v26.2.15

v26.2.15

Block invisible-character duplicate accounts

Hidden characters in an email or username — zero-width spaces, joiners, soft hyphens, the byte-order mark, and similar invisibles — are now removed before the identifier is stored. This stops someone from registering a second account that looks identical to an existing one but is treated as different. Identifiers are also case- and width-normalized, so ＡＬＩＣＥ@example.com and [email protected] are the same account.

International identifiers keep working: Hebrew, Arabic, and emoji are all accepted. Characters that merely look alike across scripts — such as the Cyrillic “а” and the Latin “a” — are kept distinct and do not collide.

Fix SCIM Group attribute filtering returning HTTP 500

GET /scim/{client}/v2/Groups/{id}?attributes=... and GET /scim/{client}/v2/Groups?attributes=... now return the requested attributes correctly. Previously, any attributes= value on a Group endpoint caused a server-side panic that surfaced as HTTP 500 with an internal stack trace in the response body.

The excludedAttributes= form on Group endpoints, and all attribute filtering on User endpoints, were unaffected and continue to work as before.