security: fix CVE-2025-53942

[BeryJu]

Details

REPLACE ME

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make docs)

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	a74c920
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/687f7f40d45b070008870f3b
😎 Deploy Preview	https://deploy-preview-15719--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	a74c920
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/687f7f405d893a00080196e0
😎 Deploy Preview	https://deploy-preview-15719--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

Attention: Patch coverage is 95.23810% with 1 line in your changes missing coverage. Please review.

Project coverage is 93.18%. Comparing base (af2885a) to head (a74c920).
Report is 4 commits behind head on main.

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
authentik/core/middleware.py	75.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #15719   +/-   ##
=======================================
  Coverage   93.17%   93.18%           
=======================================
  Files         831      831           
  Lines       44161    44181   +20     
=======================================
+ Hits        41149    41169   +20     
  Misses       3012     3012           

Flag	Coverage Δ
e2e	46.60% <14.28%> (-0.02%)	⬇️
integration	23.46% <4.76%> (-0.01%)	⬇️
unit	91.28% <95.23%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	a74c920
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/687f7f40c6217200086d111f

[BeryJu]

/cherry-pick version-2025.6

[BeryJu]

/cherry-pick version-2025.4

[gcp-cherry-pick-bot]

Cherry-pick failed with Merge error 7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd into temp-cherry-pick-64dfac-version-2025.6

[gcp-cherry-pick-bot]

Cherry-pick failed with Merge error 7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd into temp-cherry-pick-64dfac-version-2025.4

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-a74c920a6588b708a5ae79c756ecbe855fa47fcd
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-a74c920a6588b708a5ae79c756ecbe855fa47fcd

Afterwards, run the upgrade commands from the latest release notes.

[f0o]

When will the details about CVE-2025-53942 be disclosed?

//EDIT: Nevermind, it's part of the PR 🙃