9.6.0-alpha.55 (2026-03-22)

Bug Fixes

• Auth data exposed via /users/me endpoint (GHSA-37mj-c2wf-cx96) (#10278) (875cf10)

9.6.0-alpha.54 (2026-03-22)

Bug Fixes

• MFA recovery code single-use bypass via concurrent requests (GHSA-2299-ghjr-6vjp) (#10275) (5e70094)

8.6.61 (2026-03-22)

Bug Fixes

• Auth data exposed via /users/me endpoint (GHSA-37mj-c2wf-cx96) (#10279) (5b8998e)

8.6.60 (2026-03-22)

Bug Fixes

• MFA recovery code single-use bypass via concurrent requests (GHSA-2299-ghjr-6vjp) (#10276) (fc3da35)

9.6.0-alpha.53 (2026-03-21)

Bug Fixes

• SQL injection via aggregate and distinct field names in PostgreSQL adapter (GHSA-p2w6-rmh7-w8q3) (#10272) (bdddab5)

9.6.0-alpha.52 (2026-03-21)

Bug Fixes

• Denial of service via unindexed database query for unconfigured auth providers (GHSA-g4cf-xj29-wqqr) (#10270) (fbac847)

9.6.0-alpha.51 (2026-03-21)

Bug Fixes

• Create CLP not enforced before user field validation on signup (#10268) (a0530c2)

9.6.0-alpha.50 (2026-03-21)

Bug Fixes

• Account lockout race condition allows bypassing threshold via concurrent requests (#10266) (ff70fee)

9.6.0-alpha.49 (2026-03-21)

Bug Fixes

• Add configurable batch request sub-request limit via option requestComplexity.batchRequestLimit (#10265) (164ed0d)

9.6.0-alpha.48 (2026-03-21)

Bug Fixes

• Session update endpoint allows overwriting server-generated session fields (GHSA-jc39-686j-wp6q) (#10263) (ea68fc0)