v26.2.14

v26.2.14

Fix SCIM group memberships showing different results on /Groups and /Users

For identities that belong to many SCIM groups, group changes could leave reads disagreeing with each other. GET /Groups/{id} listed the user as a member, but GET /Users/{id} did not — or vice versa.

This is fixed. Group membership changes on /scim/{client}/v2/Groups/{id} (PATCH, PUT, DELETE) now either fully succeed or fully fail. A failed request returns a clear error and leaves no partial state behind, so you can safely retry. Identities with hundreds of group memberships are also fully supported.

verify_new_address hook rejects duplicate email addresses

The verify_new_address settings hook now checks whether the proposed new address is already owned by another identity before starting a verification flow.

Previously, a user could initiate an email change to an address that was already registered. The hook would send a verification code, and only at the point of code submission would the conflict surface. In the worst case — a race where another identity claimed the address between code generation and submission — the error was shown only on the verification page, with no way to recover without restarting the settings flow.

The hook now rejects the change immediately on settings submission if the address is taken, returning a duplicate credentials error on the settings page. If the race still occurs (address claimed after the hook runs but before the code is submitted), the duplicate credentials error is also shown on the verification page. Clicking "Resend code" after that error re-checks uniqueness and shows the same error rather than sending another code.