Changelog

ZITADEL
Back to all versions

4.13.0

2025-05-22
Contains Breaking Changes
minor

Breaking Changes 1

  • Update Login V2 to Next.js 16 and React 19 with theme changes breaking
    Updated framework to Next.js 16.1.6 and React 19.2.4. Introduced an API caching strategy for settings and updated default theme colors from blue to a neutral black/white palette.
    Login V2 Next.js

Security 1

  • Resolve vulnerabilities in tar and rollup dependencies (#11889)
    Updated node-tar and Rollup 4 to address vulnerabilities including CVE-2026-23745.
    Dependencies

Features 3

  • Support DSN/URL connection strings for PostgreSQL and Redis (#11468, #11469)
    A DSN (Data Source Name) field for PostgreSQL and a URL field for Redis have been added to the configuration. Connection pool and tuning settings remain available as overlays.
    Database PostgreSQL Redis
  • Update Login V2 to Next.js 16 and React 19 with theme changes breaking
    Updated framework to Next.js 16.1.6 and React 19.2.4. Introduced an API caching strategy for settings and updated default theme colors from blue to a neutral black/white palette.
    Login V2 Next.js
  • Metadata updates in Actions v2 via RetrieveIdentityProviderIntent (#11369, #11719, #11747)
    The RetrieveIdentityProviderIntent API now supports metadata updates via the new UserAction 'oneof' field (CreateUser/UpdateUser).
    Actions v2 User Service

Bug Fixes 10

  • Validate organization existence before creating user (#11647, #11532)
    Prevents the creation of users associated with a non-existent Organization ID.
    User Service v2 API
  • Fix manager removal in Console (#11627, #11543)
    Corrected an event emission bug in SearchUserAutocompleteComponent that prevented its removal in the UI.
    Console
  • Fix organization column display in user grants (#11742, #10822)
    Ensures the 'org' column in the user grants table correctly displays the granted organization name.
    Console
  • Fix role assignment deletion during un-modified saves (#11756, #10517)
    Prevents the accidental deletion of all roles when a user grant is saved without modifications.
    Console
  • Switch Console to WebKeys v2 stable endpoints (#11807, #10773)
    Updated Console to use stable v2 WebKey endpoints instead of v2beta.
    Console v2 API
  • Disable auto-input features for usernames in Login UI (#11129, #11124)
    Sets auto-capitalization to none and disables auto-correct/spell-checking on username fields to prevent issues with case-sensitive logins on mobile devices.
    Login UI
  • Resolve HTTP/2 memory leaks in Login V2 (#11830, #10562)
    Switched to connect-rpc based HTTP/1.1 transport to resolve a memory leak associated with HTTP/2 clients in the Login V2 application.
    Login V2
  • Allow IDP registration when local registration is disabled in Login V2 (#11731, #11138)
    Removed the dependency on 'allowRegister' for IDP redirects, allowing external registration even if local registration is disabled.
    Login V2
  • Fix LDAP login flow and redirection in Login V2 (#11788, #11096)
    Ensures LDAP logic correctly redirects with preserved context parameters, fixing 404 errors in the flow.
    Login V2 LDAP
  • Fix ui_locales being ignored in Login V2 (#11617)
    Ensures ui_locales from the authRequest are properly validated and honored, with a new environment option to control whether RP or user preferences take priority.
    Login V2

Deprecations 1

  • Deprecate AddHumanUser and UpdateHumanUser in Actions v2
    AddHumanUser and UpdateHumanUser are deprecated in favor of the more flexible UserAction field which supports metadata updates.
    Actions v2

Contributors 13

M @mridang A @adlerhurst P @peintnermax C @conblem G @grvijayan I @IAM-marco W @wim07101993 V @vitorbari L @livio-a D @dataviruset E @elinashoko T @TomRoyls F @fforootd