From 36cf019d70b621c14e696f13b049c8c67b5ed79b Mon Sep 17 00:00:00 2001
From: Sebastian Knackstedt
Date: Sat, 1 Nov 2025 18:59:12 +0100
Subject: [PATCH] stages/user_write: Fix user attributes are not sanitized under certain conditions
---
 authentik/stages/user_write/stage.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/authentik/stages/user_write/stage.py b/authentik/stages/user_write/stage.py
index 5c5e15819469..36671eebca38 100644
--- a/authentik/stages/user_write/stage.py
+++ b/authentik/stages/user_write/stage.py
@@ -115,7 +115,11 @@ def update_user(self, user: User):
 continue
 # For exact attributes match, update the dictionary in place
 elif key == "attributes":
- user.attributes.update(value)
+ if isinstance(value, dict):
+ sanitized_values = {k: sanitize_item(v) for k, v in value.items()}
+ user.attributes.update(sanitized_values)
+ else:
+ user.attributes.update(value)
 # If using dot notation, use the correct helper to update the nested value
 elif key.startswith("attributes.") or key.startswith("attributes_"):
 UserWriteStageView.write_attribute(user, key, value)
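Review bot: The new `else:` branch under `elif key == "attributes":` still calls `user.attributes.update(value)` without sanitizing, so any value that is not a `dict` instance but that `dict.update` accepts (another mapping type, or an iterable of key/value pairs) is stored unsanitized as before. Normalising first would close that path without changing which inputs raise: `sanitized_values = {k: sanitize_item(v) for k, v in dict(value).items()}` followed by `user.attributes.update(sanitized_values)`, with the `isinstance` check removed. The patch touches only `stage.py` and adds no import, so `sanitize_item` is presumably already in scope there; that should be confirmed, and a regression test that sends a whole `attributes` mapping through this stage would pin the fix. `update_user` starts and continues outside the hunk.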