ory · deepakprabhakara · Apr 22, 2026 · Apr 20, 2026 · Apr 22, 2026
@@ -0,0 +1,35 @@
+## v26.2.5
+
+### Limit tree size in expand endpoint (default 4k nodes)
+
+The expand endpoint now returns a maximum of 4,000 nodes by default to reduce backend resource usage. For OSS and OEL deployments,
+this limit can be configured via `limit.max_expand_size` config.
+
+### Fix shared mutable state in error handling
+
+Error globals such as `herodot.ErrNotFound` were package-level variables shared across all requests. Calling methods like
+`WithReason` or `WithDetail` mutated these variables in place and returned the same pointer, so any request that added context to
+an error — reason text, details, etc, modified the global. The next request to reach an error path using the same error inherited
+those stale details.
+
+As a consequence, observability (logs, traces) for requests resulting in an error suffered from the same issue: some errors were
+reported with details belonging to an unrelated request, or with fields missing that should have been present.
+
+The new API creates a fresh error instance on each call, so each request gets its own copy.
+
+The following values were at risk of leaking into unrelated error responses:
+
+- HTTP cookie names (Kratos CSRF flow)
+- Entity UUIDs (identity, organization, etc)
+- OAuth2 error hints (Hydra and Kratos Hydra bridge)
+- OIDC provider URLs and raw upstream error responses (Kratos OIDC strategy)
+- External schema fetch URLs and HTTP status codes (Kratos schema handler)
+- JWT claims and issuers (Oathkeeper JWT authenticator)
+
+No data was written to persistent storage or transmitted outside the error response. Any two requests hitting the same error path
+on the same node — even back-to-back with no concurrency — could exchange error details.
+
+Under concurrent load, the shared writes also constitute a true data race, which can additionally produce errors in an
+inconsistent or partially written state.
+
+This change has no externally observable effect other than fixing the information leak in error paths.
@@ -0,0 +1 @@
+No changelog entries found for keto/oel in versions v26.2.6
@@ -0,0 +1,59 @@
+## v26.2.5
+
+### Fix shared mutable state in error handling
+
+Error globals such as `herodot.ErrNotFound` were package-level variables shared across all requests. Calling methods like
+`WithReason` or `WithDetail` mutated these variables in place and returned the same pointer, so any request that added context to
+an error — reason text, details, etc, modified the global. The next request to reach an error path using the same error inherited
+those stale details.
+
+As a consequence, observability (logs, traces) for requests resulting in an error suffered from the same issue: some errors were
+reported with details belonging to an unrelated request, or with fields missing that should have been present.
+
+The new API creates a fresh error instance on each call, so each request gets its own copy.
+
+The following values were at risk of leaking into unrelated error responses:
+
+- HTTP cookie names (Kratos CSRF flow)
+- Entity UUIDs (identity, organization, etc)
+- OAuth2 error hints (Hydra and Kratos Hydra bridge)
+- OIDC provider URLs and raw upstream error responses (Kratos OIDC strategy)
+- External schema fetch URLs and HTTP status codes (Kratos schema handler)
+- JWT claims and issuers (Oathkeeper JWT authenticator)
+
+No data was written to persistent storage or transmitted outside the error response. Any two requests hitting the same error path
+on the same node — even back-to-back with no concurrency — could exchange error details.
+
+Under concurrent load, the shared writes also constitute a true data race, which can additionally produce errors in an
+inconsistent or partially written state.
+
+This change has no externally observable effect other than fixing the information leak in error paths.
+
+### Native OIDC registration now returns the flow ID when required traits are missing
+
+When a native or API-based OIDC registration flow encounters a validation error because of missing required identity traits, the
+`return_to` redirect now includes the `flow` query parameter alongside the existing `code` parameter.
+
+This allows native clients to fetch the registration flow, identify which fields are missing, and re-submit with complete data.
+Previously, only the `code` parameter was included, leaving native clients with no way to recover from missing traits during
+social sign-in registration.
+
+Browser flows were not affected by this issue.
+
+### Phone numbers are now normalized to E.164 format
+
+Kratos now normalizes phone numbers to E.164 format when used as identifiers, verifiable addresses, or recovery addresses. This
+ensures consistent storage and lookup regardless of how a user enters their phone number (with spaces, dashes, or parentheses).
+
+Existing identities with non-normalized phone numbers continue to work. A new CLI command `kratos migrate normalize-phone-numbers`
+is available to normalize legacy phone data in the database. Run this command after deploying the update to ensure all phone
+numbers are in E.164 format.
+
+### Render identity schema `enum` traits as dropdowns
+
+Identity schema properties that declare an `enum` are now surfaced to the Account Experience and rendered as native `<select>`
+inputs, so users can pick from the allowed values instead of typing them into a free-form text box.
+
+Kratos attaches the enum values to the UI node as an `options` array on `InputAttributes`. When present, the Account Experience
+falls back to rendering the field as a dropdown; consumers that do not know about `options` continue to render a text input as
+before, so the change is backward compatible.
@@ -0,0 +1,65 @@
+## v26.2.6
+
+### Fix some incorrect WebAuthn error messages
+
+Some WebAuthn error messages were wrong: they mentioned TOTP instead of WebAuthn. They now have been fixed. This affect errors
+text and ID.
+
+### Correctly clear WebAuthn UI nodes on login error
+
+Due to a typo, WebAuthn UI nodes were not correctly cleared on login error, this has been fixed.
+
+#### Breaking changes
+
+This is technically a breaking change if you relied on the exact wording of the error message, or on specific error IDs.
+
+### Add `verify_new_address` settings hook
+
+A new `verify_new_address` hook is available for the settings profile strategy. When configured, it defers email or phone number
+changes until the new address is verified. The identity's traits are only updated after the user completes verification of the new
+address.
+
+This prevents immediate replacement of verified addresses and ensures the new address is reachable before applying the change.
+
+### Carry over upstream MFA to the Ory session
+
+Ory now trusts the authentication strength reported by upstream OpenID Connect providers. When a user signs in through an OIDC
+provider such as Auth0, Okta, Keycloak, PingFederate, Microsoft Entra v1, or any generic enterprise IdP, Ory reads the `acr`
+(Authentication Context Class Reference) and `amr` (Authentication Methods References) claims from the upstream ID token and
+records them on the resulting session.
+
+You can now mark a provider's login as AAL2 based on those claims. Two new configuration fields on every OIDC provider let you
+specify which upstream values count as "the user already completed MFA":
+
+- `aal2_acr_values` — list of upstream `acr` claim values (for example `urn:okta:loa:2fa:any`,
+  `http://schemas.openid.net/pape/policies/2007/06/multi-factor`) that elevate the session to AAL2.
+- `aal2_amr_values` — list of upstream `amr` claim values (`mfa`, `otp`, `hwk`, and other
+  [RFC 8176](https://www.rfc-editor.org/rfc/rfc8176.html) values) that elevate the session to AAL2 when any of them appears in the
+  upstream `amr` array.
+
+If neither list matches, the session falls back to AAL1. If you enforce AAL2 through `session.whoami_required_aal`, Ory prompts
+the user for a second factor only when the upstream IdP did not already provide one. Both fields are optional; leave them empty to
+keep today's behavior.
+
+The upstream `acr` and `amr` values are stored on the session's `authentication_methods` entry (`upstream_acr` and `upstream_amr`
+fields) for auditing. They are visible on `/sessions/whoami` and in webhook payloads.
+
+You can configure the new fields for each provider in the Ory Console under **Authentication → Social sign-in → Edit provider**.
+
+### SCIM group events now include externalId and displayName
+
+SCIM `group.created`, `group.updated`, and `group.deleted` telemetry events now carry the group's `externalId` and `displayName`
+as attributes, alongside the existing group ID. This lets downstream consumers correlate events with the provisioning source of
+truth without a separate lookup.
+
+### SCIM group updates no longer rewrite unchanged members
+
+When a SCIM group update touches a field that does not affect its members (for example, patching the group's `displayName` to the
+same value), Kratos no longer rewrites the member identities. As a result, no `IdentityUpdated` event is emitted for members whose
+SCIM data did not change.
+
+### SCIMGroupUpdated events now include added and removed identity IDs
+
+SCIMGroupUpdated telemetry events now carry two additional attributes, `SCIMGroupAddedIdentityIDs` and
+`SCIMGroupRemovedIdentityIDs`, listing the identity IDs that were added to or removed from the group by the update. Downstream
+consumers can use this to act on the specific membership change instead of having to diff group state themselves.
@@ -0,0 +1,30 @@
+## v26.2.5
+
+### Fix shared mutable state in error handling
+
+Error globals such as `herodot.ErrNotFound` were package-level variables shared across all requests. Calling methods like
+`WithReason` or `WithDetail` mutated these variables in place and returned the same pointer, so any request that added context to
+an error — reason text, details, etc, modified the global. The next request to reach an error path using the same error inherited
+those stale details.
+
+As a consequence, observability (logs, traces) for requests resulting in an error suffered from the same issue: some errors were
+reported with details belonging to an unrelated request, or with fields missing that should have been present.
+
+The new API creates a fresh error instance on each call, so each request gets its own copy.
+
+The following values were at risk of leaking into unrelated error responses:
+
+- HTTP cookie names (Kratos CSRF flow)
+- Entity UUIDs (identity, organization, etc)
+- OAuth2 error hints (Hydra and Kratos Hydra bridge)
+- OIDC provider URLs and raw upstream error responses (Kratos OIDC strategy)
+- External schema fetch URLs and HTTP status codes (Kratos schema handler)
+- JWT claims and issuers (Oathkeeper JWT authenticator)
+
+No data was written to persistent storage or transmitted outside the error response. Any two requests hitting the same error path
+on the same node — even back-to-back with no concurrency — could exchange error details.
+
+Under concurrent load, the shared writes also constitute a true data race, which can additionally produce errors in an
+inconsistent or partially written state.
+
+This change has no externally observable effect other than fixing the information leak in error paths.
@@ -0,0 +1 @@
+No changelog entries found for oathkeeper/oel in versions v26.2.6
@@ -0,0 +1,30 @@
+## v26.2.5
+
+### Fix shared mutable state in error handling
+
+Error globals such as `herodot.ErrNotFound` were package-level variables shared across all requests. Calling methods like
+`WithReason` or `WithDetail` mutated these variables in place and returned the same pointer, so any request that added context to
+an error — reason text, details, etc, modified the global. The next request to reach an error path using the same error inherited
+those stale details.
+
+As a consequence, observability (logs, traces) for requests resulting in an error suffered from the same issue: some errors were
+reported with details belonging to an unrelated request, or with fields missing that should have been present.
+
+The new API creates a fresh error instance on each call, so each request gets its own copy.
+
+The following values were at risk of leaking into unrelated error responses:
+
+- HTTP cookie names (Kratos CSRF flow)
+- Entity UUIDs (identity, organization, etc)
+- OAuth2 error hints (Hydra and Kratos Hydra bridge)
+- OIDC provider URLs and raw upstream error responses (Kratos OIDC strategy)
+- External schema fetch URLs and HTTP status codes (Kratos schema handler)
+- JWT claims and issuers (Oathkeeper JWT authenticator)
+
+No data was written to persistent storage or transmitted outside the error response. Any two requests hitting the same error path
+on the same node — even back-to-back with no concurrency — could exchange error details.
+
+Under concurrent load, the shared writes also constitute a true data race, which can additionally produce errors in an
+inconsistent or partially written state.
+
+This change has no externally observable effect other than fixing the information leak in error paths.
@@ -0,0 +1 @@
+No changelog entries found for hydra/oel in versions v26.2.6
@@ -1,5 +1,7 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.6                                   | 2026-04-22   |
+| 26.2.5                                   | 2026-04-20   |
 | 26.2.4                                   | 2026-04-14   |
 | 26.2.3                                   | 2026-04-02   |
 | 26.2.2                                   | 2026-03-26   |

@@ -1,5 +1,7 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.6                                   | 2026-04-22   |
+| 26.2.5                                   | 2026-04-20   |
 | 26.2.4                                   | 2026-04-14   |
 | 26.2.3                                   | 2026-04-02   |
 | 26.2.2                                   | 2026-03-26   |

@@ -1,5 +1,7 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.6                                   | 2026-04-22   |
+| 26.2.5                                   | 2026-04-20   |
 | 26.2.4                                   | 2026-04-14   |
 | 26.2.3                                   | 2026-04-02   |
 | 26.2.2                                   | 2026-03-26   |

@@ -1,5 +1,7 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.6                                   | 2026-04-22   |
+| 26.2.5                                   | 2026-04-20   |
 | 26.2.4                                   | 2026-04-14   |
 | 26.2.3                                   | 2026-04-02   |
 | 26.2.2                                   | 2026-03-26   |

@@ -1,5 +1,7 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.6                                   | 2026-04-22   |
+| 26.2.5                                   | 2026-04-20   |
 | 26.2.4                                   | 2026-04-14   |
 | 26.2.3                                   | 2026-04-02   |
 | 26.2.2                                   | 2026-03-26   |

@@ -0,0 +1 @@
+No changelog entries found for polis/oel in versions v26.2.5
@@ -0,0 +1 @@
+No changelog entries found for polis/oel in versions v26.2.6
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		No changelog entries found for keto/oel in versions v26.2.6
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		No changelog entries found for oathkeeper/oel in versions v26.2.6
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		No changelog entries found for hydra/oel in versions v26.2.6
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		No changelog entries found for polis/oel in versions v26.2.5
Comment thread deepakprabhakara marked this conversation as resolved.