Skip to content

internal: Automated internal backport: CVE-2026-41577.sec.patch to authentik-main#22302

Merged
BeryJu merged 1 commit into
mainfrom
int-backport/authentik-main/CVE-2026-41577.sec.patch
May 12, 2026
Merged

internal: Automated internal backport: CVE-2026-41577.sec.patch to authentik-main#22302
BeryJu merged 1 commit into
mainfrom
int-backport/authentik-main/CVE-2026-41577.sec.patch

Conversation

@authentik-automation
Copy link
Copy Markdown
Contributor

@authentik-automation authentik-automation Bot commented May 12, 2026

Automated backport of patch from internal repo

Patch name: CVE-2026-41577.sec.patch
Issue ref: https://github.com/goauthentik/authentik-internal/issues/

@authentik-automation authentik-automation Bot requested a review from a team as a code owner May 12, 2026 16:32
@BeryJu BeryJu self-assigned this May 12, 2026
@codecov
Copy link
Copy Markdown

codecov Bot commented May 12, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 91.17647% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.19%. Comparing base (f4d6ebf) to head (8c3229c).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
authentik/sources/saml/processors/response.py 80.00% 3 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #22302      +/-   ##
==========================================
- Coverage   93.25%   93.19%   -0.06%     
==========================================
  Files        1028     1028              
  Lines       59692    59726      +34     
  Branches      400      400              
==========================================
- Hits        55665    55664       -1     
- Misses       4027     4062      +35
Flag Coverage Δ
conformance 36.72% <5.88%> (-0.02%) ⬇️
e2e 41.98% <35.29%> (+0.04%) ⬆️
integration 33.10% <5.88%> (-0.06%) ⬇️
rust 0.00% <ø> (ø)
unit 92.13% <91.17%> (+<0.01%) ⬆️
unit-migrate 92.15% <91.17%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 12, 2026

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-8c3229cc170e4870ef8b9b29d89b22eac5be2e96
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-8c3229cc170e4870ef8b9b29d89b22eac5be2e96

Afterwards, run the upgrade commands from the latest release notes.

@netlify
Copy link
Copy Markdown

netlify Bot commented May 12, 2026

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 8c3229c
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/6a0356151cc4780008cfd406
😎 Deploy Preview https://deploy-preview-22302--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@BeryJu BeryJu merged commit ee954d6 into main May 12, 2026
116 of 117 checks passed
@BeryJu BeryJu deleted the int-backport/authentik-main/CVE-2026-41577.sec.patch branch May 12, 2026 18:11
kensternberg-authentik added a commit that referenced this pull request May 18, 2026
@kensternberg-authentik
Merge branch 'main' into dev
c8229b4 
* main: (43 commits)
  website/docs: fix email link in CVE-2026-40166 (#22331)
  website/docs: add that the Grant Types are now on UI (#22315)
  core: bump ujson from 5.12.0 to 5.12.1 in the uv group across 1 directory (#22329)
  core: harden npm install against supply-chain attacks (#22245)
  core: bump django-stubs[compatible-mypy] from 6.0.3 to 6.0.4 (#22319)
  ci: bump taiki-e/install-action from 2.77.3 to 2.77.4 in /.github/actions/setup (#22321)
  endpoints: remove `print` line (#22325)
  website/docs: release notes 2026.5: add section about package reduction (#22308)
  core, web: update translations (#22318)
  stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#22322)
  website/docs: Add invitation wizard docs (#22069)
  website/docs: release notes for 2025.12.5 and 2026.2.3 (#22310)
  internal: Automated internal backport: CVE-2026-41569.sec.patch to authentik-main (#22301)
  internal: Automated internal backport: CVE-2026-42849.sec.patch to authentik-main (#22303)
  internal: Automated internal backport: CVE-2026-40166.sec.patch to authentik-main (#22299)
  internal: Automated internal backport: GHSA-973w-j457-rp2m.sec.patch to authentik-main (#22305)
  internal: Automated internal backport: CVE-2026-41577.sec.patch to authentik-main (#22302)
  website/docs: add mention of drop-down menu, update multiple Integration Guides (#22269)
  website/docs: edit docs about how to add user/service account (#22228)
  website/docs: 2026.5 release notes: fix performance improvements wording (#22307)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@BeryJu BeryJu BeryJu approved these changes

Assignees

@BeryJu BeryJu

Labels

cherry-pick

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BeryJu