DATE:
AUTHOR: Ory Team

Ory Network, Ory Hydra, Ory Kratos, Ory Keto, Ory Oathkeeper, Ory Polis, Ory Elements v26.2.9 released


Ory Network

Hide the "Sign up" link on the Account Experience login page

Admins can now hide the "Sign up" link on the login card without disabling registration. Toggle the new "Show registration link on login page" switch in the Ory Console under Account Experience > UI theming. The switch appears only when the new Account Experience is enabled, because the legacy Hosted UI ignores this setting.

The switch is cosmetic only:

  • The /ui/registration page remains reachable by direct URL.

  • SSO first-time login still auto-provisions accounts.

For self-hosted @ory/elements-react consumers, the same behavior is available via the optional hide_registration_link field on ProjectConfiguration. The default is false (link is shown) at every layer, so existing projects see no change.

Identity region API

Operators on Ory Network's Global Region can now explicitly choose where each identity's data is homed.

  • The Kratos admin identity API accepts an optional region field on POST, PATCH (JSON-patch add/replace on /region), GET, and batch import endpoints.

  • Self-service responses include region read-only on /sessions/whoami and in the identity object embedded in every flow response.

  • Enterprise-auth SSO (SCIM, SAML, OIDC) honors a region output from Jsonnet mappers and a new default_region on organizations.

  • Region values are validated against the project's home_region using a containment model: Global contains every region; super-regions EU, Asia, and US Continental (US east + west) contain their specific regions. Out-of-bounds values are rejected with 400 Bad Request.

Patch security vulnerabilities in dependencies

Bump several dependencies to patched versions to address security advisories reported by Dependabot.

Notable updates:

  • github.com/jackc/pgx/v5 to v5.9.2 across all Go modules (SQL injection via placeholder confusion in dollar-quoted string literals).

  • github.com/moby/spdystream to v0.5.1 (denial of service on container runtime interface).

  • go.opentelemetry.io/otel to v1.41.0 (remote DoS amplification via multi-value baggage header).

  • postcss to >=8.5.10 (XSS via unescaped </style> in CSS stringify output).

  • uuid to >=14.0.0 (missing buffer bounds check in v3/v5/v6 generators).

  • @xmldom/xmldom to >=0.8.13 (XML node injection and uncontrolled recursion).

  • axios, follow-redirects, lodash, picomatch, brace-expansion, serialize-javascript, yaml, file-type, i18next-fs-backend, @nestjs/core to their respective patched versions.

Search Enterprise SSO organizations in Console

The Enterprise SSO organizations list now has a search field. Type a name or domain to filter the list and jump to that organization's settings.

Show code recipient address during refresh and 2FA login

When a user requests a one-time code during a refresh or second-factor login, the "code sent" screen now displays the exact address the code was delivered to instead of the generic "the address you provided" phrasing. This helps users recognize which of their addresses was used.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Hydra

Patch security vulnerabilities in dependencies

Bump several dependencies to patched versions to address security advisories reported by Dependabot.

Notable updates:

  • github.com/jackc/pgx/v5 to v5.9.2 across all Go modules (SQL injection via placeholder confusion in dollar-quoted string literals).

  • github.com/moby/spdystream to v0.5.1 (denial of service on container runtime interface).

  • go.opentelemetry.io/otel to v1.41.0 (remote DoS amplification via multi-value baggage header).

  • postcss to >=8.5.10 (XSS via unescaped </style> in CSS stringify output).

  • uuid to >=14.0.0 (missing buffer bounds check in v3/v5/v6 generators).

  • @xmldom/xmldom to >=0.8.13 (XML node injection and uncontrolled recursion).

  • axios, follow-redirects, lodash, picomatch, brace-expansion, serialize-javascript, yaml, file-type, i18next-fs-backend, @nestjs/core to their respective patched versions.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Kratos

Harden identity-schema loading against denial-of-service

Adds a structural pre-parse gate to identity-schema loading. Before a customer-supplied schema reaches the upstream JSON Schema compiler, kratos now rejects schemas that exceed any of the following limits:

  • 1 MiB body size on the fetched schema document.

  • 32 levels of nested objects or arrays.

  • 1024 keys per object (properties, patternProperties, $defs, etc.).

  • 128 elements per array (allOf, anyOf, oneOf, tuple items, etc.).

  • 8192 total nodes across the schema tree.

The same pass also rejects $ref values that resolve to the document root (#, #/, or empty) — these produce a self-referential pointer in the compiled schema and would otherwise crash the kratos process via fatal stack overflow at validate time. Invalid regular expressions in pattern and patternProperties keys are now caught up front, instead of panicking deep in the upstream compiler.

When kratos fetches a schema URL outside of an HTTP request context (for example from a background task), the loader now attaches an SSRF-guarded HTTP client by default. Request paths that already attach a configured client via the request middleware are unaffected.

The Ory Network HTTP cache for identity schemas now caps response bodies at the same 1 MiB limit and refuses to cache anything larger.

Existing identity schemas at realistic sizes (well under all limits) are unaffected.
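The pre-parse gate described above, as an added Go example that is not Kratos's own code: it applies the five limits listed, rejects a root-pointing $ref, and compiles every string-valued pattern up front. The function and constant names are ours, and the regex engine the upstream compiler uses is not stated on this page, so the pattern check with Go's RE2 regexp is an approximation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Limits taken from the release notes above; the constant names are ours.
const maxBody, maxDepth, maxKeys, maxElems, maxNodes = 1 << 20, 32, 1024, 128, 8192

// GateSchema rejects a raw schema document that is too large, breaks a structural
// limit, points $ref at the document root, or carries a regex that will not compile.
func GateSchema(body []byte) error {
	var doc any
	if len(body) > maxBody || json.Unmarshal(body, &doc) != nil {
		return fmt.Errorf("schema rejected: %d bytes (cap %d) or not valid JSON", len(body), maxBody)
	}
	return walk(doc, 1, new(int))
}

// walk never resolves $ref, so the gate cannot be driven into the recursion it guards against.
func walk(v any, depth int, nodes *int) error {
	arr, _ := v.([]any)          // nil unless v is an array
	obj, _ := v.(map[string]any) // nil unless v is an object
	if *nodes++; *nodes > maxNodes || len(obj) > maxKeys || len(arr) > maxElems ||
		depth > maxDepth && (obj != nil || arr != nil) { // leaf values are not a nesting level
		return fmt.Errorf("limit hit at depth %d: %d nodes, %d keys, %d elements", depth, *nodes, len(obj), len(arr))
	}
	children := arr
	for k, child := range obj {
		s, isStr := child.(string)
		if k == "$ref" && isStr && (s == "" || s == "#" || s == "#/") {
			return fmt.Errorf("$ref %q points at the document root", s)
		}
		if k == "pattern" && isStr { // a string-valued "pattern" is the keyword
			if _, err := regexp.Compile(s); err != nil {
				return fmt.Errorf("invalid pattern: %w", err)
			}
		}
		children = append(children, child)
	}
	for _, c := range children {
		if err := walk(c, depth+1, nodes); err != nil {
			return err
		}
	}
	return nil
}
```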

Identity region API

Operators on Ory Network's Global Region can now explicitly choose where each identity's data is homed.

  • The Kratos admin identity API accepts an optional region field on POST, PATCH (JSON-patch add/replace on /region), GET, and batch import endpoints.

  • Self-service responses include region read-only on /sessions/whoami and in the identity object embedded in every flow response.

  • Enterprise-auth SSO (SCIM, SAML, OIDC) honors a region output from Jsonnet mappers and a new default_region on organizations.

  • Region values are validated against the project's home_region using a containment model: Global contains every region; super-regions EU, Asia, and US Continental (US east + west) contain their specific regions. Out-of-bounds values are rejected with 400 Bad Request.
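The containment check described above, as an added Go example that is not Ory's code: the super-region names follow the notes, the leaf region identifiers are constructed placeholders rather than Ory's real ones, and the 400 status mirrors the stated rejection while the 200 on success is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
)

// parent maps each region to its immediate super-region. Super-region names
// follow the release notes; the leaf names are constructed placeholders,
// not Ory's real region identifiers.
var parent = map[string]string{
	"eu":                 "global",
	"asia":               "global",
	"us-continental":     "global",
	"eu-placeholder-1":   "eu",
	"asia-placeholder-1": "asia",
	"us-east":            "us-continental",
	"us-west":            "us-continental",
}

// Contains reports whether super is region itself or one of its ancestors,
// so "global" contains everything and "us-continental" contains us-east/us-west.
func Contains(super, region string) bool {
	for r, ok := region, true; ok; r, ok = parent[r] {
		if r == super {
			return true
		}
	}
	return false
}

// ValidateRegion checks a requested region against the project's home_region
// and returns the HTTP status the admin API answers with (assumed: 200 on success).
func ValidateRegion(homeRegion, requested string) (int, error) {
	if _, known := parent[requested]; !known && requested != "global" {
		return http.StatusBadRequest, fmt.Errorf("unknown region %q", requested)
	}
	if !Contains(homeRegion, requested) {
		return http.StatusBadRequest, fmt.Errorf("region %q is outside home region %q", requested, homeRegion)
	}
	return http.StatusOK, nil
}
```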

Patch security vulnerabilities in dependencies

Bump several dependencies to patched versions to address security advisories reported by Dependabot.

Notable updates:

  • github.com/jackc/pgx/v5 to v5.9.2 across all Go modules (SQL injection via placeholder confusion in dollar-quoted string literals).

  • github.com/moby/spdystream to v0.5.1 (denial of service on container runtime interface).

  • go.opentelemetry.io/otel to v1.41.0 (remote DoS amplification via multi-value baggage header).

  • postcss to >=8.5.10 (XSS via unescaped </style> in CSS stringify output).

  • uuid to >=14.0.0 (missing buffer bounds check in v3/v5/v6 generators).

  • @xmldom/xmldom to >=0.8.13 (XML node injection and uncontrolled recursion).

  • axios, follow-redirects, lodash, picomatch, brace-expansion, serialize-javascript, yaml, file-type, i18next-fs-backend, @nestjs/core to their respective patched versions.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Keto

Patch security vulnerabilities in dependencies

Bump several dependencies to patched versions to address security advisories reported by Dependabot.

Notable updates:

  • github.com/jackc/pgx/v5 to v5.9.2 across all Go modules (SQL injection via placeholder confusion in dollar-quoted string literals).

  • github.com/moby/spdystream to v0.5.1 (denial of service on container runtime interface).

  • go.opentelemetry.io/otel to v1.41.0 (remote DoS amplification via multi-value baggage header).

  • postcss to >=8.5.10 (XSS via unescaped </style> in CSS stringify output).

  • uuid to >=14.0.0 (missing buffer bounds check in v3/v5/v6 generators).

  • @xmldom/xmldom to >=0.8.13 (XML node injection and uncontrolled recursion).

  • axios, follow-redirects, lodash, picomatch, brace-expansion, serialize-javascript, yaml, file-type, i18next-fs-backend, @nestjs/core to their respective patched versions.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Oathkeeper

Patch security vulnerabilities in dependencies

Bump several dependencies to patched versions to address security advisories reported by Dependabot.

Notable updates:

  • github.com/jackc/pgx/v5 to v5.9.2 across all Go modules (SQL injection via placeholder confusion in dollar-quoted string literals).

  • github.com/moby/spdystream to v0.5.1 (denial of service on container runtime interface).

  • go.opentelemetry.io/otel to v1.41.0 (remote DoS amplification via multi-value baggage header).

  • postcss to >=8.5.10 (XSS via unescaped </style> in CSS stringify output).

  • uuid to >=14.0.0 (missing buffer bounds check in v3/v5/v6 generators).

  • @xmldom/xmldom to >=0.8.13 (XML node injection and uncontrolled recursion).

  • axios, follow-redirects, lodash, picomatch, brace-expansion, serialize-javascript, yaml, file-type, i18next-fs-backend, @nestjs/core to their respective patched versions.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Polis

Patch security vulnerabilities in dependencies

Bump several dependencies to patched versions to address security advisories reported by Dependabot.

Notable updates:

  • github.com/jackc/pgx/v5 to v5.9.2 across all Go modules (SQL injection via placeholder confusion in dollar-quoted string literals).

  • github.com/moby/spdystream to v0.5.1 (denial of service on container runtime interface).

  • go.opentelemetry.io/otel to v1.41.0 (remote DoS amplification via multi-value baggage header).

  • postcss to >=8.5.10 (XSS via unescaped </style> in CSS stringify output).

  • uuid to >=14.0.0 (missing buffer bounds check in v3/v5/v6 generators).

  • @xmldom/xmldom to >=0.8.13 (XML node injection and uncontrolled recursion).

  • axios, follow-redirects, lodash, picomatch, brace-expansion, serialize-javascript, yaml, file-type, i18next-fs-backend, @nestjs/core to their respective patched versions.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Elements

Hide the "Sign up" link on the Account Experience login page

Admins can now hide the "Sign up" link on the login card without disabling registration. Toggle the new "Show registration link on login page" switch in the Ory Console under Account Experience > UI theming. The switch appears only when the new Account Experience is enabled, because the legacy Hosted UI ignores this setting.

The switch is cosmetic only:

  • The /ui/registration page remains reachable by direct URL.

  • SSO first-time login still auto-provisions accounts.

For self-hosted @ory/elements-react consumers, the same behavior is available via the optional hide_registration_link field on ProjectConfiguration. The default is false (link is shown) at every layer, so existing projects see no change.

Patch security vulnerabilities in dependencies

Bump several dependencies to patched versions to address security advisories reported by Dependabot.

Notable updates:

  • github.com/jackc/pgx/v5 to v5.9.2 across all Go modules (SQL injection via placeholder confusion in dollar-quoted string literals).

  • github.com/moby/spdystream to v0.5.1 (denial of service on container runtime interface).

  • go.opentelemetry.io/otel to v1.41.0 (remote DoS amplification via multi-value baggage header).

  • postcss to >=8.5.10 (XSS via unescaped </style> in CSS stringify output).

  • uuid to >=14.0.0 (missing buffer bounds check in v3/v5/v6 generators).

  • @xmldom/xmldom to >=0.8.13 (XML node injection and uncontrolled recursion).

  • axios, follow-redirects, lodash, picomatch, brace-expansion, serialize-javascript, yaml, file-type, i18next-fs-backend, @nestjs/core to their respective patched versions.

Show code recipient address during refresh and 2FA login

When a user requests a one-time code during a refresh or second-factor login, the "code sent" screen now displays the exact address the code was delivered to instead of the generic "the address you provided" phrasing. This helps users recognize which of their addresses was used.


This is now available on Ory Network, for the Ory Enterprise License, and will be part of the next Ory Open Source release.


Ory Terraform

No significant changes in this release.
