This release includes the fix for the LDAP injection vulnerability
in auth.ldap module (advisory GHSA-5835-4gvc-32pc, CVE-2026-40193).
All users using auth.ldap are advised to upgrade, as this vulnerability
can be used to extract LDAP directory information, including password
hashes and other authorization information.
Thanks @ RealHurrison and @Ghost1032 for detailed report!
Fixes
- auth/ldap: Fix GHSA-5835-4gvc-32pc
- module: Break dependency cycles when loading config correctly (Thanks @balejk)