Release 2025.4.1

See https://docs.goauthentik.io/docs/releases/2025.4#fixed-in-202541

What's Changed

• website/docs: add gateway API to release notes and documentation (cherry-pick #14278) by @gcp-cherry-pick-bot in #14298
• ci: cleanup post uv migration (cherry-pick #13538) by @gcp-cherry-pick-bot in #14297
• website/docs: initial permissions: fix usage of term admin (cherry-pick #14300) by @gcp-cherry-pick-bot in #14302
• brands: fix CSS Migration not updating brands (cherry-pick #14306) by @gcp-cherry-pick-bot in #14308
• website/docs: docs about initial perms (cherry-pick #14263) by @gcp-cherry-pick-bot in #14282
• rbac: fix RoleObjectPermissionTable not showing add_user_to_group (cherry-pick #14312) by @gcp-cherry-pick-bot in #14334
• outposts: fix tmpdir in containers not being set (cherry-pick #14444) by @gcp-cherry-pick-bot in #14449
• lifecycle: fix ak dump_config (cherry-pick #14445) by @gcp-cherry-pick-bot in #14448
• web/flows/sfe: fix global background image not being loaded (cherry-pick #14442) by @gcp-cherry-pick-bot in #14450
• core: bump h11 from 0.14.0 to v0.16.0 (cherry-pick #14352) by @gcp-cherry-pick-bot in #14472
• core: fix session migration when old session can't be loaded (cherry-pick #14466) by @gcp-cherry-pick-bot in #14480
• root: temporarily deactivate database pool option (cherry-pick #14443) by @gcp-cherry-pick-bot in #14479
• root: backport SFE Build fix by @BeryJu in #14495
• enterprise: fix expired license's users being counted (cherry-pick #14451) by @gcp-cherry-pick-bot in #14496
• core: remove OldAuthenticatedSession content type (cherry-pick #14507) by @gcp-cherry-pick-bot in #14509
• core: fix unable to create group if no enable_group_superuser permission is given (cherry-pick #14510) by @gcp-cherry-pick-bot in #14521

Full Changelog: version/2025.4.0...version/2025.4.1

Release 2025.4.0

See https://docs.goauthentik.io/docs/releases/2025.4

What's Changed

• core: clear expired database sessions by @BeryJu in #13105
• website/docs: add 2025.2 release notes by @BeryJu in #13002
• providers/rac: move to open source by @gergosimonyi in #13015
• web: bump API Client version by @authentik-automation in #13113
• web/user: fix opening application with Enter not respecting new tab setting by @BeryJu in #13115
• web/admin: update Application Wizard button placement by @kensternberg-authentik in #12771
• cmd: set version in outposts by @BeryJu in #13116
• sources/oauth: add group sync for azure_ad by @BeryJu in #12894
• website: Use Docusaurus Frontmatter for badges by @GirlBossRush in #12893
• web: Indicate when caps-lock is active during password input. by @GirlBossRush in #12733
• web/flows: fix error on interactive Captcha stage when retrying captcha by @BeryJu in #13119
• revert: rbac: exclude permissions for internal models (#12803) by @BeryJu in #13138
• core: bump zxcvbn from 4.4.28 to 4.5.0 by @dependabot in #13128
• policies/geoip: fix math in impossible travel by @BeryJu in #13141
• enterprise/stages/source: fix Source stage not executing authentication/enrollment flow by @BeryJu in #12875
• core: bump github.com/prometheus/client_golang from 1.20.5 to 1.21.0 by @dependabot in #13135
• core: bump goauthentik.io/api/v3 from 3.2024123.6 to 3.2024123.7 by @dependabot in #13134
• lifecycle/aws: bump aws-cdk from 2.179.0 to 2.1000.2 in /lifecycle/aws by @dependabot in #13133
• core: bump duo-client from 5.3.0 to 5.4.0 by @dependabot in #13132
• core: bump kubernetes from 32.0.0 to 32.0.1 by @dependabot in #13131
• website: bump postcss from 8.5.2 to 8.5.3 in /website by @dependabot in #13130
• website: bump semver from 7.7.0 to 7.7.1 in /website by @dependabot in #13129
• scripts: fix broken link by @gergosimonyi in #13156
• web/user: fix post MFA creation link being invalid by @BeryJu in #13157
• core: bump selenium from 4.28.1 to 4.29.0 by @dependabot in #13155
• website: bump docusaurus-plugin-openapi-docs from 4.3.4 to 4.3.5 in /website by @dependabot in #13153
• core: bump twilio from 9.4.5 to 9.4.6 by @dependabot in #13151
• core: bump ruff from 0.9.6 to 0.9.7 by @dependabot in #13150
• website: bump docusaurus-theme-openapi-docs from 4.3.4 to 4.3.5 in /website by @dependabot in #13154
• website: bump disqus-react from 1.1.5 to 1.1.6 in /website by @dependabot in #13152
• website/docs: troubleshooting: fix missing command prefix for create admin group command in Docker by @dominic-r in #13107
• web/user: fix RAC launch not opening when clicking icon by @BeryJu in #13164
• ci: update poetry sync command by @rissson in #13161
• root: allow configuring session cookie age by @rissson in #12389
• web/admin: only show message when not editing an application by @BeryJu in #13165
• web/user: fix race condition in user settings flow executor by @BeryJu in #13163
• website: enable docusaurus faster option by @BeryJu in #12326
• website/docs: fix typo by @klmmr in #13174
• web/flow: update default flow background by @BeryJu in #13175
• web/flow: grab focus to uid input field by @BeryJu in #13177
• web/flows: disambiguate brand links codeblock by @kensternberg-authentik in #12141
• web/admin: fix default selection for binding policy by @BeryJu in #13180
• core: add darkreader-lock by @BeryJu in #13183
• website: revert enable docusaurus faster option (#12326) by @BeryJu in #13207
• core: bump github.com/redis/go-redis/v9 from 9.7.0 to 9.7.1 by @dependabot in #13205
• core: bump psycopg from 3.2.4 to 3.2.5 by @dependabot in #13203
• core: bump setproctitle from 1.3.4 to 1.3.5 by @dependabot in #13202
• website: bump prettier from 3.5.1 to 3.5.2 in /website by @dependabot in #13192
• web/flow: fix translate extract by @BeryJu in #13208
• web/user: fix display for RAC tile by @BeryJu in #13211
• website/docs: updated debugging docs by @BeryJu in #12809
• website/docs: add new SSF provider docs by @tanberry in #13102
• website/docs: add info about new perms for super-user in groups by @tanberry in #13188
• stages/authenticator_email: Email Authenticator Stage Documentation by @melizeche in #12853
• website/docs: remove mention of wizard by @tanberry in #13126
• website/docs: remove Enterprise badge from RAC docs by @gergosimonyi in #13069
• website/docs: add paragraph about impossible travel by @tanberry in #13125
• core: bump aws-cdk-lib from 2.179.0 to 2.180.0 by @dependabot in #13204
• website/docs: update the 2025.2 rel notes by @tanberry in #13213
• website/docs: fix missing breaking entry for 2025.2 release notes by @BeryJu in #13223
• root: Backport version 2025.2 by @BeryJu in #13225
• website/docs: Add Passkeys reference where WebAuthn is mentioned by @melizeche in #13167
• web: bump API Client version by @authentik-automation in #13226
• website: remove images from integrations index page by @dominic-r in #12897
• core: bump goauthentik.io/api/v3 from 3.2024123.7 to 3.2025020.1 by @dependabot in #13241
• lifecycle/aws: bump aws-cdk from 2.1000.2 to 2.1000.3 in /lifecycle/aws by @dependabot in #13239
• core, web: update translations by @authentik-automation in #13236
• core: bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5 by @dependabot in #13235
• web/admin: fix minor typo by @S33G in #13181
• core: bump golang.org/x/oauth2 from 0.26.0 to 0.27.0 by @dependabot in #13240
• ci: run translation extraction on PRs too by @rissson in #13214
• lifecycle: add warning regarding supported installation methods by @dominic-r in #13190
• core: add pre-hydrated relative URL by @BeryJu in #13243
• website/integrations: add plesk by @Lars- in #13000
• website/docs: add enterprise label to SSF docs by @tanberry in #13251
• ci: fix translation extraction for external PRs by @rissson in #13266
• website/docs: remove Enterprise badge from RAC docs -- again by @gergosimonyi in #13268
• stages/authenticator_email: fix session cleanup test b by @melizeche in #13264
• stages/email: Fix email stage serialization by @melizeche in #13256
• translate: Updates for file locale/en/LC_MESSAGES/django.po in fr by @transifex-integration in #13274
• translate: Updates for file web/xliff/en.xlf in fr by @transifex-integration in #13275
• website/docs: prepare for...

Release 2025.4.0-rc2

See https://docs.goauthentik.io/docs/releases/2025.4

What's Changed

• admin: system api: fix FIPS status schema by @rissson in #10110
• website/docs: Specify Synology DSM Account type to use by @jannickfahlbusch in #10111
• web: bump API Client version by @authentik-automation in #10113
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10109
• website/docs: add more info about multiple replicas by @tanberry in #10117
• policies/reputation: fix existing reputation update by @rissson in #10124
• stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs by @authentik-automation in #10119
• translate: Updates for file web/xliff/en.xlf in zh_CN by @transifex-integration in #10120
• translate: Updates for file web/xliff/en.xlf in zh-Hans by @transifex-integration in #10121
• core, web: update translations by @authentik-automation in #10118
• core: bump goauthentik.io/api/v3 from 3.2024042.11 to 3.2024042.13 by @dependabot in #10134
• core: bump ruff from 0.4.8 to 0.4.9 by @dependabot in #10128
• core, web: update translations by @authentik-automation in #10127
• core: bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot in #10133
• web: bump chromedriver from 126.0.0 to 126.0.1 in /tests/wdio by @dependabot in #10136
• core: bump github.com/gorilla/sessions from 1.2.2 to 1.3.0 by @dependabot in #10135
• web: bump @patternfly/elements from 3.0.1 to 3.0.2 in /web by @dependabot in #10132
• website: bump react-tooltip from 5.26.4 to 5.27.0 in /website by @dependabot in #10129
• web: fix early modal stack depletion by @kensternberg-authentik in #10068
• website/integations/services: Slack integration docs by @tanberry in #9933
• core: include version in built JS files by @BeryJu in #9558
• web: fix needed because recent upgrade to task breaks spinner button by @kensternberg-authentik in #10142
• web: bump ws from 8.16.0 to 8.17.1 in /web by @dependabot in #10149
• web: bump the storybook group in /web with 7 updates by @dependabot in #10147
• ci: bump docker/build-push-action from 5 to 6 by @dependabot in #10144
• core: bump urllib3 from 2.2.1 to 2.2.2 by @dependabot in #10143
• root: use custom model serializer that saves m2m without bulk by @BeryJu in #10139
• root: makefile: add codespell to make website by @rissson in #10116
• web: fix docker build for non-release versions by @rissson in #10154
• website/integrations: gitlab: better service description by @dominic-r in #9923
• website/docs: Describe where to apply the auto setup env vars by @m1212e in #9863
• website/integrations: jellyfin: add OIDC configuration by @Redlonghead in #9538
• web: bump the wdio group in /tests/wdio with 4 updates by @dependabot in #10160
• web: bump chromedriver from 126.0.1 to 126.0.2 in /tests/wdio by @dependabot in #10161
• core: bump twilio from 9.1.1 to 9.2.0 by @dependabot in #10162
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10167
• website/docs: 2024.6 release notes: add note about group names by @rissson in #10170
• core: fix error when raising SkipObject in mapping by @BeryJu in #10153
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10174
• website/docs: update template reference by @emmanuel-ferdman in #10166
• web: bump @sentry/browser from 8.9.2 to 8.10.0 in /web in the sentry group by @dependabot in #10185
• core: bump google-api-python-client from 2.133.0 to 2.134.0 by @dependabot in #10183
• web: bump glob from 10.4.1 to 10.4.2 in /web by @dependabot in #10163
• core: rework base for SkipObject exception to better support control flow exceptions by @BeryJu in #10186
• website/docs: Remove hyphen in read replica in Release Notes by @tanberry in #10178
• website/docs: Fix nginx proxy_pass directive documentation by @fotinakis in #10181
• core: bump selenium from 4.21.0 to 4.22.0 by @dependabot in #10194
• core: bump ruff from 0.4.9 to 0.4.10 by @dependabot in #10193
• web: bump typescript from 5.4.5 to 5.5.2 in /tests/wdio by @dependabot in #10192
• web: bump typescript from 5.4.5 to 5.5.2 in /web by @dependabot in #10191
• website: bump typescript from 5.4.5 to 5.5.2 in /website by @dependabot in #10190
• web: bump @sentry/browser from 8.10.0 to 8.11.0 in /web in the sentry group by @dependabot in #10204
• web: bump chromedriver from 126.0.2 to 126.0.3 in /tests/wdio by @dependabot in #10203
• core: bump twilio from 9.2.0 to 9.2.1 by @dependabot in #10202
• core: bump coverage from 7.5.3 to 7.5.4 by @dependabot in #10201
• web/flows: update flow background by @BeryJu in #10206
• website/docs: fix #9552 openssl rand base64 line wrap by @jogerj in #10211
• website/integrations: fix typo in documentation for OIDC setup with Paperless-ngx by @rwh85 in #10218
• security: fix CVE-2024-38371 by @BeryJu in #10229
• security: fix CVE-2024-37905 by @BeryJu in #10230
• core: bump debugpy from 1.8.1 to 1.8.2 by @dependabot in #10225
• web: bump @sentry/browser from 8.11.0 to 8.12.0 in /web in the sentry group by @dependabot in #10226
• core: bump webauthn from 2.1.0 to 2.2.0 by @dependabot in #10224
• web: bump chromedriver from 126.0.3 to 126.0.4 in /tests/wdio by @dependabot in #10223
• core: bump pdoc from 14.5.0 to 14.5.1 by @dependabot in #10221
• website/docs: update 2024.6 release notes with latest changes by @rissson in #10228
• website/docs: update 2024.2 release notes with security fixes by @rissson in #10232
• website/docs: update 2024.4 release notes with latest changes by @rissson in #10231
• website/docs: update 2024.6 release notes with latest changes (cherry-pick #10228) by @gcp-cherry-pick-bot in #10243
• website/docs: remove RC disclaimer from 2024.6 release notes by @rissson in #10245
• website/docs: remove RC disclaimer from 2024.6 release notes (cherry-pick #10245) by @gcp-cherry-pick-bot in #10246
• security: update supported versions by @rissson in #10247
• security: update supported versions (cherry-pick #10247) by @gcp-cherry-pick-bot in #10248
• website/docs: update geoip and asn example to use the proper syntax by @rissson in #10249
• website/docs: update the Welcome page by @tanberry in #10222
• website/docs: update geoip and asn example to use the proper syntax (cherry-pick #10249) by @gcp-cherry-pick-bot in #10250
• web: bump API Client version by @authentik-automation in #10252
• web/flows: remove continue button from AutoSubmit stage by @BeryJu in #10253
  ...

Release 2025.2.4

See https://docs.goauthentik.io/docs/releases/2025.2#fixed-in-202524

What's Changed

• stages/email: fix for newlines in emails by @melizeche in #13712
• providers/scim: fix group membership check failing (cherry-pick #13644) by @gcp-cherry-pick-bot in #13825
• Revert "core: fix non-exploitable open redirect (#13696)" (cherry-pick #13824) by @gcp-cherry-pick-bot in #13826

Full Changelog: version/2025.2.3...version/2025.2.4

Release 2024.12.5

See https://docs.goauthentik.io/docs/releases/2024.12#fixed-in-2024125

What's Changed

• Revert "core: fix non-exploitable open redirect (#13696)" by @rissson in #13827

Full Changelog: version/2024.12.4...version/2024.12.5

Release 2025.2.3

See https://docs.goauthentik.io/docs/releases/2025.2#fixed-in-202523

What's Changed

• admin: fix system API when using bearer token (cherry-pick #13651) by @gcp-cherry-pick-bot in #13654
• stages/email: Clean newline characters in TemplateEmailMessage (cherry-pick #13666) by @gcp-cherry-pick-bot in #13667
• outposts/ldap: fix paginator going into infinite loop (cherry-pick #13677) by @gcp-cherry-pick-bot in #13679
• web/admin: reworked sync status card (cherry-pick #13625) by @rissson in #13692
• core: fix core/user is_superuser filter (cherry-pick #13693) by @gcp-cherry-pick-bot in #13694
• core: fix non-exploitable open redirect (cherry-pick #13696) by @gcp-cherry-pick-bot in #13698
• stages/identification: refresh captcha on failure (cherry-pick #13697) by @gcp-cherry-pick-bot in #13699
• security: fix CVE-2025-29928 (cherry-pick #13695) by @gcp-cherry-pick-bot in #13700

Full Changelog: version/2025.2.2...version/2025.2.3

Release 2024.12.4

See https://docs.goauthentik.io/docs/releases/2024.12#fixed-in-2024124

What's Changed

• core: fix generic sources not being fetchable by pk by @BeryJu in #12896
• flows: fix inspector permission check by @BeryJu in #12907
• security: fix CVE-2025-29928 (cherry-pick #13695) by @gcp-cherry-pick-bot in #13701

Full Changelog: version/2024.12.3...version/2024.12.4

Release 2025.2.2

See https://docs.goauthentik.io/docs/releases/2025.2#fixed-in-202522

What's Changed

• website/docs: prepare for 2025.2.1 (cherry-pick #13277) by @gcp-cherry-pick-bot in #13279
• enterprise/stages/source: fix dispatch method signature (cherry-pick #13321) by @gcp-cherry-pick-bot in #13326
• *: fix stage incorrectly being inserted instead of appended (cherry-pick #13304) by @gcp-cherry-pick-bot in #13327
• website/docs: update the 2025.2 rel notes (cherry-pick #13213) by @gcp-cherry-pick-bot in #13222
• providers/proxy: kubernetes outpost: fix reconcile when only annotations changed (cherry-pick #13372) by @gcp-cherry-pick-bot in #13384
• website/docs: fix build by @rissson in #13385
• web/user: ensure modal container on user-settings page is min-height: 100% (cherry-pick #13402) by @gcp-cherry-pick-bot in #13413
• stages/authenticator_email: Fix Enroll dropdown in the MFA Devices page (cherry-pick #13404) by @gcp-cherry-pick-bot in #13414
• lib/config: fix conn_max_age parsing (cherry-pick #13370) by @gcp-cherry-pick-bot in #13415
• web/admin: fix display bug for assigned users in application bindings in the wizard (cherry-pick #13435) by @gcp-cherry-pick-bot in #13452
• sources/oauth: ignore missing well-known keys (cherry-pick #13468) by @gcp-cherry-pick-bot in #13470
• web/flows: fix missing padding on authenticator_validate card (cherry-pick #13420) by @gcp-cherry-pick-bot in #13519
• web/user: show admin interface button on mobile (cherry-pick #13421) by @gcp-cherry-pick-bot in #13518
• providers/rac: fix signals and Endpoint caching (cherry-pick #13529) by @gcp-cherry-pick-bot in #13531
• sources/oauth: fix duplicate authentication (cherry-pick #13322) by @gcp-cherry-pick-bot in #13535
• stages/identification: check captcha after checking authentication (cherry-pick #13533) by @gcp-cherry-pick-bot in #13551
• website/docs: prepare for 2025.2.2 (cherry-pick #13552) by @gcp-cherry-pick-bot in #13553

Full Changelog: version/2025.2.1...version/2025.2.2

Release 2025.2.1

See https://docs.goauthentik.io/docs/releases/2025.2#fixed-in-202521

What's Changed

• website/docs: remove Enterprise badge from RAC docs (cherry-pick #13069) by @gcp-cherry-pick-bot in #13216
• website/docs: add new SSF provider docs (cherry-pick #13102) by @gcp-cherry-pick-bot in #13215
• website/docs: add info about new perms for super-user in groups (cherry-pick #13188) by @rissson in #13217
• website/docs: remove mention of wizard (cherry-pick #13126) by @rissson in #13219
• website/docs: add paragraph about impossible travel (cherry-pick #13125) by @gcp-cherry-pick-bot in #13220
• stages/authenticator_email: Email Authenticator Stage Documentation (cherry-pick #12853) by @rissson in #13218
• website/docs: fix missing breaking entry for 2025.2 release notes (cherry-pick #13223) by @gcp-cherry-pick-bot in #13224
• core: add pre-hydrated relative URL (cherry-pick #13243) by @gcp-cherry-pick-bot in #13246
• stages/email: Fix email stage serialization (cherry-pick #13256) by @gcp-cherry-pick-bot in #13273
• stages/authenticator_email: fix session cleanup test b (cherry-pick #13264) by @gcp-cherry-pick-bot in #13276

Full Changelog: version/2025.2.0...version/2025.2.1

Release 2025.2.0

See https://docs.goauthentik.io/docs/releases/2025.2

What's Changed

• web/flow: fix translate extract (cherry-pick #13208) by @gcp-cherry-pick-bot in #13210
• web/user: fix display for RAC tile (cherry-pick #13211) by @gcp-cherry-pick-bot in #13212

Full Changelog: version/2025.2.0-rc3...version/2025.2.0