ory · ory-bot · May 4, 2026 · May 11, 2026
@@ -0,0 +1 @@
+No changelog entries found for keto/oel in versions v26.2.10
@@ -0,0 +1,17 @@
+## v26.2.9
+
+### Patch security vulnerabilities in dependencies
+
+Bump several dependencies to patched versions to address security advisories reported by Dependabot.
+
+Notable updates:
+
+- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string
+  literals).
+- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface).
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header).
+- `postcss` to `>=8.5.10` (XSS via unescaped `</style>` in CSS stringify output).
+- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators).
+- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion).
+- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`,
+  `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.
@@ -0,0 +1,60 @@
+## v26.2.10
+
+### Add unified bulk session management endpoint
+
+The admin session API now exposes a single endpoint for bulk disable and bulk delete operations across multiple identities or
+sessions:
+
+- `POST /admin/sessions` (`manageSessions`)
+
+The `action` field selects the operation:
+
+- `action: "disable"` — soft-revoke matching sessions (sets `active = false`, preserves audit data).
+- `action: "delete"` — permanently delete matching sessions.
+
+Targets are filtered by `identities` (a list of identity IDs) or `sessions` (a list of session IDs); exactly one of the two must
+be provided. To scope the operation to every session in the network, pass `identities: ["*"]`; the wildcard is not accepted in the
+`sessions` field and may not be mixed with explicit IDs. Up to 500 explicit IDs are accepted per call.
+
+All requests respond `200 OK` with `{"processed": N, "more": <bool>}`. `processed` reports how many rows the call affected (for
+`disable`, only sessions that were active before the call). `more` is `true` only when a wildcard request reached the per-call
+batch limit and additional matching rows may remain; callers should re-issue the same request to continue draining. Explicit-IDs
+requests always return `more: false`.
+
+```ts
+client.manageSessions({ action: "disable", identities: ["uuid-a", "uuid-b"] })
+client.manageSessions({ action: "delete", sessions: ["uuid-c"] })
+client.manageSessions({ action: "disable", identities: ["*"] })
+```
+
+No existing endpoints are changed.
+
+### Fix admin identity import for TOTP, lookup-secret, and passkey credentials
+
+This change fixes two related issues with the admin identity import API (`POST /admin/identities` and
+`PUT /admin/identities/{id}`).
+
+**TOTP and lookup-secret can now be used at AAL2 login after import.** Previously, the import wrote the credential row but did not
+write the matching row in `identity_credential_identifiers`, so the AAL2 login flow could not resolve the credential and returned
+"You have no TOTP device set up." (`4000015`) for TOTP, or "You have not configured backup codes yet." for lookup-secret.
+
+**Passkey imports without a `user_handle` are now rejected with a `400`.** A passkey's identifier is the `user_handle` returned by
+the authenticator during the WebAuthn assertion. The userHandle is generated at registration time and stored on the authenticator,
+so it cannot be reconstructed by the server: the import has to supply it, or inherit it from a previously persisted passkey
+credential. Previously, an import that omitted `user_handle` would silently persist a non-functional credential. The import now
+rejects this case up front, and also rejects imports that supply an empty `credentials.passkey.config.credentials` list.
+
+### Reject imported password hashes with extreme cost parameters
+
+Kratos now bounds the cost parameters embedded in imported password hashes. Hashes that declare cost parameters far above any sane
+production value are rejected at the admin identity import API with a `400 Bad Request`, and at login time the comparator returns
+a clear error instead of allocating gigabytes of memory or running for hours.
+
+This closes a denial-of-service class where an attacker with write access to the identity graph could persist a hash whose decoded
+parameters would crash the Kratos process on every subsequent login attempt for that identity.
+
+The bounds apply to Argon2 (`m`, `t`, `p`), PBKDF2 (`i`), plain scrypt (`N`, `r`, `p`), Firebase scrypt (`ln`, `r`, `p`), and
+bcrypt (`cost`). They are set comfortably above strong real-world configurations: Argon2 memory up to 1 GiB, PBKDF2 iterations up
+to 10,000,000, scrypt N up to 2^20, Firebase scrypt `ln` up to 17, and bcrypt cost up to 17.
+
+Imports of correctly-configured hashes are unaffected.
@@ -0,0 +1,42 @@
+## v26.2.9
+
+### Harden identity-schema loading against denial-of-service
+
+Adds a structural pre-parse gate to identity-schema loading. Before a customer-supplied schema reaches the upstream JSON Schema
+compiler, kratos now rejects schemas that exceed any of the following limits:
+
+- 1 MiB body size on the fetched schema document.
+- 32 levels of nested objects or arrays.
+- 1024 keys per object (`properties`, `patternProperties`, `$defs`, etc.).
+- 128 elements per array (`allOf`, `anyOf`, `oneOf`, tuple `items`, etc.).
+- 8192 total nodes across the schema tree.
+
+The same pass also rejects `$ref` values that resolve to the document root (`#`, `#/`, or empty) — these produce a
+self-referential pointer in the compiled schema and would otherwise crash the kratos process via fatal stack overflow at validate
+time. Invalid regular expressions in `pattern` and `patternProperties` keys are now caught up front, instead of panicking deep in
+the upstream compiler.
+
+When kratos fetches a schema URL outside of an HTTP request context (for example from a background task), the loader now attaches
+an SSRF-guarded HTTP client by default. Request paths that already attach a configured client via the request middleware are
+unaffected.
+
+The Ory Network HTTP cache for identity schemas now caps response bodies at the same 1 MiB limit and refuses to cache anything
+larger.
+
+Existing identity schemas at realistic sizes (well under all limits) are unaffected.
+
+### Patch security vulnerabilities in dependencies
+
+Bump several dependencies to patched versions to address security advisories reported by Dependabot.
+
+Notable updates:
+
+- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string
+  literals).
+- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface).
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header).
+- `postcss` to `>=8.5.10` (XSS via unescaped `</style>` in CSS stringify output).
+- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators).
+- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion).
+- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`,
+  `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.
@@ -0,0 +1,7 @@
+## v26.2.10
+
+### Add rule ID and OpenTelemetry trace context to Oathkeeper logs
+
+Oathkeeper proxy and decision API log entries now include the matched access rule ID as `rule_id` and, when an OpenTelemetry span
+is in scope, the trace and span ID as `otel.trace_id` and `otel.span_id`. The trace fields use the same shape as other Ory
+services, so you can correlate Oathkeeper log entries with traces and with logs from upstream services without custom mapping.
@@ -0,0 +1,17 @@
+## v26.2.9
+
+### Patch security vulnerabilities in dependencies
+
+Bump several dependencies to patched versions to address security advisories reported by Dependabot.
+
+Notable updates:
+
+- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string
+  literals).
+- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface).
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header).
+- `postcss` to `>=8.5.10` (XSS via unescaped `</style>` in CSS stringify output).
+- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators).
+- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion).
+- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`,
+  `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.
@@ -0,0 +1,6 @@
+## v26.2.10
+
+### Don't log spurious errors in Hydra OAuth 2.0 flows
+
+This change removes spurious "the OAuth 2.0 Authorization request must be aborted" messages from Hydra's logs, which do not
+indicate an error but simply that the user has been redirected.
@@ -0,0 +1,17 @@
+## v26.2.9
+
+### Patch security vulnerabilities in dependencies
+
+Bump several dependencies to patched versions to address security advisories reported by Dependabot.
+
+Notable updates:
+
+- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string
+  literals).
+- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface).
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header).
+- `postcss` to `>=8.5.10` (XSS via unescaped `</style>` in CSS stringify output).
+- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators).
+- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion).
+- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`,
+  `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.
@@ -1,5 +1,7 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.10                                  | 2026-05-11   |
+| 26.2.9                                   | 2026-05-04   |
 | 26.2.8                                   | 2026-04-28   |
 | 26.2.7                                   | 2026-04-24   |
 | 26.2.6                                   | 2026-04-22   |

@@ -1,5 +1,7 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.10                                  | 2026-05-11   |
+| 26.2.9                                   | 2026-05-04   |
 | 26.2.8                                   | 2026-04-28   |
 | 26.2.7                                   | 2026-04-24   |
 | 26.2.6                                   | 2026-04-22   |

@@ -1,5 +1,7 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.10                                  | 2026-05-11   |
+| 26.2.9                                   | 2026-05-04   |
 | 26.2.8                                   | 2026-04-28   |
 | 26.2.7                                   | 2026-04-24   |
 | 26.2.6                                   | 2026-04-22   |

@@ -1,5 +1,7 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.10                                  | 2026-05-11   |
+| 26.2.9                                   | 2026-05-04   |
 | 26.2.8                                   | 2026-04-28   |
 | 26.2.7                                   | 2026-04-24   |
 | 26.2.6                                   | 2026-04-22   |

@@ -1,5 +1,7 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.10                                  | 2026-05-11   |
+| 26.2.9                                   | 2026-05-04   |
 | 26.2.8                                   | 2026-04-28   |
 | 26.2.7                                   | 2026-04-24   |
 | 26.2.6                                   | 2026-04-22   |

@@ -0,0 +1 @@
+No changelog entries found for polis/oel in versions v26.2.10
@@ -0,0 +1,17 @@
+## v26.2.9
+
+### Patch security vulnerabilities in dependencies
+
+Bump several dependencies to patched versions to address security advisories reported by Dependabot.
+
+Notable updates:
+
+- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string
+  literals).
+- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface).
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header).
+- `postcss` to `>=8.5.10` (XSS via unescaped `</style>` in CSS stringify output).
+- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators).
+- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion).
+- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`,
+  `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		No changelog entries found for keto/oel in versions v26.2.10
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		No changelog entries found for polis/oel in versions v26.2.10