Application policies mode all broken when using group and user filter

[OCram85]

Describe the bug
After updating to 2025.8.4 my existing application policies fails when using:

• a standard group policy - use a ldap group or local group
• a standard user policy - use a ldap user or local user
• using policy mode ALL

You can see and use those application if you're member in group, although you're note the given user from the second condition

To Reproduce
Steps to reproduce the behavior:

You can create any application like described above.

Expected behavior
The application should only be visible and consumable by the user added in the user policy

Screenshots

Test App:

Policy Mode:

Policy Details:

Test group members:

✅ Test with valid user. user is in group and dedicated selected:

🛑 Test with user which is group member not not used in additional policy:

🛑 Same test like above but with ldap synced user:

✅ test with any other use not in group or used in additional policy:

Logs
Output of docker-compose logs or kubectl logs respectively

Version and Deployment (please complete the following information):

• authentik version: 2025.8.4
• Deployment: docker-compose

Additional context

• latest known authentik version in which this use-case worked: 2024.8.4

[authentik-automation]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[AndrewBucklin]

This is still a problem on 2025.12.3.

EDIT: For those of you who need a temporary workarounduntil this is fixed, remove the group bindings and create an expression policy binding. Here's an example expression to only show the application if the user is a member of both groups.

in_group1 = ak_is_group_member(request.user, name="Some Group")
in_group2 = ak_is_group_member(request.user, name="Some Other Group")

# Return True only if ALL are true
return in_group1 and in_group2