From e6b284f1dc4b5c533cafb45cbc39bc5021ab09a7 Mon Sep 17 00:00:00 2001
From: adamwalach <8530211+adamwalach@users.noreply.github.com>
Date: Wed, 29 Apr 2026 07:06:56 +0000
Subject: [PATCH] chore(docs): update of OEL changelog
---
.../self-hosted/oel/keto/changelog/v26.2.8.md | 6 ++++++
.../oel/kratos/changelog/v26.2.8.md | 6 ++++++
.../oel/oathkeeper/changelog/v26.2.8.md | 6 ++++++
.../oel/oauth2/changelog/v26.2.7.md | 11 +++++++++-
.../oel/oauth2/changelog/v26.2.8.md | 20 +++++++++++++++++++
.../oel/polis/changelog/v26.2.8.md | 1 +
6 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 docs/self-hosted/oel/keto/changelog/v26.2.8.md
create mode 100644 docs/self-hosted/oel/kratos/changelog/v26.2.8.md
create mode 100644 docs/self-hosted/oel/oathkeeper/changelog/v26.2.8.md
create mode 100644 docs/self-hosted/oel/oauth2/changelog/v26.2.8.md
create mode 100644 docs/self-hosted/oel/polis/changelog/v26.2.8.md
diff --git a/docs/self-hosted/oel/keto/changelog/v26.2.8.md b/docs/self-hosted/oel/keto/changelog/v26.2.8.md
new file mode 100644
index 000000000..03ee1d36a
--- /dev/null
+++ b/docs/self-hosted/oel/keto/changelog/v26.2.8.md
@@ -0,0 +1,6 @@
+## v26.2.8
+
+### SSRF protection improvements
+
+Error messages originating from the SSRF protection mechanism no longer leak IP addresses if the hostname resolves to an internal
+IP address. This prevents SSRF recon through user-supplied URLs and hostnames.
diff --git a/docs/self-hosted/oel/kratos/changelog/v26.2.8.md b/docs/self-hosted/oel/kratos/changelog/v26.2.8.md
new file mode 100644
index 000000000..03ee1d36a
--- /dev/null
+++ b/docs/self-hosted/oel/kratos/changelog/v26.2.8.md
@@ -0,0 +1,6 @@
+## v26.2.8
+
+### SSRF protection improvements
+
+Error messages originating from the SSRF protection mechanism no longer leak IP addresses if the hostname resolves to an internal
+IP address. This prevents SSRF recon through user-supplied URLs and hostnames.
diff --git a/docs/self-hosted/oel/oathkeeper/changelog/v26.2.8.md b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.8.md
new file mode 100644
index 000000000..03ee1d36a
--- /dev/null
+++ b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.8.md
@@ -0,0 +1,6 @@
+## v26.2.8
+
+### SSRF protection improvements
+
+Error messages originating from the SSRF protection mechanism no longer leak IP addresses if the hostname resolves to an internal
+IP address. This prevents SSRF recon through user-supplied URLs and hostnames.
diff --git a/docs/self-hosted/oel/oauth2/changelog/v26.2.7.md b/docs/self-hosted/oel/oauth2/changelog/v26.2.7.md
index a750d0d03..6bc90746c 100644
--- a/docs/self-hosted/oel/oauth2/changelog/v26.2.7.md
+++ b/docs/self-hosted/oel/oauth2/changelog/v26.2.7.md
@@ -1 +1,10 @@
-No changelog entries found for hydra/oel in versions v26.2.7
+## v26.2.7
+
+### New indexes on Hydra OAuth 2.0 token tables
+
+Hydra adds `(nid, subject, client_id)` indexes to `hydra_oauth2_access` and `hydra_oauth2_refresh`. The indexes are created online
+on CockroachDB and PostgreSQL, so applying the upgrade does not block reads or writes against the token tables during the schema
+change.
+
+On Hydra OEL and Hydra Cloud, the new indexes accelerate consent session revocation, complementing recent code-level improvements
+to the OEL revoke flow.
diff --git a/docs/self-hosted/oel/oauth2/changelog/v26.2.8.md b/docs/self-hosted/oel/oauth2/changelog/v26.2.8.md
new file mode 100644
index 000000000..a34f3cc9b
--- /dev/null
+++ b/docs/self-hosted/oel/oauth2/changelog/v26.2.8.md
@@ -0,0 +1,20 @@
+## v26.2.8
+
+### Fix 409 Conflict errors on fresh CockroachDB v26.1 installs
+
+Fresh Hydra installs on CockroachDB v26.1 returned a
+`409 Conflict: Unable to insert or update resource because a resource with that value exists already` error on the first request
+to `/.well-known/jwks.json` after running migrations. The error blocked Hydra from auto-generating its JSON Web Key Sets, which in
+turn prevented OAuth token verification by relying parties.
+
+**Only fresh installs are affected.** Existing deployments that ran the initial migrations on an earlier CockroachDB version and
+later upgraded their cluster to v26.1 are not affected, because the problematic behavior happens at migration time rather than at
+cluster upgrade time. Deployments on PostgreSQL, MySQL, or SQLite are also unaffected.
+
+A new CockroachDB-only migration drops both phantom indexes if they are present. No operator action is required beyond applying
+migrations.
+
+### SSRF protection improvements
+
+Error messages originating from the SSRF protection mechanism no longer leak IP addresses if the hostname resolves to an internal
+IP address. This prevents SSRF recon through user-supplied URLs and hostnames.
diff --git a/docs/self-hosted/oel/polis/changelog/v26.2.8.md b/docs/self-hosted/oel/polis/changelog/v26.2.8.md
new file mode 100644
index 000000000..bc1fe3e95
--- /dev/null
+++ b/docs/self-hosted/oel/polis/changelog/v26.2.8.md
@@ -0,0 +1 @@
+No changelog entries found for polis/oel in versions v26.2.8