4.9.1

2026-01-14
patch

Bug Fixes (6)

  • Allow SMTP configuration without password for unauthenticated relays (#11193, #11084)
    Removed the requirement for a password from the SMTP mail configuration. This allows users to configure generic SMTP servers that don't require authentication, such as internal relay servers that reject authentication attempts.
    smtp email
  • Implement missing filters on ListAdministrators endpoint (#11319)
    Added implementation for and, or, not, and role filters on the ListAdministrators API endpoint. These filters were previously returning List.Query.Invalid errors due to missing implementation.
    api admin
  • Populate date variable when building without ldflags (#11316)
    Fixed an issue where the date variable remained empty when building ZITADEL through go build or IDE debugging tools without ldflags. This caused an empty version string which prevented projection upgrades on dev systems.
    build projections
  • Handle automatic re-authentication using id_token_hint properly in login v1 (#11326)
    Fixed an issue where automatic re-authentication in login v1 was loading the wrong login policy (from default org/instance instead of user's organization). This caused MFA required errors when policy settings differed between the user's org and default policies. The auth request now properly loads the user from id_token_hint and aggregates with their organization information.
    login auth mfa
  • Correctly redirect to password page when ignoreUnknownUsernames is enabled (#11130, #11006)
    Fixed the login flow to properly respect the ignoreUnknownUsernames setting. Previously, when users were rejected due to login settings or not found, the system would return 'User not found' errors instead of redirecting to the password page, which allowed username enumeration.
    login security
  • Use onChange instead of onBlur with react-hook-form in login UI (#11354)
    Fixed an issue where submit buttons were not correctly enabled on blur events by changing the react-hook-form mode property to onChange.
    login ui
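
The ignoreUnknownUsernames fix above (#11130, #11006), sketched as a regression check. This is an added example, not ZITADEL's code: the function names, the directory map and the sample usernames are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

var errUserNotFound = errors.New("User not found")

// Constructed sample data (hypothetical model, not ZITADEL's types):
// username -> whether the login settings allow that user to sign in.
var directory = map[string]bool{
	"alice@example.com": true,
	"bob@example.com":   false,
}

// nextStepLeaky models the behaviour described before the fix: unknown or
// rejected users get an error even when ignoreUnknownUsernames is enabled.
func nextStepLeaky(name string, ignoreUnknown bool) (string, error) {
	if allowed, ok := directory[name]; !ok || !allowed {
		return "", errUserNotFound
	}
	return "password", nil
}

// nextStepFixed models the fixed flow: with the setting enabled, every
// username is sent on to the password page.
func nextStepFixed(name string, ignoreUnknown bool) (string, error) {
	if allowed, ok := directory[name]; (!ok || !allowed) && !ignoreUnknown {
		return "", errUserNotFound
	}
	return "password", nil
}

// distinguishable reports whether responses differ between usernames.
func distinguishable(step func(string, bool) (string, error), names []string) bool {
	seen := map[string]bool{}
	for _, n := range names {
		s, err := step(n, true) // ignoreUnknownUsernames enabled
		seen[fmt.Sprintf("%s|%v", s, err)] = true
	}
	return len(seen) > 1
}

func main() {
	names := []string{"alice@example.com", "bob@example.com", "nobody@example.com"}
	fmt.Println("before fix, distinguishable:", distinguishable(nextStepLeaky, names))
	fmt.Println("after fix, distinguishable:", distinguishable(nextStepFixed, names))
}
```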