ory · ory-bot · May 4, 2026
@@ -0,0 +1,17 @@
+## v26.2.9
+
+### Patch security vulnerabilities in dependencies
+
+Bump several dependencies to patched versions to address security advisories reported by Dependabot.
+
+Notable updates:
+
+- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string
+  literals).
+- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface).
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header).
+- `postcss` to `>=8.5.10` (XSS via unescaped `</style>` in CSS stringify output).
+- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators).
+- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion).
+- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`,
+  `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.
@@ -0,0 +1,42 @@
+## v26.2.9
+
+### Harden identity-schema loading against denial-of-service
+
+Adds a structural pre-parse gate to identity-schema loading. Before a customer-supplied schema reaches the upstream JSON Schema
+compiler, kratos now rejects schemas that exceed any of the following limits:
+
+- 1 MiB body size on the fetched schema document.
+- 32 levels of nested objects or arrays.
+- 1024 keys per object (`properties`, `patternProperties`, `$defs`, etc.).
+- 128 elements per array (`allOf`, `anyOf`, `oneOf`, tuple `items`, etc.).
+- 8192 total nodes across the schema tree.
+
+The same pass also rejects `$ref` values that resolve to the document root (`#`, `#/`, or empty) — these produce a
+self-referential pointer in the compiled schema and would otherwise crash the kratos process via fatal stack overflow at validate
+time. Invalid regular expressions in `pattern` and `patternProperties` keys are now caught up front, instead of panicking deep in
+the upstream compiler.
+
+When kratos fetches a schema URL outside of an HTTP request context (for example from a background task), the loader now attaches
+an SSRF-guarded HTTP client by default. Request paths that already attach a configured client via the request middleware are
+unaffected.
+
+The Ory Network HTTP cache for identity schemas now caps response bodies at the same 1 MiB limit and refuses to cache anything
+larger.
+
+Existing identity schemas at realistic sizes (well under all limits) are unaffected.
+
+### Patch security vulnerabilities in dependencies
+
+Bump several dependencies to patched versions to address security advisories reported by Dependabot.
+
+Notable updates:
+
+- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string
+  literals).
+- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface).
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header).
+- `postcss` to `>=8.5.10` (XSS via unescaped `</style>` in CSS stringify output).
+- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators).
+- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion).
+- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`,
+  `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.
@@ -0,0 +1,17 @@
+## v26.2.9
+
+### Patch security vulnerabilities in dependencies
+
+Bump several dependencies to patched versions to address security advisories reported by Dependabot.
+
+Notable updates:
+
+- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string
+  literals).
+- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface).
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header).
+- `postcss` to `>=8.5.10` (XSS via unescaped `</style>` in CSS stringify output).
+- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators).
+- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion).
+- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`,
+  `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.
@@ -0,0 +1,17 @@
+## v26.2.9
+
+### Patch security vulnerabilities in dependencies
+
+Bump several dependencies to patched versions to address security advisories reported by Dependabot.
+
+Notable updates:
+
+- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string
+  literals).
+- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface).
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header).
+- `postcss` to `>=8.5.10` (XSS via unescaped `</style>` in CSS stringify output).
+- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators).
+- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion).
+- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`,
+  `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.
@@ -1,5 +1,6 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.9                                   | 2026-05-04   |
 | 26.2.8                                   | 2026-04-28   |
 | 26.2.7                                   | 2026-04-24   |
 | 26.2.6                                   | 2026-04-22   |

@@ -1,5 +1,6 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.9                                   | 2026-05-04   |
 | 26.2.8                                   | 2026-04-28   |
 | 26.2.7                                   | 2026-04-24   |
 | 26.2.6                                   | 2026-04-22   |

@@ -1,5 +1,6 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.9                                   | 2026-05-04   |
 | 26.2.8                                   | 2026-04-28   |
 | 26.2.7                                   | 2026-04-24   |
 | 26.2.6                                   | 2026-04-22   |

@@ -1,5 +1,6 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.9                                   | 2026-05-04   |
 | 26.2.8                                   | 2026-04-28   |
 | 26.2.7                                   | 2026-04-24   |
 | 26.2.6                                   | 2026-04-22   |

@@ -1,5 +1,6 @@
 | Image Tag                                | Release Date |
 | ---------------------------------------- | ------------ |
+| 26.2.9                                   | 2026-05-04   |
 | 26.2.8                                   | 2026-04-28   |
 | 26.2.7                                   | 2026-04-24   |
 | 26.2.6                                   | 2026-04-22   |

@@ -0,0 +1,17 @@
+## v26.2.9
+
+### Patch security vulnerabilities in dependencies
+
+Bump several dependencies to patched versions to address security advisories reported by Dependabot.
+
+Notable updates:
+
+- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string
+  literals).
+- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface).
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header).
+- `postcss` to `>=8.5.10` (XSS via unescaped `</style>` in CSS stringify output).
+- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators).
+- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion).
+- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`,
+  `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.