...version/2025.10.1

See https://docs.goauthentik.io/docs/releases/2025.10

What's Changed

• enterprise: add prometheus metrics for license usage and expiry (cherry-pick #17606 to version-2025.10) by @authentik-automation[bot] in #17637
• website/docs: rel notes 2025.10: add 3 more integration guides (cherry-pick #17641 to version-2025.10) by @authentik-automation[bot] in #17652
• providers/proxy: drop headers with underscores (cherry-pick #17650 to version-2025.10) by @authentik-automation[bot] in #17651
• website/docs: add note about invite link not bound (cherry-pick #17657 to version-2025.10) by @authentik-automation[bot] in #17672
• website/docs: eap add info about custom validation (cherry-pick #17642 to version-2025.10) by @authentik-automation[bot] in #17699
• website/docs: release notes: Add Zot integration (cherry-pick #17700 to version-2025.10) by @authentik-automation[bot] in #17701
• website/docs: add short-lived certificate recommendation (cherry-pick #17628 to version-2025.10) by @authentik-automation[bot] in #17633
• website/docs: blueprints: add a bit more info (cherry-pick #17704 to version-2025.10) by @authentik-automation[bot] in #17708
• enterprise: handle cached naive timezone (cherry-pick #17695 to version-2025.10) by @authentik-automation[bot] in #17730
• website/docs: update flow context ref (cherry-pick #17723 to version-2025.10) by @authentik-automation[bot] in #17732
• website/docs: finalise 2025.10 release notes (cherry-pick #17728 to version-2025.10) by @authentik-automation[bot] in #17733

Full Changelog: version/2025.10.0-rc3...version/2025.10.0

See https://docs.goauthentik.io/docs/releases/2025.10

What's Changed

• admin: system api: fix FIPS status schema by @rissson in #10110
• website/docs: Specify Synology DSM Account type to use by @jannickfahlbusch in #10111
• web: bump API Client version by @authentik-automation[bot] in #10113
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10109
• website/docs: add more info about multiple replicas by @tanberry in #10117
• policies/reputation: fix existing reputation update by @rissson in #10124
• stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs by @authentik-automation[bot] in #10119
• translate: Updates for file web/xliff/en.xlf in zh_CN by @transifex-integration[bot] in #10120
• translate: Updates for file web/xliff/en.xlf in zh-Hans by @transifex-integration[bot] in #10121
• core, web: update translations by @authentik-automation[bot] in #10118
• core: bump goauthentik.io/api/v3 from 3.2024042.11 to 3.2024042.13 by @dependabot[bot] in #10134
• core: bump ruff from 0.4.8 to 0.4.9 by @dependabot[bot] in #10128
• core, web: update translations by @authentik-automation[bot] in #10127
• core: bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot[bot] in #10133
• web: bump chromedriver from 126.0.0 to 126.0.1 in /tests/wdio by @dependabot[bot] in #10136
• core: bump github.com/gorilla/sessions from 1.2.2 to 1.3.0 by @dependabot[bot] in #10135
• web: bump @patternfly/elements from 3.0.1 to 3.0.2 in /web by @dependabot[bot] in #10132
• website: bump react-tooltip from 5.26.4 to 5.27.0 in /website by @dependabot[bot] in #10129
• web: fix early modal stack depletion by @kensternberg-authentik in #10068
• website/integations/services: Slack integration docs by @tanberry in #9933
• core: include version in built JS files by @BeryJu in #9558
• web: fix needed because recent upgrade to task breaks spinner button by @kensternberg-authentik in #10142
• web: bump ws from 8.16.0 to 8.17.1 in /web by @dependabot[bot] in #10149
• web: bump the storybook group in /web with 7 updates by @dependabot[bot] in #10147
• ci: bump docker/build-push-action from 5 to 6 by @dependabot[bot] in #10144
• core: bump urllib3 from 2.2.1 to 2.2.2 by @dependabot[bot] in #10143
• root: use custom model serializer that saves m2m without bulk by @BeryJu in #10139
• root: makefile: add codespell to make website by @rissson in #10116
• web: fix docker build for non-release versions by @rissson in #10154
• website/integrations: gitlab: better service description by @dominic-r in #9923
• website/docs: Describe where to apply the auto setup env vars by @m1212e in #9863
• website/integrations: jellyfin: add OIDC configuration by @Redlonghead in #9538
• web: bump the wdio group in /tests/wdio with 4 updates by @dependabot[bot] in #10160
• web: bump chromedriver from 126.0.1 to 126.0.2 in /tests/wdio by @dependabot[bot] in #10161
• core: bump twilio from 9.1.1 to 9.2.0 by @dependabot[bot] in #10162
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10167
• website/docs: 2024.6 release notes: add note about group names by @rissson in #10170
• core: fix error when raising SkipObject in mapping by @BeryJu in #10153
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10174
• website/docs: update template reference by @emmanuel-ferdman in #10166
• web: bump @sentry/browser from 8.9.2 to 8.10.0 in /web in the sentry group by @dependabot[bot] in #10185
• core: bump google-api-python-client from 2.133.0 to 2.134.0 by @dependabot[bot] in #10183
• web: bump glob from 10.4.1 to 10.4.2 in /web by @dependabot[bot] in #10163
• core: rework base for SkipObject exception to better support control flow exceptions by @BeryJu in #10186
• website/docs: Remove hyphen in read replica in Release Notes by @tanberry in #10178
• website/docs: Fix nginx proxy_pass directive documentation by @fotinakis in #10181
• core: bump selenium from 4.21.0 to 4.22.0 by @dependabot[bot] in #10194
• core: bump ruff from 0.4.9 to 0.4.10 by @dependabot[bot] in #10193
• web: bump typescript from 5.4.5 to 5.5.2 in /tests/wdio by @dependabot[bot] in #10192
• web: bump typescript from 5.4.5 to 5.5.2 in /web by @dependabot[bot] in #10191
• website: bump typescript from 5.4.5 to 5.5.2 in /website by @dependabot[bot] in #10190
• web: bump @sentry/browser from 8.10.0 to 8.11.0 in /web in the sentry group by @dependabot[bot] in #10204
• web: bump chromedriver from 126.0.2 to 126.0.3 in /tests/wdio by @dependabot[bot] in #10203
• core: bump twilio from 9.2.0 to 9.2.1 by @dependabot[bot] in #10202
• core: bump coverage from 7.5.3 to 7.5.4 by @dependabot[bot] in #10201
• web/flows: update flow background by @BeryJu in #10206
• website/docs: fix #9552 openssl rand base64 line wrap by @jogerj in #10211
• website/integrations: fix typo in documentation for OIDC setup with Paperless-ngx by @rwh85 in #10218
• security: fix CVE-2024-38371 by @BeryJu in #10229
• security: fix CVE-2024-37905 by @BeryJu in #10230
• core: bump debugpy from 1.8.1 to 1.8.2 by @dependabot[bot] in #10225
• web: bump @sentry/browser from 8.11.0 to 8.12.0 in /web in the sentry group by @dependabot[bot] in #10226
• core: bump webauthn from 2.1.0 to 2.2.0 by @dependabot[bot] in #10224
• web: bump chromedriver from 126.0.3 to 126.0.4 in /tests/wdio by @dependabot[bot] in #10223
• core: bump pdoc from 14.5.0 to 14.5.1 by @dependabot[bot] in #10221
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10228
• website/docs: update 2024.2 release notes with security fixes by @rissson in #10232
• website/docs: update 2024.4 release notes with latest changes by @rissson in #10231
• website/docs: update 2024.6 release notes with latest changes (cherry-pick #10228) by @gcp-cherry-pick-bot[bot] in #10243
• website/docs: remove RC disclaimer from 2024.6 release notes by @rissson in #10245
• website/docs: remove RC disclaimer from 2024.6 release notes (cherry-pick #10245) by @gcp-cherry-pick-bot[bot] in #10246
• security: update supported versions by @rissson in #10247
• security: update supported versions (cherry-pick #10247) by @gcp-cherry-pick-bot[bot] in #10248
• website/docs: update geoip and asn example to use the proper syntax by @rissson in #10249
• website/docs: update the Welcome page by @tanberry in #10222
• website/docs: update geoip and asn example to use the proper syntax (cherry-pick #10249) by @gcp-cherry-pick-bot[bot] in #10250
• web: bump API Client versi...

See https://docs.goauthentik.io/docs/releases/2025.8#fixed-in-202584

What's Changed

• webiste/docs: improve user ref doc (cherry-pick #16779) by @authentik-automation[bot] in #16839
• providers/scim: fix string formatting for SCIM user filter (cherry-pick #16465) by @authentik-automation[bot] in #16852
• website/docs: 2025.8: fix worker concurrency setting rename (cherry-pick #16946) by @authentik-automation[bot] in #16950
• website/docs: fix capitalization (cherry-pick #16944) by @authentik-automation[bot] in #16958
• website/docs: random typo fixes (cherry-pick #16956) by @authentik-automation[bot] in #16959
• website/docs: add docs for source switch expression policy (cherry-pick #16878) by @authentik-automation[bot] in #16972
• website/docs: update url to docker-compose.yml (cherry-pick #16901) by @authentik-automation[bot] in #16986
• website/developer docs: What domain for what doc version (cherry-pick #16987) by @authentik-automation[bot] in #16996
• providers/ldap: add include_children parameter to cached search mode (cherry-pick #16918) by @authentik-automation[bot] in #17000
• website/docs: oauth provider: Add device and introspect to reserved slugs (cherry-pick #16994) by @authentik-automation[bot] in #16998
• webiste/docs: add missing oauth endpoints (cherry-pick #16995) by @authentik-automation[bot] in #16999
• website/docs: improve discord policies when also bound to non-oauth sources (cherry-pick #17008) by @authentik-automation[bot] in #17012
• rbac: fix typo (cherry-pick #16476) by @authentik-automation[bot] in #17018
• core: add index on Group.is_superuser (cherry-pick #17011) by @authentik-automation[bot] in #17017
• lib: match exception_to_dict locals behaviour (cherry-pick #17006) by @authentik-automation[bot] in #17016
• website/docs: Update Github expression to handle non-OAuth sources gracefully (cherry-pick #17014) by @authentik-automation[bot] in #17029
• lib/config: fix listen settings (cherry-pick #17005) by @authentik-automation[bot] in #17023
• */bindings: order by pk (cherry-pick #17027) by @authentik-automation[bot] in #17053
• tasks: fix logger name (cherry-pick #17009 to version-2025.8) by @authentik-automation[bot] in #17060
• web/admin: fix federation sources automatically selected (cherry-pick #17069 to version-2025.8) by @authentik-automation[bot] in #17070
• rbac: optimize rbac assigned by users query (cherry-pick #17015 to version-2025.8) by @authentik-automation[bot] in #17092
• web: Fix layout class for row in LibraryPage (cherry-pick #16752 to version-2025.8) by @authentik-automation[bot] in #17091
• cmd/server/healthcheck: info log success instead of debug (cherry-pick #17093 to version-2025.8) by @authentik-automation[bot] in #17097
• outposts/ldap: add pwdChangeTime attribute (cherry-pick #17010 to version-2025.8) by @authentik-automation[bot] in #17101
• stages/identification: fix mismatched error messages (cherry-pick #17090 to version-2025.8) by @authentik-automation[bot] in #17104
• providers/oauth2: fix authentication error with identical app passwords (cherry-pick #17100 to version-2025.8) by @authentik-automation[bot] in #17103
• packages/django-dramatiq-postgres: broker: fix new messages not being picked up when too many messages are waiting (cherry-pick #17106 to version-2025.8) by @authentik-automation[bot] in #17108
• tasks: reduce default number of retries and max backoff (cherry-pick #17107 to version-2025.8) by @authentik-automation[bot] in #17109
• website/docs: 2025.8.4 release notes (cherry-pick #17119 to version-2025.8) by @authentik-automation[bot] in #17120

Full Changelog: version/2025.8.3...version/2025.8.4