From d8faaa97261d4d68c623040e67c44ee6ca2338d2 Mon Sep 17 00:00:00 2001 From: ory-bot <60093411+ory-bot@users.noreply.github.com> Date: Mon, 4 May 2026 10:47:39 +0000 Subject: [PATCH] chore(docs): update OEL image tag --- .../self-hosted/oel/keto/changelog/v26.2.9.md | 17 ++++++++ .../oel/kratos/changelog/v26.2.9.md | 42 +++++++++++++++++++ .../oel/oathkeeper/changelog/v26.2.9.md | 17 ++++++++ .../oel/oauth2/changelog/v26.2.9.md | 17 ++++++++ docs/self-hosted/oel/oel-hydra-image-tags.md | 1 + docs/self-hosted/oel/oel-keto-image-tags.md | 1 + docs/self-hosted/oel/oel-kratos-image-tags.md | 1 + .../oel/oel-oathkeeper-image-tags.md | 1 + docs/self-hosted/oel/oel-polis-image-tags.md | 1 + .../oel/polis/changelog/v26.2.9.md | 17 ++++++++ 10 files changed, 115 insertions(+) create mode 100644 docs/self-hosted/oel/keto/changelog/v26.2.9.md create mode 100644 docs/self-hosted/oel/kratos/changelog/v26.2.9.md create mode 100644 docs/self-hosted/oel/oathkeeper/changelog/v26.2.9.md create mode 100644 docs/self-hosted/oel/oauth2/changelog/v26.2.9.md create mode 100644 docs/self-hosted/oel/polis/changelog/v26.2.9.md diff --git a/docs/self-hosted/oel/keto/changelog/v26.2.9.md b/docs/self-hosted/oel/keto/changelog/v26.2.9.md new file mode 100644 index 000000000..bbfea35fb --- /dev/null +++ b/docs/self-hosted/oel/keto/changelog/v26.2.9.md 
@@ -0,0 +1,17 @@ +## v26.2.9 + +### Patch security vulnerabilities in dependencies + +Bump several dependencies to patched versions to address security advisories reported by Dependabot. + +Notable updates: + +- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string + literals). +- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface). +- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header). +- `postcss` to `>=8.5.10` (XSS via unescaped `` in CSS stringify output). +- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators). +- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion). +- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`, + `i18next-fs-backend`, `@nestjs/core` to their respective patched versions. diff --git a/docs/self-hosted/oel/kratos/changelog/v26.2.9.md b/docs/self-hosted/oel/kratos/changelog/v26.2.9.md new file mode 100644 index 000000000..d0087d58d --- /dev/null +++ b/docs/self-hosted/oel/kratos/changelog/v26.2.9.md 
@@ -0,0 +1,42 @@ +## v26.2.9 + +### Harden identity-schema loading against denial-of-service + +Adds a structural pre-parse gate to identity-schema loading. Before a customer-supplied schema reaches the upstream JSON Schema +compiler, kratos now rejects schemas that exceed any of the following limits: + +- 1 MiB body size on the fetched schema document. +- 32 levels of nested objects or arrays. +- 1024 keys per object (`properties`, `patternProperties`, `$defs`, etc.). +- 128 elements per array (`allOf`, `anyOf`, `oneOf`, tuple `items`, etc.). +- 8192 total nodes across the schema tree. + +The same pass also rejects `$ref` values that resolve to the document root (`#`, `#/`, or empty) — these produce a +self-referential pointer in the compiled schema and would otherwise crash the kratos process via fatal stack overflow at validate +time. Invalid regular expressions in `pattern` and `patternProperties` keys are now caught up front, instead of panicking deep in +the upstream compiler. + +When kratos fetches a schema URL outside of an HTTP request context (for example from a background task), the loader now attaches +an SSRF-guarded HTTP client by default. Request paths that already attach a configured client via the request middleware are +unaffected. + +The Ory Network HTTP cache for identity schemas now caps response bodies at the same 1 MiB limit and refuses to cache anything +larger. + +Existing identity schemas at realistic sizes (well under all limits) are unaffected. + +### Patch security vulnerabilities in dependencies + +Bump several dependencies to patched versions to address security advisories reported by Dependabot. + +Notable updates: + +- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string + literals). +- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface). 
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header). +- `postcss` to `>=8.5.10` (XSS via unescaped `` in CSS stringify output). +- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators). +- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion). +- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`, + `i18next-fs-backend`, `@nestjs/core` to their respective patched versions. diff --git a/docs/self-hosted/oel/oathkeeper/changelog/v26.2.9.md b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.9.md new file mode 100644 index 000000000..bbfea35fb --- /dev/null +++ b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.9.md @@ -0,0 +1,17 @@ +## v26.2.9 + +### Patch security vulnerabilities in dependencies + +Bump several dependencies to patched versions to address security advisories reported by Dependabot. + +Notable updates: + +- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string + literals). +- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface). +- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header). +- `postcss` to `>=8.5.10` (XSS via unescaped `` in CSS stringify output). +- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators). +- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion). +- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`, + `i18next-fs-backend`, `@nestjs/core` to their respective patched versions. diff --git a/docs/self-hosted/oel/oauth2/changelog/v26.2.9.md b/docs/self-hosted/oel/oauth2/changelog/v26.2.9.md new file mode 100644 index 000000000..bbfea35fb --- /dev/null +++ b/docs/self-hosted/oel/oauth2/changelog/v26.2.9.md 
@@ -0,0 +1,17 @@ +## v26.2.9 + +### Patch security vulnerabilities in dependencies + +Bump several dependencies to patched versions to address security advisories reported by Dependabot. + +Notable updates: + +- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string + literals). +- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface). +- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header). +- `postcss` to `>=8.5.10` (XSS via unescaped `` in CSS stringify output). +- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators). +- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion). +- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`, + `i18next-fs-backend`, `@nestjs/core` to their respective patched versions. diff --git a/docs/self-hosted/oel/oel-hydra-image-tags.md b/docs/self-hosted/oel/oel-hydra-image-tags.md index 91bd4c27d..13b6ceb60 100644 --- a/docs/self-hosted/oel/oel-hydra-image-tags.md +++ b/docs/self-hosted/oel/oel-hydra-image-tags.md @@ -1,5 +1,6 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.9 | 2026-05-04 | | 26.2.8 | 2026-04-28 | | 26.2.7 | 2026-04-24 | | 26.2.6 | 2026-04-22 | diff --git a/docs/self-hosted/oel/oel-keto-image-tags.md b/docs/self-hosted/oel/oel-keto-image-tags.md index 8203ed3e9..6dc486444 100644 --- a/docs/self-hosted/oel/oel-keto-image-tags.md +++ b/docs/self-hosted/oel/oel-keto-image-tags.md @@ -1,5 +1,6 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.9 | 2026-05-04 | | 26.2.8 | 2026-04-28 | | 26.2.7 | 2026-04-24 | | 26.2.6 | 2026-04-22 | 
diff --git a/docs/self-hosted/oel/oel-kratos-image-tags.md b/docs/self-hosted/oel/oel-kratos-image-tags.md index 39665bcdb..e7a8a18f0 100644 --- a/docs/self-hosted/oel/oel-kratos-image-tags.md +++ b/docs/self-hosted/oel/oel-kratos-image-tags.md @@ -1,5 +1,6 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.9 | 2026-05-04 | | 26.2.8 | 2026-04-28 | | 26.2.7 | 2026-04-24 | | 26.2.6 | 2026-04-22 | diff --git a/docs/self-hosted/oel/oel-oathkeeper-image-tags.md b/docs/self-hosted/oel/oel-oathkeeper-image-tags.md index 065bba49e..2681d44a2 100644 --- a/docs/self-hosted/oel/oel-oathkeeper-image-tags.md +++ b/docs/self-hosted/oel/oel-oathkeeper-image-tags.md @@ -1,5 +1,6 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.9 | 2026-05-04 | | 26.2.8 | 2026-04-28 | | 26.2.7 | 2026-04-24 | | 26.2.6 | 2026-04-22 | diff --git a/docs/self-hosted/oel/oel-polis-image-tags.md b/docs/self-hosted/oel/oel-polis-image-tags.md index b368d29fd..2c5d0b85a 100644 --- a/docs/self-hosted/oel/oel-polis-image-tags.md +++ b/docs/self-hosted/oel/oel-polis-image-tags.md @@ -1,5 +1,6 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.9 | 2026-05-04 | | 26.2.8 | 2026-04-28 | | 26.2.7 | 2026-04-24 | | 26.2.6 | 2026-04-22 | diff --git a/docs/self-hosted/oel/polis/changelog/v26.2.9.md b/docs/self-hosted/oel/polis/changelog/v26.2.9.md new file mode 100644 index 000000000..bbfea35fb --- /dev/null +++ b/docs/self-hosted/oel/polis/changelog/v26.2.9.md 
@@ -0,0 +1,17 @@ +## v26.2.9 + +### Patch security vulnerabilities in dependencies + +Bump several dependencies to patched versions to address security advisories reported by Dependabot. + +Notable updates: + +- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string + literals). +- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface). +- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header). +- `postcss` to `>=8.5.10` (XSS via unescaped `` in CSS stringify output). +- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators). +- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion). +- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`, + `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.
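Review bot: the postcss bullet in the new keto changelog reads "XSS via unescaped `` in CSS stringify output", with an empty inline code span where the unescaped character or sequence should be; the same line recurs verbatim in the oathkeeper, oauth2 and polis changelogs (those four hunks share blob bbfea35fb) and in the kratos changelog. Fill in the missing token in the source and regenerate, or drop the parenthetical, so the advisory summary is not misleading. While there, confirm that the npm packages in this list (`postcss`, `uuid`, `@xmldom/xmldom`, `@nestjs/core`, `i18next-fs-backend`) actually ship in each of the four products that carry the identical text; the first bullet speaks of "all Go modules", so a per-product list may be more accurate than one shared template.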
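Review bot: the paragraph on the SSRF-guarded HTTP client in the new kratos changelog says schema fetches outside an HTTP request context now use that client by default, but does not say what operators should expect when a configured schema URL points at an internal host (a schema served from a private network address, for example) or how to permit such a host explicitly. Add a sentence naming the relevant configuration, or state that there is none, so self-hosters can tell whether background schema loading will start failing after the upgrade. The limits list is otherwise clear; a pointer to the error message or log line emitted when a schema is rejected would help operators map a failed startup back to this change.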