From 430c5719e1afac5ffcdb6bc603bce86beb263d07 Mon Sep 17 00:00:00 2001
From: Dominic R
Date: Sat, 3 Jan 2026 15:32:22 -0500
Subject: [PATCH] core: handle deserialization errors from FileField migration (#19067)

after migration 0054 changed icon fields from Django FileField to a TextField based custom FileField, old sessions which had serialized Source/Application model instances fail to deserialize. The old FieldFile descriptors try to access field.storage which no longer exists. We can't edit that migration since it has already been ran by many/ So, you add AttributeError and TypeError to exception handling in SessionStore.decode() to return an empty session instead of crashing with 500.
---
 authentik/core/sessions.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/authentik/core/sessions.py b/authentik/core/sessions.py
index 81c5c0464189..54fd64339825 100644
--- a/authentik/core/sessions.py
+++ b/authentik/core/sessions.py
@@ -66,9 +66,12 @@ def encode(self, session_dict):
 def decode(self, session_data):
 try:
 return pickle.loads(session_data) # nosec
- except pickle.PickleError:
- # ValueError, unpickling exceptions. If any of these happen, just return an empty
- # dictionary (an empty session)
+ except (pickle.PickleError, AttributeError, TypeError):
+ # PickleError, ValueError - unpickling exceptions
+ # AttributeError - can happen when Django model fields (e.g., FileField) are unpickled
+ # and their descriptors fail to initialize (e.g., missing storage)
+ # TypeError - can happen with incompatible pickled objects
+ # If any of these happen, just return an empty dictionary (an empty session)
 pass
 return {}
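Review bot: The new comment in `decode()` lists ValueError as handled, but the `except` tuple does not catch it, so a ValueError raised by `pickle.loads` still propagates and presumably still ends in a 500. The pickle documentation also names EOFError, ImportError and IndexError as possible during unpickling, so stale sessions that reference a moved or removed class would take the same path. Consider `except (pickle.PickleError, AttributeError, TypeError, ValueError, EOFError, ImportError, IndexError):`, or drop ValueError from the comment if it is deliberately left uncaught. The handler also discards the session silently: a log entry carrying only the exception type (never the session bytes) would make mass invalidation after an upgrade, or corrupted session rows, visible to operators. Because the `pickle.loads` finding is suppressed with `# nosec`, a short comment stating that `session_data` only ever comes from server-controlled storage would record the assumption this call depends on.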