    72 vulnerabilities found for authentik by goauthentik

    CVE-2026-49448 (GCVE-0-2026-49448)

    Vulnerability from nvd – Published: 2026-06-02 20:31 – Updated: 2026-06-03 12:46
    Title
    authentik: SourceStage bypass via empty POST
    Summary
    authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Impacted products
    Vendor: goauthentik  Product: authentik  Affected versions: < 2025.12.6, < 2026.2.4, < 2026.5.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49448",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T12:46:21.867335Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T12:46:25.064Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.5.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T20:31:20.323Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8"
            }
          ],
          "source": {
            "advisory": "GHSA-xp7f-xjjx-gwm8",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: SourceStage bypass via empty POST"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-49448",
        "datePublished": "2026-06-02T20:31:20.323Z",
        "dateReserved": "2026-05-30T02:43:33.106Z",
        "dateUpdated": "2026-06-03T12:46:25.064Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49443 (GCVE-0-2026-49443)

    Vulnerability from nvd – Published: 2026-06-02 20:31 – Updated: 2026-06-03 13:59
    Title
    authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API
    Summary
    authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Impacted products
    Vendor: goauthentik  Product: authentik  Affected versions: < 2025.12.6, < 2026.2.4, < 2026.5.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49443",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T13:59:05.016537Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T13:59:41.215Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.5.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T20:31:09.108Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr"
            }
          ],
          "source": {
            "advisory": "GHSA-wr38-7xg8-fqxr",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-49443",
        "datePublished": "2026-06-02T20:31:09.108Z",
        "dateReserved": "2026-05-30T02:43:33.106Z",
        "dateUpdated": "2026-06-03T13:59:41.215Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47201 (GCVE-0-2026-47201)

    Vulnerability from nvd – Published: 2026-06-02 20:30 – Updated: 2026-06-03 14:08
    Title
    authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user
    Summary
    authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Impacted products
    Vendor: goauthentik  Product: authentik  Affected versions: < 2025.12.5, < 2026.2.3, < 2026.5.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47201",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T13:56:09.745826Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T14:08:11.139Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.3"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.5.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik\u0027s SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T20:30:55.674Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3"
            }
          ],
          "source": {
            "advisory": "GHSA-c3m2-jqmq-pvp3",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47201",
        "datePublished": "2026-06-02T20:30:55.674Z",
        "dateReserved": "2026-05-18T22:07:37.436Z",
        "dateUpdated": "2026-06-03T14:08:11.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42849 (GCVE-0-2026-42849)

    Vulnerability from nvd – Published: 2026-06-02 20:30 – Updated: 2026-06-03 19:05
    Title
    authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover
    Summary
    authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Impacted products
    Vendor: goauthentik  Product: authentik  Affected versions: < 2025.12.5, < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42849",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T19:04:51.712238Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T19:05:26.760Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T20:30:43.839Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-pgff-5mx8-fqj3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-pgff-5mx8-fqj3"
            }
          ],
          "source": {
            "advisory": "GHSA-pgff-5mx8-fqj3",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42849",
        "datePublished": "2026-06-02T20:30:43.839Z",
        "dateReserved": "2026-04-30T16:44:48.378Z",
        "dateUpdated": "2026-06-03T19:05:26.760Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41569 (GCVE-0-2026-41569)

    Vulnerability from nvd – Published: 2026-06-02 20:30 – Updated: 2026-06-03 14:29
    Title
    authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to attacker-controlled endpoints
    Summary
    authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com.evil.tld/), causing the victim's browser to POST the signed WS-Federation login response to attacker-controlled infrastructure. This issue has been patched in version 2026.2.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Impacted products
    Vendor: goauthentik  Product: authentik  Affected versions: < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41569",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T14:28:31.094643Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T14:29:52.842Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com.evil.tld/), causing the victim\u0027s browser to POST the signed WS-Federation login response to attacker-controlled infrastructure. This issue has been patched in version 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T20:30:21.664Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-995q-72cw-cfw3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-995q-72cw-cfw3"
            }
          ],
          "source": {
            "advisory": "GHSA-995q-72cw-cfw3",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to attacker-controlled endpoints"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41569",
        "datePublished": "2026-06-02T20:30:21.664Z",
        "dateReserved": "2026-04-21T14:15:21.957Z",
        "dateUpdated": "2026-06-03T14:29:52.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41577 (GCVE-0-2026-41577)

    Vulnerability from nvd – Published: 2026-06-02 17:12 – Updated: 2026-06-03 13:18
    Title
    authentik: SAML source does not validate Conditions, timing, or audience on assertions
    Summary
    authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Impacted products
    Vendor: goauthentik  Product: authentik  Affected versions: < 2025.12.5, < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41577",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T13:18:07.296261Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T13:18:23.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T17:12:26.690Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-4v4x-x5pr-8gp2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-4v4x-x5pr-8gp2"
            }
          ],
          "source": {
            "advisory": "GHSA-4v4x-x5pr-8gp2",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: SAML source does not validate Conditions, timing, or audience on assertions"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41577",
        "datePublished": "2026-06-02T17:12:26.690Z",
        "dateReserved": "2026-04-21T14:15:21.958Z",
        "dateUpdated": "2026-06-03T13:18:23.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
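
    The record above says the SAML source processor skipped the Conditions element entirely. The following is an added example, not authentik's code or its patch: a stand-alone check of NotBefore, NotOnOrAfter and AudienceRestriction with the standard library, run against a constructed assertion. The SP entity ID and the 60-second clock-skew allowance are assumptions of the example.

```python
"""Validate the <saml:Conditions> of a SAML 2.0 assertion before trusting it.

Added example, not authentik's code or patch: the three checks CVE-2026-41577
says were missing (NotBefore, NotOnOrAfter, AudienceRestriction), using only
the standard library and a constructed assertion.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP entity ID that this processor is acting for.
OUR_AUDIENCE = "https://sp.example.test/saml/metadata"

# Constructed sample assertion, valid for five minutes from 12:00 UTC.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2026-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2026-06-01T12:00:00Z" NotOnOrAfter="2026-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """xsd:dateTime in UTC ('...Z') -> aware datetime; an explicit offset also works."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_conditions(assertion_xml, expected_audience, now, clock_skew_seconds=60):
    """Return the list of Conditions violations; an empty list means accept.

    Semantics follow SAML Core 2.5.1: NotBefore is inclusive, NotOnOrAfter is
    exclusive, and every AudienceRestriction present must name the expected
    audience. A missing Conditions element is reported, not silently passed.
    `now` may be an aware datetime or an ISO-8601 string.
    """
    if isinstance(now, str):
        now = parse_saml_time(now)
    skew = timedelta(seconds=clock_skew_seconds)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["assertion carries no Conditions element"]
    problems = []
    not_before = cond.get("NotBefore")
    if not_before is not None and now + skew < parse_saml_time(not_before):
        problems.append(f"not yet valid: NotBefore={not_before}")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is not None and now - skew >= parse_saml_time(not_on_or_after):
        problems.append(f"expired: NotOnOrAfter={not_on_or_after}")
    for restriction in cond.findall("saml:AudienceRestriction", NS):
        audiences = {a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text}
        if expected_audience not in audiences:
            problems.append(f"audience mismatch: assertion is for {sorted(audiences)}")
    return problems
```

    Time-window checks bound the replay window but do not close it: an assertion is still replayable inside its NotOnOrAfter window unless the processor also remembers the assertion IDs it has already consumed until they expire.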

    CVE-2026-40172 (GCVE-0-2026-40172)

    Vulnerability from nvd – Published: 2026-05-22 19:00 – Updated: 2026-05-22 19:15
    Title
    authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser
    Summary
    authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege escalation. This bypasses the stricter permission model enforced in group-management paths and enables delegated user-management permissions to escalate target users to administrator-equivalent privilege. Users with permission to update groups, or permission to update users, are able to add themselves or other users they have permissions on to groups which have superuser permissions. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.12.5
    Affected: >= 2026.2.0-rc1, < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40172",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T19:14:39.079892Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T19:15:18.353Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2026.2.0-rc1, \u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege escalation. This bypasses the stricter permission model enforced in group-management paths and enables delegated user-management permissions to escalate target users to administrator-equivalent privilege. Users with permission to update groups, or permission to update users, are able to add themselves or other users they have permissions on to groups which have superuser permissions. This issue has been fixed in versions 2025.12.5 and 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T19:00:52.278Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-h6x7-hjjc-wjc9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-h6x7-hjjc-wjc9"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3"
            }
          ],
          "source": {
            "advisory": "GHSA-h6x7-hjjc-wjc9",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40172",
        "datePublished": "2026-05-22T19:00:52.278Z",
        "dateReserved": "2026-04-09T19:31:56.015Z",
        "dateUpdated": "2026-05-22T19:15:18.353Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
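
    The check the record above says was missing, written out as an added example rather than authentik's code or patch: a user update that replaces group membership must compare the requested set against the current one and refuse to add any is_superuser group unless the caller holds enable_group_superuser. The permission codenames are the ones the advisory names; the Group/User dataclasses and the in-memory group table are constructed stand-ins for the database, and checking only newly added groups (so a delegated admin can still edit an existing superuser) is this example's design choice, not a statement about the upstream fix.

```python
"""Model of the missing check behind CVE-2026-40172: assigning groups through
a user update must not widen the target into a superuser group unless the
caller holds enable_group_superuser.

Added example, not authentik's code or patch. Permission codenames follow the
advisory; the data model and GROUPS table are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Group:
    pk: str
    name: str
    is_superuser: bool = False


@dataclass
class User:
    pk: int
    username: str
    groups: set = field(default_factory=set)   # set of group pks


# Constructed group table: one ordinary group, one superuser group.
GROUPS = {
    "g-staff": Group("g-staff", "staff"),
    "g-admins": Group("g-admins", "authentik Admins", is_superuser=True),
}


def vulnerable_set_groups(target, requested_group_pks):
    """Pre-fix behaviour: the serializer writes whatever groups were sent."""
    target.groups = set(requested_group_pks)
    return target


def group_update_denial(actor_perms, target, requested_group_pks, groups_by_pk=GROUPS):
    """Return None if the update is allowed, else a reason string.

    Only groups that the update would *add* are examined, so a delegated
    admin can still edit a user who is already a superuser without being
    able to grant that status to anyone.
    """
    if "change_user" not in actor_perms:
        return "change_user on the target user is required"
    requested = set(requested_group_pks)
    unknown = requested - set(groups_by_pk)
    if unknown:
        return f"unknown group(s): {sorted(unknown)}"
    added = requested - target.groups
    escalating = sorted(pk for pk in added if groups_by_pk[pk].is_superuser)
    if escalating and "enable_group_superuser" not in actor_perms:
        return f"adding superuser group(s) {escalating} requires enable_group_superuser"
    return None


def hardened_set_groups(actor_perms, target, requested_group_pks, groups_by_pk=GROUPS):
    """Apply the update only when group_update_denial() finds nothing wrong."""
    reason = group_update_denial(actor_perms, target, requested_group_pks, groups_by_pk)
    if reason is not None:
        raise PermissionError(reason)
    target.groups = set(requested_group_pks)
    return target
```

    The same delta logic belongs on every path that can change membership (user PATCH, group PATCH, bulk import); a check that lives only in the group endpoint is exactly what the record describes being bypassed.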

    CVE-2026-40166 (GCVE-0-2026-40166)

    Vulnerability from nvd – Published: 2026-05-22 18:52 – Updated: 2026-05-26 18:47
    Title
    authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/
    Summary
    authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. The affected endpoint is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.12.5
    Affected: >= 2026.2.0-rc1, < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T18:47:45.180359Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T18:47:57.418Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2026.2.0-rc1, \u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. The affected endpoint is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T18:52:46.650Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hhpc-rqgm-pxj4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hhpc-rqgm-pxj4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3"
            }
          ],
          "source": {
            "advisory": "GHSA-hhpc-rqgm-pxj4",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40166",
        "datePublished": "2026-05-22T18:52:46.650Z",
        "dateReserved": "2026-04-09T19:31:56.014Z",
        "dateUpdated": "2026-05-26T18:47:57.418Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40165 (GCVE-0-2026-40165)

    Vulnerability from nvd – Published: 2026-05-20 23:35 – Updated: 2026-05-21 14:13
    Title
    authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation
    Summary
    authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-91 - XML Injection (aka Blind XPath Injection)
    • CWE-436 - Interpretation Conflict
    Assigner
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.12.5
    Affected: >= 2026.2.0-rc1, < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40165",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T14:13:10.961177Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T14:13:20.329Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2026.2.0-rc1, \u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-91",
                  "description": "CWE-91: XML Injection (aka Blind XPath Injection)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436: Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-20T23:35:18.309Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9wj8-xv4r-qwrp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9wj8-xv4r-qwrp"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/47dec5c6b7fb4a62bfad2ae8bddf002bde7ba774",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/47dec5c6b7fb4a62bfad2ae8bddf002bde7ba774"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5"
            }
          ],
          "source": {
            "advisory": "GHSA-9wj8-xv4r-qwrp",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40165",
        "datePublished": "2026-05-20T23:35:18.309Z",
        "dateReserved": "2026-04-09T19:31:56.014Z",
        "dateUpdated": "2026-05-21T14:13:20.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
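
    The truncation the record above describes is a parsing property, not a cryptographic one, and it can be reproduced without any SAML library. The block below is an added example, not authentik's code or its fix: it parses a constructed Subject with comments kept as nodes (the shape lxml produces by default), shows that reading `.text` yields only the part before the comment, and gives two hardened alternatives. The NameID values and the Subject fragments are constructed; signature handling is out of scope here, and the reason a comment survives a valid signature is that the usual XML-DSig canonicalisation (exclusive C14N without comments) discards comments before hashing.

```python
"""Identifier truncation via an XML comment inside <saml:NameID>.

Added example, not authentik's code or fix. Reproduces the parsing behaviour
CVE-2026-40165 describes using only the standard library: comments are kept
as child nodes, so `.text` stops at the comment, while collecting every text
node recovers the full value.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed Subject elements. In INJECTED the attacker set their own NameID
# at the upstream IdP to the victim's address, a comment, and a suffix that
# keeps the full value unique on the IdP side.
CLEAN = f"""<saml:Subject xmlns:saml="{NS['saml']}">
  <saml:NameID Format="{EMAIL_FMT}">attacker@example.test</saml:NameID>
</saml:Subject>"""
INJECTED = f"""<saml:Subject xmlns:saml="{NS['saml']}">
  <saml:NameID Format="{EMAIL_FMT}">admin@example.test<!--x-->.attacker@example.test</saml:NameID>
</saml:Subject>"""


def _nameid_element(subject_xml):
    # insert_comments=True keeps comments as real child nodes, which is what
    # lxml does by default and what makes `.text` stop early.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(subject_xml, parser=parser)
    return root.find("saml:NameID", NS)


def _all_text(el):
    """Concatenate el.text and every child's tail; comment bodies are skipped."""
    parts = [el.text or ""]
    for child in el:
        if isinstance(child.tag, str):   # a real element: include its text too
            parts.append(_all_text(child))
        parts.append(child.tail or "")
    return "".join(parts)


def nameid_naive(subject_xml):
    """Vulnerable pattern: `.text` is only the text before the first child node."""
    return _nameid_element(subject_xml).text


def nameid_full(subject_xml):
    """Hardened: join every text node, including the tail that follows a comment."""
    return _all_text(_nameid_element(subject_xml))


def nameid_is_plain(subject_xml):
    """Stricter alternative: a NameID with any child node (comment or element) is rejected."""
    return len(_nameid_element(subject_xml)) == 0
```

    Of the two hardened options, rejecting any NameID that has child nodes is the safer default for an identifier field: there is no legitimate reason for markup inside it, and refusing it avoids having to reason about which concatenation the upstream IdP and the signature canonicaliser agreed on.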

    CVE-2026-25922 (GCVE-0-2026-25922)

    Vulnerability from nvd – Published: 2026-02-12 19:38 – Updated: 2026-02-17 16:19
    Title
    authentik has a Signature Verification Bypass via SAML Assertion Wrapping
    Summary
    authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.8.6
    Affected: >= 2025.10.0-rc1, < 2025.10.4
    Affected: >= 2025.10.0-rc1, < 2025.12.4

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25922",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T16:19:07.903041Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T16:19:14.739Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.8.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.10.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.12.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T19:38:16.850Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-jh35-c4cc-wjm4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-jh35-c4cc-wjm4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6"
            }
          ],
          "source": {
            "advisory": "GHSA-jh35-c4cc-wjm4",
            "discovery": "UNKNOWN"
          },
          "title": "authentik has a Signature Verification Bypass via SAML Assertion Wrapping"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25922",
        "datePublished": "2026-02-12T19:38:16.850Z",
        "dateReserved": "2026-02-09T16:22:17.785Z",
        "dateUpdated": "2026-02-17T16:19:14.739Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
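
    The record above is the classic assertion-wrapping shape: the processor verifies a signature but then acts on whichever Assertion comes first in document order. The following is an added example, not authentik's code or patch, showing the structural binding that prevents it: pick only the Assertion whose own enveloped ds:Signature references that Assertion's ID, and reject the response when zero or several assertions qualify. The Response is constructed, its ds:Signature is reduced to the Reference that matters here, and the cryptographic verification of the selected element is assumed to happen separately and is not implemented.

```python
"""Bind the assertion you act on to the signature you verified.

Added example, not authentik's code or patch. CVE-2026-25922: an unsigned
<saml:Assertion> placed before the signed one is picked up by a processor
that takes the first assertion. The hardened selector below returns only the
assertion whose own enveloped <ds:Signature> references its ID; verifying
that signature cryptographically is assumed to happen on the returned element.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed response: an attacker-inserted assertion for "admin" precedes
# the assertion the IdP really signed, which names "attacker". The Signature
# is a placeholder carrying only its Reference.
WRAPPED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_injected" Version="2.0">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_signed" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_signed"/></ds:SignedInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>attacker</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the signed assertion cut out: nothing should be accepted.
UNSIGNED_ONLY = WRAPPED[: WRAPPED.index('<saml:Assertion ID="_signed"')] + "</samlp:Response>"


def _nameid(assertion):
    el = assertion.find("saml:Subject/saml:NameID", NS)
    return None if el is None else (el.text or "")


def first_assertion_subject(response_xml):
    """Vulnerable selector: whatever Assertion comes first, signed or not."""
    root = ET.fromstring(response_xml)
    assertion = root.find(".//saml:Assertion", NS)
    return None if assertion is None else _nameid(assertion)


def signed_assertion(response_xml):
    """Return the single Assertion whose direct-child Signature references its own ID.

    Returns None when no assertion qualifies or more than one does; callers
    must treat None as a rejected response. A Signature that is not a direct
    child of the Assertion does not count, and a Reference to any other URI
    disqualifies the candidate.
    """
    root = ET.fromstring(response_xml)
    candidates = []
    for assertion in root.findall("saml:Assertion", NS):
        assertion_id = assertion.get("ID")
        sig = assertion.find("ds:Signature", NS)
        if assertion_id is None or sig is None:
            continue
        refs = [r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        if refs == ["#" + assertion_id]:
            candidates.append(assertion)
    return candidates[0] if len(candidates) == 1 else None


def signed_assertion_subject(response_xml):
    """Hardened selector: the NameID of the signed assertion, or None to reject."""
    assertion = signed_assertion(response_xml)
    return None if assertion is None else _nameid(assertion)
```

    The record's preconditions double as the operational mitigation: signing the whole Response (Verify Response Signature) or requiring encrypted assertions leaves the attacker nowhere to place an extra Assertion that the processor will trust, independently of how the selector is written.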

    CVE-2026-25748 (GCVE-0-2026-25748)

    Vulnerability from nvd – Published: 2026-02-12 19:36 – Updated: 2026-02-17 15:53
    Title
    authentik has a forward authentication bypass with broken cookie
    Summary
    authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set, which, depending on the application, can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: >= 2025.10.0-rc1, < 2025.10.4
    Affected: >= 2025.10.0-rc1, < 2025.12.4

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25748",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T15:52:54.989237Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T15:53:01.301Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.10.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.12.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T19:36:45.631Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4"
            }
          ],
          "source": {
            "advisory": "GHSA-fj56-5763-j8pp",
            "discovery": "UNKNOWN"
          },
          "title": "authentik has a forward authentication bypass with broken cookie"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25748",
        "datePublished": "2026-02-12T19:36:45.631Z",
        "dateReserved": "2026-02-05T18:35:52.356Z",
        "dateUpdated": "2026-02-17T15:53:01.301Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
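    The practical lesson of CVE-2026-25748 is on the application side: behind Traefik or Caddy forward auth, the app learns who the caller is only from the X-Authentik-* headers the proxy copies from the outpost's response, so a request that reaches the app without them must be rejected rather than treated as anonymous or, worse, as authenticated. The following is an added example, not authentik's code or the project's own. It assumes the proxy forwards the username, uid and groups headers (authentik documents a larger set), that groups are joined with "|", and that the app is reachable only through the proxy (otherwise a client could set these headers itself).

```python
"""Fail-closed handling of forward-auth identity headers (added example).

Not authentik's code. Models the downstream application behind a Traefik or
Caddy forward-auth setup: identity comes only from the X-Authentik-* headers
the proxy injects, and a request without them is refused. Assumptions: the
proxy forwards username, uid and groups; groups are "|"-joined; the app is
not reachable except through the proxy.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

REQUIRED_HEADERS = ("x-authentik-username", "x-authentik-uid")


@dataclass(frozen=True)
class Identity:
    username: str
    uid: str
    groups: Tuple[str, ...]


def identity_from_headers(headers: Mapping[str, str]) -> Optional[Identity]:
    """Return the forwarded identity, or None if any required header is absent or blank."""
    norm = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name in REQUIRED_HEADERS:
        if not norm.get(name, "").strip():
            return None
    raw_groups = norm.get("x-authentik-groups", "")
    groups = tuple(g.strip() for g in raw_groups.split("|") if g.strip())
    return Identity(norm["x-authentik-username"].strip(), norm["x-authentik-uid"].strip(), groups)


def handle_request(headers: Mapping[str, str], path: str) -> Tuple[int, str]:
    """Authorize a request: 401 without a forwarded identity, 403 for /admin outside the admins group."""
    ident = identity_from_headers(headers)
    if ident is None:
        # Fail closed: the proxy passed the request on, but no identity was asserted.
        return 401, "no forwarded identity"
    if path.startswith("/admin") and "admins" not in ident.groups:
        return 403, "forbidden"
    return 200, f"hello {ident.username}"
```

    The same rule applies in the proxy configuration: only the headers listed in Traefik's forwardAuth authResponseHeaders (or Caddy's forward_auth copy_headers) reach the app, and any X-Authentik-* header supplied by the client must be dropped at the proxy rather than passed through.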

    CVE-2026-25227 (GCVE-0-2026-25227)

    Vulnerability from nvd – Published: 2026-02-12 19:25 – Updated: 2026-02-17 15:43
    Title
    authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint
    Summary
    authentik is an open-source identity provider. From 2021.3.1 up to, but not including, 2025.8.6, 2025.10.4 and 2025.12.4, when delegated permissions are used, a user holding the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping or policy behaves. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: >= 2021.3.1, < 2025.8.6
    Affected: >= 2025.10.0-rc1, < 2025.10.4
    Affected: >= 2025.10.0-rc1, < 2025.12.4

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25227",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T15:43:40.444205Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T15:43:53.801Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2021.3.1, \u003c 2025.8.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.10.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.12.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T19:25:26.932Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6"
            }
          ],
          "source": {
            "advisory": "GHSA-qvxx-mfm6-626f",
            "discovery": "UNKNOWN"
          },
          "title": "authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25227",
        "datePublished": "2026-02-12T19:25:26.932Z",
        "dateReserved": "2026-01-30T14:44:47.327Z",
        "dateUpdated": "2026-02-17T15:43:53.801Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
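    The advisory title for CVE-2026-25227 names the failure class, context key injection: a caller-supplied context dict reaches the namespace in which a stored expression is executed, so its keys can shadow names the expression or the evaluator trusts. The toy evaluator below is an added illustration of that class, not authentik's evaluator, its test endpoint or its fix; the expression, request and injected context are constructed, and the hardened variant shows the two usual defences (keep caller data under a single `context` name, reject reserved and underscore-prefixed keys).

```python
"""Context-key injection in a toy expression evaluator (added illustration).

NOT authentik's evaluator or its fix. A caller-supplied `context` dict is
merged straight into the globals the expression runs in, so the caller can
shadow trusted names such as `request`. The hardened variant namespaces the
caller's data and refuses reserved or dunder keys.
"""
import textwrap

RESERVED = {"request", "context"}


def _run(expression: str, namespace: dict):
    """Wrap the expression body in a function (so `return` works) and call it."""
    src = "def _policy():\n" + textwrap.indent(expression, "    ")
    exec(compile(src, "<expression>", "exec"), namespace)
    return namespace["_policy"]()


def evaluate_unsafe(expression: str, request: dict, context: dict):
    namespace = {"__builtins__": {}, "request": request}
    namespace.update(context)  # BUG: caller-controlled keys override trusted names
    return _run(expression, namespace)


def evaluate_hardened(expression: str, request: dict, context: dict):
    for key in context:
        if not key.isidentifier() or key.startswith("_") or key in RESERVED:
            raise ValueError(f"rejected context key {key!r}")
    # Caller data lives under one name; the expression must opt in via context[...]
    namespace = {"__builtins__": {}, "request": request, "context": dict(context)}
    return _run(expression, namespace)


# Constructed sample: a stored policy and the real caller, who is not a superuser.
POLICY = 'return request["user"]["is_superuser"]'
REQUEST = {"user": {"username": "eve", "is_superuser": False}}
# Constructed attacker-controlled "test" context: plain JSON-shaped data, no code,
# yet it replaces the trusted `request` name wholesale in the unsafe evaluator.
INJECTED = {"request": {"user": {"is_superuser": True}}}


def demo():
    honest = evaluate_unsafe(POLICY, REQUEST, {})
    forged = evaluate_unsafe(POLICY, REQUEST, INJECTED)
    try:
        evaluate_hardened(POLICY, REQUEST, INJECTED)
        blocked = False
    except ValueError:
        blocked = True
    return honest, forged, blocked


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

    Key filtering narrows the surface but is not a sandbox; the durable fix for a preview endpoint is to require the same privilege that editing the expression requires, which is what restricting the endpoint to more than a view permission achieves.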

    CVE-2025-64708 (GCVE-0-2025-64708)

    Vulnerability from nvd – Published: 2025-11-19 17:03 – Updated: 2025-11-20 15:48
    Title
    authentik invitation expiry is delayed by at least 5 minutes
    Summary
    authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, invitations were treated as valid regardless of whether they had expired; expiry was enforced only by the background task that deletes expired objects. In a normal scenario that task runs every 5 minutes, so an expired invitation could remain usable for up to 5 minutes; with a large task backlog it could remain usable for longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround is to create a policy that explicitly checks whether the invitation is still valid, bind it to the invitation stage on the invitation flow, and deny access if the invitation is not valid.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.10.2
    Affected: < 2025.8.5

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64708",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-20T15:48:16.353693Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-20T15:48:29.627Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.10.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2025.8.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, and then bind it to the invitation stage on the invitation flow, and denying access if the invitation is not valid."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-19T17:03:22.858Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830"
            }
          ],
          "source": {
            "advisory": "GHSA-ch7q-53v8-73pc",
            "discovery": "UNKNOWN"
          },
          "title": "authentik invitation expiry is delayed by at least 5 minutes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64708",
        "datePublished": "2025-11-19T17:03:22.858Z",
        "dateReserved": "2025-11-10T14:07:42.921Z",
        "dateUpdated": "2025-11-20T15:48:29.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64521 (GCVE-0-2025-64521)

    Vulnerability from nvd – Published: 2025-11-19 17:03 – Updated: 2025-11-19 21:09
    Title
    authentik deactivated service accounts can authenticate to OAuth
    Summary
    authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when a client authenticates with client_id and client_secret to an OAuth provider, authentik creates a service account for that provider. Authentication for this account remained possible even after the account had been deactivated. Other permissions are applied correctly, and federation with other providers still takes assigned policies into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround is to add a policy to the application that explicitly checks whether the service account is still valid and denies access if it is not.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-289 - Authentication Bypass by Alternate Name
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.10.2
    Affected: < 2025.8.5

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64521",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-19T21:09:31.811847Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-19T21:09:40.560Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.10.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2025.8.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks if the service account is still valid, and deny access if not."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-289",
                  "description": "CWE-289: Authentication Bypass by Alternate Name",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-19T17:03:19.703Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xr73-jq5p-ch8r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xr73-jq5p-ch8r"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/9dbdfc3f1be0f1be36f8efce2442897b2a54a71c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/9dbdfc3f1be0f1be36f8efce2442897b2a54a71c"
            }
          ],
          "source": {
            "advisory": "GHSA-xr73-jq5p-ch8r",
            "discovery": "UNKNOWN"
          },
          "title": "authentik deactivated service accounts can authenticate to OAuth"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64521",
        "datePublished": "2025-11-19T17:03:19.703Z",
        "dateReserved": "2025-11-05T21:15:39.400Z",
        "dateUpdated": "2025-11-19T21:09:40.560Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53942 (GCVE-0-2025-53942)

    Vulnerability from nvd – Published: 2025-07-23 20:35 – Updated: 2025-07-23 20:49
    Title
    authentik has an insufficient check for account active status during OAuth/SAML authentication
    Summary
    authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.3 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state in which they cannot access the API but, crucially, they can authorize applications if they know the URL of the application. As a workaround, add an expression policy to the User Login stage of the respective authentication flow with the expression return request.context["pending_user"].is_active; with that policy bound, the User Login stage runs only when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: <= 2025.4.3, < 2025.4.4
    Affected: >= 2025.6.0-rc1, < 2025.6.4

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53942",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-23T20:49:20.375492Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-23T20:49:29.415Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 2025.4.3, \u003c 2025.4.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.6.0-rc1, \u003c 2025.6.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. To workaround this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression of return request.context[\"pending_user\"].is_active. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-23T20:35:07.243Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9g4j-v8w5-7x42",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9g4j-v8w5-7x42"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/c3629d12bfe3d32d3dc8f85c0ee1f087a55dde8f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/c3629d12bfe3d32d3dc8f85c0ee1f087a55dde8f"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/ce3f9e3763c1778bf3a16b98c95d10f4091436ab",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/ce3f9e3763c1778bf3a16b98c95d10f4091436ab"
            }
          ],
          "source": {
            "advisory": "GHSA-9g4j-v8w5-7x42",
            "discovery": "UNKNOWN"
          },
          "title": "authentik has an insufficient check for account active status during OAuth/SAML authentication"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-53942",
        "datePublished": "2025-07-23T20:35:07.243Z",
        "dateReserved": "2025-07-14T17:23:35.262Z",
        "dateUpdated": "2025-07-23T20:49:29.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
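    Three of the advisories above (CVE-2025-53942, CVE-2025-64708 and CVE-2025-64521) recommend the same shape of workaround: an expression policy, bound to a stage or application, that re-checks a property the core code did not enforce. The block below is an added example, not authentik code: a constructed harness that runs policy bodies the way an expression evaluator does (wrap the body in a function so `return` works, call it with a request object) and exercises the three checks against constructed requests. Only the `request.context["pending_user"]` key is taken from the CVE text; reading the invitation from `request.context["invitation"]` with an `expires` field, and `request.user` being the provider's service account in the client_credentials case, are assumptions to adapt to your flow. authentik's real evaluator also exposes ak_* helpers and richer objects that are not modelled here.

```python
"""Expression-policy harness for the workarounds in the advisories above.

Added example, not authentik code. Policy bodies return True (allow) or
False (deny). The harness models only request.user and request.context.
Assumptions: invitation reachable as request.context["invitation"] with an
`expires` attribute; request.user is the service account for client
credentials grants. "pending_user" comes from the CVE-2025-53942 text.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace
import textwrap


@dataclass
class PolicyRequest:
    user: SimpleNamespace
    context: dict = field(default_factory=dict)


def run_policy(body: str, request: PolicyRequest) -> bool:
    """Execute a policy body as an evaluator would: wrap it in a function and call it."""
    src = "def _policy(request):\n" + textwrap.indent(body, "    ")
    namespace = {"__builtins__": {}, "now": lambda: datetime.now(timezone.utc)}
    exec(compile(src, "<policy>", "exec"), namespace)
    return bool(namespace["_policy"](request))


# CVE-2025-53942: bind to the User Login stage of the authentication flow.
PENDING_USER_ACTIVE = 'return request.context["pending_user"].is_active'

# CVE-2025-64708: bind to the Invitation stage. Expiry is checked at use time
# instead of waiting for the periodic cleanup task. Context key is an assumption.
INVITATION_UNEXPIRED = textwrap.dedent('''
    invitation = request.context.get("invitation")
    if invitation is None:
        return False
    return invitation.expires is None or invitation.expires > now()
''').strip()

# CVE-2025-64521: bind to the application; request.user is the service
# account created for the OAuth provider (assumption).
SERVICE_ACCOUNT_ACTIVE = "return request.user.is_active"


def demo() -> dict:
    """Run each policy against constructed allow and deny cases."""
    now_ = datetime.now(timezone.utc)
    someone = SimpleNamespace(is_active=True)
    return {
        "pending_user_deactivated": run_policy(
            PENDING_USER_ACTIVE, PolicyRequest(someone, {"pending_user": SimpleNamespace(is_active=False)})),
        "pending_user_active": run_policy(
            PENDING_USER_ACTIVE, PolicyRequest(someone, {"pending_user": SimpleNamespace(is_active=True)})),
        "invitation_expired": run_policy(
            INVITATION_UNEXPIRED,
            PolicyRequest(someone, {"invitation": SimpleNamespace(expires=now_ - timedelta(minutes=1))})),
        "invitation_fresh": run_policy(
            INVITATION_UNEXPIRED,
            PolicyRequest(someone, {"invitation": SimpleNamespace(expires=now_ + timedelta(hours=1))})),
        "invitation_missing": run_policy(INVITATION_UNEXPIRED, PolicyRequest(someone)),
        "service_account_disabled": run_policy(
            SERVICE_ACCOUNT_ACTIVE, PolicyRequest(SimpleNamespace(is_active=False))),
        "service_account_active": run_policy(SERVICE_ACCOUNT_ACTIVE, PolicyRequest(someone)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

    Each body denies by default when the object it needs is absent, so a mis-bound policy fails closed rather than open; once you upgrade to a fixed release the policies become redundant but stay harmless.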

    CVE-2026-49448 (GCVE-0-2026-49448)

    Vulnerability from cvelistv5 – Published: 2026-06-02 20:31 – Updated: 2026-06-03 12:46
    Title
    authentik: SourceStage bypass via empty POST
    Summary
    authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.12.6
    Affected: < 2026.2.4
    Affected: < 2026.5.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49448",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T12:46:21.867335Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T12:46:25.064Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.5.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T20:31:20.323Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8"
            }
          ],
          "source": {
            "advisory": "GHSA-xp7f-xjjx-gwm8",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: SourceStage bypass via empty POST"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-49448",
        "datePublished": "2026-06-02T20:31:20.323Z",
        "dateReserved": "2026-05-30T02:43:33.106Z",
        "dateUpdated": "2026-06-03T12:46:25.064Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49443 (GCVE-0-2026-49443)

    Vulnerability from cvelistv5 – Published: 2026-06-02 20:31 – Updated: 2026-06-03 13:59
    Title
    authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API
    Summary
    authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.12.6
    Affected: < 2026.2.4
    Affected: < 2026.5.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49443",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T13:59:05.016537Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T13:59:41.215Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.6"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.4"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.5.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T20:31:09.108Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr"
            }
          ],
          "source": {
            "advisory": "GHSA-wr38-7xg8-fqxr",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-49443",
        "datePublished": "2026-06-02T20:31:09.108Z",
        "dateReserved": "2026-05-30T02:43:33.106Z",
        "dateUpdated": "2026-06-03T13:59:41.215Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47201 (GCVE-0-2026-47201)

    Vulnerability from cvelistv5 – Published: 2026-06-02 20:30 – Updated: 2026-06-03 14:08
    Title
    authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user
    Summary
    authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.12.5
    Affected: < 2026.2.3
    Affected: < 2026.5.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47201",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T13:56:09.745826Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T14:08:11.139Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.3"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.5.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik\u0027s SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T20:30:55.674Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3"
            }
          ],
          "source": {
            "advisory": "GHSA-c3m2-jqmq-pvp3",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47201",
        "datePublished": "2026-06-02T20:30:55.674Z",
        "dateReserved": "2026-05-18T22:07:37.436Z",
        "dateUpdated": "2026-06-03T14:08:11.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42849 (GCVE-0-2026-42849)

    Vulnerability from cvelistv5 – Published: 2026-06-02 20:30 – Updated: 2026-06-03 19:05
    Title
    authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover
    Summary
    authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.12.5
    Affected: < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42849",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T19:04:51.712238Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T19:05:26.760Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T20:30:43.839Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-pgff-5mx8-fqj3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-pgff-5mx8-fqj3"
            }
          ],
          "source": {
            "advisory": "GHSA-pgff-5mx8-fqj3",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42849",
        "datePublished": "2026-06-02T20:30:43.839Z",
        "dateReserved": "2026-04-30T16:44:48.378Z",
        "dateUpdated": "2026-06-03T19:05:26.760Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41569 (GCVE-0-2026-41569)

    Vulnerability from cvelistv5 – Published: 2026-06-02 20:30 – Updated: 2026-06-03 14:29
    Title
    authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to attacker-controlled endpoints
    Summary
    authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com.evil.tld/), causing the victim's browser to POST the signed WS-Federation login response to attacker-controlled infrastructure. This issue has been patched in version 2026.2.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41569",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T14:28:31.094643Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T14:29:52.842Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com.evil.tld/), causing the victim\u0027s browser to POST the signed WS-Federation login response to attacker-controlled infrastructure. This issue has been patched in version 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T20:30:21.664Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-995q-72cw-cfw3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-995q-72cw-cfw3"
            }
          ],
          "source": {
            "advisory": "GHSA-995q-72cw-cfw3",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to attacker-controlled endpoints"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41569",
        "datePublished": "2026-06-02T20:30:21.664Z",
        "dateReserved": "2026-04-21T14:15:21.957Z",
        "dateUpdated": "2026-06-03T14:29:52.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41577 (GCVE-0-2026-41577)

    Vulnerability from cvelistv5 – Published: 2026-06-02 17:12 – Updated: 2026-06-03 13:18
    Title
    authentik: SAML source does not validate Conditions, timing, or audience on assertions
    Summary
    authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    References
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.12.5
    Affected: < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41577",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T13:18:07.296261Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T13:18:23.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T17:12:26.690Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-4v4x-x5pr-8gp2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-4v4x-x5pr-8gp2"
            }
          ],
          "source": {
            "advisory": "GHSA-4v4x-x5pr-8gp2",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: SAML source does not validate Conditions, timing, or audience on assertions"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41577",
        "datePublished": "2026-06-02T17:12:26.690Z",
        "dateReserved": "2026-04-21T14:15:21.958Z",
        "dateUpdated": "2026-06-03T13:18:23.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40172 (GCVE-0-2026-40172)

    Vulnerability from cvelistv5 – Published: 2026-05-22 19:00 – Updated: 2026-05-22 19:15
    Title
    authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser
    Summary
    authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege escalation. This bypasses the stricter permission model enforced in group-management paths and enables delegated user-management permissions to escalate target users to administrator-equivalent privilege. Users with permissions to update groups or permissions to update users are able to add themselves or other users they have permissions on to users which have superuser permissions. This issue has been fixed in versions 22025.12.5 and 2026.2.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.12.5
    Affected: >= 2026.2.0-rc1, < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40172",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T19:14:39.079892Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T19:15:18.353Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2026.2.0-rc1, \u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege escalation. This bypasses the stricter permission model enforced in group-management paths and enables delegated user-management permissions to escalate target users to administrator-equivalent privilege. Users with permission to update groups, or permission to update users, are able to add themselves or other users they have permissions on to groups which have superuser permissions. This issue has been fixed in versions 2025.12.5 and 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T19:00:52.278Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-h6x7-hjjc-wjc9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-h6x7-hjjc-wjc9"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3"
            }
          ],
          "source": {
            "advisory": "GHSA-h6x7-hjjc-wjc9",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40172",
        "datePublished": "2026-05-22T19:00:52.278Z",
        "dateReserved": "2026-04-09T19:31:56.015Z",
        "dateUpdated": "2026-05-22T19:15:18.353Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40166 (GCVE-0-2026-40166)

    Vulnerability from cvelistv5 – Published: 2026-05-22 18:52 – Updated: 2026-05-26 18:47
    Title
    authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/
    Summary
    authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. The affected endpoint is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-863 - Incorrect Authorization
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.12.5
    Affected: >= 2026.2.0-rc1, < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-26T18:47:45.180359Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-26T18:47:57.418Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2026.2.0-rc1, \u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. The affected endpoint is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T18:52:46.650Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hhpc-rqgm-pxj4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hhpc-rqgm-pxj4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3"
            }
          ],
          "source": {
            "advisory": "GHSA-hhpc-rqgm-pxj4",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40166",
        "datePublished": "2026-05-22T18:52:46.650Z",
        "dateReserved": "2026-04-09T19:31:56.014Z",
        "dateUpdated": "2026-05-26T18:47:57.418Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
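
The two records above (CVE-2026-40172 and CVE-2026-40166) are both object-level authorization failures in an API layer: a user update that forwards a groups list without checking the groups, and a token listing that nests a full provider record. The following is an added example, not authentik's code and not the project's fix; it models both checks against a small in-memory permission model. The classes (Group, Provider, User, AccessToken), the has_perm lookup and the view_oauth2provider codename are assumptions for the example; change_user and enable_group_superuser are the permission names the advisory uses.

```python
"""Added example (not authentik's code): object-level checks for a user PATCH
that assigns groups, and for a token listing that nests a provider."""

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks the permission a check requires."""


@dataclass(frozen=True)
class Group:
    name: str
    is_superuser: bool = False


@dataclass(frozen=True)
class Provider:
    name: str
    client_type: str        # "confidential" or "public"
    client_id: str
    client_secret: str


@dataclass
class User:
    username: str
    groups: frozenset = frozenset()
    # permission codename -> object names it is granted on ("*" = every object).
    # change_user / enable_group_superuser come from the advisory;
    # view_oauth2provider is the Django-style view permission (assumed name).
    perms: dict = field(default_factory=dict)

    def has_perm(self, codename: str, obj_name: str) -> bool:
        granted = self.perms.get(codename, set())
        return "*" in granted or obj_name in granted

    @property
    def is_superuser(self) -> bool:
        return any(g.is_superuser for g in self.groups)


@dataclass
class AccessToken:
    user: User
    provider: Provider


# (1) PATCH /api/v3/core/users/{pk}/ carrying a "groups" field

def patch_user_groups_vulnerable(caller: User, target: User, groups) -> None:
    # Only change_user on the target is checked; superuser groups pass through.
    if not caller.has_perm("change_user", target.username):
        raise Forbidden("change_user on " + target.username)
    target.groups = frozenset(groups)


def patch_user_groups_hardened(caller: User, target: User, groups) -> None:
    if not caller.has_perm("change_user", target.username):
        raise Forbidden("change_user on " + target.username)
    new = frozenset(groups)
    # Apply the group-side gate to every group being *added*, as the
    # group-management path does; the superuser gate is the one shown here.
    for group in new - target.groups:
        if group.is_superuser and not caller.has_perm("enable_group_superuser", group.name):
            raise Forbidden("enable_group_superuser on " + group.name)
    target.groups = new


# (2) GET /api/v3/oauth2/access_tokens/ with a nested provider object

def serialize_provider(provider: Provider, requester: User) -> dict:
    data = {"name": provider.name, "client_type": provider.client_type,
            "client_id": provider.client_id}
    # Holding a token for the provider is not a reason to see its secret; only
    # a requester allowed to view the provider object gets client_secret.
    if requester.has_perm("view_oauth2provider", provider.name):
        data["client_secret"] = provider.client_secret
    return data


def list_access_tokens_vulnerable(tokens, requester: User) -> list:
    # Nests the whole provider record, client_secret included.
    return [{"user": t.user.username, "provider": dict(vars(t.provider))}
            for t in tokens if t.user is requester]


def list_access_tokens_hardened(tokens, requester: User) -> list:
    return [{"user": t.user.username,
             "provider": serialize_provider(t.provider, requester)}
            for t in tokens if t.user is requester]


def demo() -> dict:
    """Runs both paths on constructed fixtures and reports what each allowed."""
    admins = Group("authentik Admins", is_superuser=True)
    helpdesk = User("helpdesk", perms={"change_user": {"bob"}})
    admin = User("admin", perms={"change_user": {"*"}, "enable_group_superuser": {"*"}})
    bob_v, bob_h, bob_a = User("bob"), User("bob"), User("bob")

    patch_user_groups_vulnerable(helpdesk, bob_v, {admins})
    try:
        patch_user_groups_hardened(helpdesk, bob_h, {admins})
        blocked = False
    except Forbidden:
        blocked = True
    patch_user_groups_hardened(admin, bob_a, {admins})   # legitimate grant still works

    grafana = Provider("grafana", "confidential", "grafana-client", "s3cr3t")
    tokens = [AccessToken(bob_h, grafana)]
    leaky = list_access_tokens_vulnerable(tokens, bob_h)[0]["provider"]
    tight = list_access_tokens_hardened(tokens, bob_h)[0]["provider"]
    return {
        "vulnerable_made_bob_superuser": bob_v.is_superuser,
        "hardened_blocked_helpdesk": blocked and not bob_h.is_superuser,
        "hardened_allowed_admin": bob_a.is_superuser,
        "vulnerable_exposes_secret": leaky.get("client_secret") == "s3cr3t",
        "hardened_exposes_secret": "client_secret" in tight,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

The point of the hardened PATCH path is that the check runs per group being added, with the group as the object, rather than once on the target user; a caller who can edit a user but cannot enable superuser on a group is stopped at that group. On the serializer side, nested objects inherit the permission problem of the parent endpoint, so the secret field is gated on a permission against the provider, not on the caller owning a token for it. Both are defence-in-depth patterns for reviewing similar code; the actual fix is the upgrade to 2025.12.5 or 2026.2.3.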

    CVE-2026-40165 (GCVE-0-2026-40165)

    Vulnerability from cvelistv5 – Published: 2026-05-20 23:35 – Updated: 2026-05-21 14:13
    Title
    authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation
    Summary
    authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-91 - XML Injection (aka Blind XPath Injection)
    • CWE-436 - Interpretation Conflict
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.12.5
    Affected: >= 2026.2.0-rc1, < 2026.2.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40165",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T14:13:10.961177Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T14:13:20.329Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.12.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2026.2.0-rc1, \u003c 2026.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-91",
                  "description": "CWE-91: XML Injection (aka Blind XPath Injection)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436: Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-20T23:35:18.309Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9wj8-xv4r-qwrp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9wj8-xv4r-qwrp"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/47dec5c6b7fb4a62bfad2ae8bddf002bde7ba774",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/47dec5c6b7fb4a62bfad2ae8bddf002bde7ba774"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5"
            }
          ],
          "source": {
            "advisory": "GHSA-9wj8-xv4r-qwrp",
            "discovery": "UNKNOWN"
          },
          "title": "authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40165",
        "datePublished": "2026-05-20T23:35:18.309Z",
        "dateReserved": "2026-04-09T19:31:56.014Z",
        "dateUpdated": "2026-05-21T14:13:20.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25922 (GCVE-0-2026-25922)

    Vulnerability from cvelistv5 – Published: 2026-02-12 19:38 – Updated: 2026-02-17 16:19
    Title
    authentik has a Signature Verification Bypass via SAML Assertion Wrapping
    Summary
    authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-347 - Improper Verification of Cryptographic Signature
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.8.6
    Affected: >= 2025.10.0-rc1, < 2025.10.4
    Affected: >= 2025.10.0-rc1, < 2025.12.4

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25922",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T16:19:07.903041Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T16:19:14.739Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.8.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.10.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.12.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T19:38:16.850Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-jh35-c4cc-wjm4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-jh35-c4cc-wjm4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6"
            }
          ],
          "source": {
            "advisory": "GHSA-jh35-c4cc-wjm4",
            "discovery": "UNKNOWN"
          },
          "title": "authentik has a Signature Verification Bypass via SAML Assertion Wrapping"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25922",
        "datePublished": "2026-02-12T19:38:16.850Z",
        "dateReserved": "2026-02-09T16:22:17.785Z",
        "dateUpdated": "2026-02-17T16:19:14.739Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
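
CVE-2026-40165 (NameID comment injection) and CVE-2026-25922 (assertion wrapping) above are the two classic structural checks a SAML service provider must make after the signature itself verifies: consume only the assertion the signature actually covers, and read NameID as a whole value. The following is an added example, not authentik's code and not the project's fix. It assumes an XML-DSig library has already verified ds:Signature over the element its ds:Reference URI names; no cryptography is done here. The XML documents are constructed sample input with placeholder signature values. Python's default ElementTree parser drops comments and joins the text around them, so the truncation does not reproduce there; the example parses with insert_comments=True, which keeps comment nodes in the tree the way lxml does by default and is the condition the NameID bug depends on.

```python
"""Added example (not authentik's code): selecting the signed Assertion and
extracting NameID safely from a SAML Response."""

import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]


def parse(xml_text: str) -> ET.Element:
    # insert_comments=True keeps <!-- --> nodes as children, so .text stops at
    # the comment exactly as it does in comment-preserving parsers such as lxml.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


# Vulnerable shape: first Assertion in document order, NameID read via .text.

def consume_response_vulnerable(xml_text: str) -> str:
    root = parse(xml_text)
    assertion = root.find("saml:Assertion", NS)          # whichever comes first
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    return nameid.text                                    # text before any child node


# Hardened shape.

def select_signed_assertion(root: ET.Element) -> ET.Element:
    assertions = list(root.iter(ASSERTION_TAG))           # anywhere in the document
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        raise ValueError("Assertion carries no enveloped Signature")
    uri = ref.get("URI", "")
    # The consumed element must be the one the (already verified) signature covers.
    if uri != "#" + (assertion.get("ID") or ""):
        raise ValueError("Signature Reference %r does not cover Assertion %r"
                         % (uri, assertion.get("ID")))
    return assertion


def extract_nameid(assertion: ET.Element) -> str:
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        raise ValueError("Assertion has no NameID")
    if len(nameid):   # comments, PIs or elements inside NameID: refuse, do not guess
        raise ValueError("NameID contains child nodes")
    value = (nameid.text or "").strip()
    if not value:
        raise ValueError("NameID is empty")
    return value


def consume_response(xml_text: str) -> tuple:
    try:
        assertion = select_signed_assertion(parse(xml_text))
        return ("ok", extract_nameid(assertion))
    except ValueError as exc:
        return ("rejected", str(exc))


# Constructed sample input (signature value is a placeholder).
SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_signed">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_signed"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Wrapping: an unsigned Assertion placed before the signed one.
WRAPPED = SIGNED.replace(
    '<saml:Assertion ID="_signed">',
    '<saml:Assertion ID="_evil"><saml:Subject><saml:NameID>admin@corp.example'
    '</saml:NameID></saml:Subject></saml:Assertion>\n  <saml:Assertion ID="_signed">')

# Comment injection: the attacker's real NameID at the IdP is
# admin@corp.example.evil.test; the comment is inserted after signing and is
# not part of exclusive C14N output, so the signature still verifies.
COMMENTED = SIGNED.replace("alice@corp.example", "admin@corp.example<!-- -->.evil.test")

if __name__ == "__main__":
    for name, doc in (("signed", SIGNED), ("wrapped", WRAPPED), ("commented", COMMENTED)):
        print(name, "vulnerable ->", consume_response_vulnerable(doc))
        print(name, "hardened  ->", consume_response(doc))
```

Two practical notes. The wrapping precondition in the advisory (assertion signature verified, response signature not) is why binding the consumed element to the Reference URI matters: a signature over the whole Response would already cover any injected sibling, an enveloped assertion signature does not. For NameID, rejecting any child node is stricter than joining the text fragments with itertext(); joining recovers the attacker's real identifier, but a NameID that contains markup is abnormal enough that refusing it is the safer default, and the same treatment belongs on attribute values used for user matching.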

    CVE-2026-25748 (GCVE-0-2026-25748)

    Vulnerability from cvelistv5 – Published: 2026-02-12 19:36 – Updated: 2026-02-17 15:53
    Title
    authentik has a forward authentication bypass with broken cookie
    Summary
    authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: >= 2025.10.0-rc1, < 2025.10.4
    Affected: >= 2025.10.0-rc1, < 2025.12.4

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25748",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T15:52:54.989237Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T15:53:01.301Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.10.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.12.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T19:36:45.631Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4"
            }
          ],
          "source": {
            "advisory": "GHSA-fj56-5763-j8pp",
            "discovery": "UNKNOWN"
          },
          "title": "authentik has a forward authentication bypass with broken cookie"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25748",
        "datePublished": "2026-02-12T19:36:45.631Z",
        "dateReserved": "2026-02-05T18:35:52.356Z",
        "dateUpdated": "2026-02-17T15:53:01.301Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25227 (GCVE-0-2026-25227)

    Vulnerability from cvelistv5 – Published: 2026-02-12 19:25 – Updated: 2026-02-17 15:43
    Title
    authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint
    Summary
    authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: >= 2021.3.1, < 2025.8.6
    Affected: >= 2025.10.0-rc1, < 2025.10.4
    Affected: >= 2025.10.0-rc1, < 2025.12.4

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25227",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T15:43:40.444205Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T15:43:53.801Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2021.3.1, \u003c 2025.8.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.10.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.10.0-rc1, \u003c 2025.12.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T19:25:26.932Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4"
            },
            {
              "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6"
            }
          ],
          "source": {
            "advisory": "GHSA-qvxx-mfm6-626f",
            "discovery": "UNKNOWN"
          },
          "title": "authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25227",
        "datePublished": "2026-02-12T19:25:26.932Z",
        "dateReserved": "2026-01-30T14:44:47.327Z",
        "dateUpdated": "2026-02-17T15:43:53.801Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64708 (GCVE-0-2025-64708)

    Vulnerability from cvelistv5 – Published: 2025-11-19 17:03 – Updated: 2025-11-20 15:48
    Title
    authentik invitation expiry is delayed by at least 5 minutes
    Summary
    authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, invitations were considered valid regardless of whether they had expired, relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large number of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, binding it to the invitation stage on the invitation flow, and denying access if the invitation is not valid.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.10.2
    Affected: < 2025.8.5

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64708",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-20T15:48:16.353693Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-20T15:48:29.627Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.10.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2025.8.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, and then bind it to the invitation stage on the invitation flow, and denying access if the invitation is not valid."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613: Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-19T17:03:22.858Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830"
            }
          ],
          "source": {
            "advisory": "GHSA-ch7q-53v8-73pc",
            "discovery": "UNKNOWN"
          },
          "title": "authentik invitation expiry is delayed by at least 5 minutes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64708",
        "datePublished": "2025-11-19T17:03:22.858Z",
        "dateReserved": "2025-11-10T14:07:42.921Z",
        "dateUpdated": "2025-11-20T15:48:29.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64521 (GCVE-0-2025-64521)

    Vulnerability from cvelistv5 – Published: 2025-11-19 17:03 – Updated: 2025-11-19 21:09
    Title
    authentik deactivated service accounts can authenticate to OAuth
    Summary
    authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied, and federation with other providers still takes assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks whether the service account is still valid, and denies access if not.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-289 - Authentication Bypass by Alternate Name
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: < 2025.10.2
    Affected: < 2025.8.5

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64521",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-19T21:09:31.811847Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-19T21:09:40.560Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2025.10.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2025.8.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks if the service account is still valid, and deny access if not."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-289",
                  "description": "CWE-289: Authentication Bypass by Alternate Name",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-19T17:03:19.703Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xr73-jq5p-ch8r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xr73-jq5p-ch8r"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/9dbdfc3f1be0f1be36f8efce2442897b2a54a71c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/9dbdfc3f1be0f1be36f8efce2442897b2a54a71c"
            }
          ],
          "source": {
            "advisory": "GHSA-xr73-jq5p-ch8r",
            "discovery": "UNKNOWN"
          },
          "title": "authentik deactivated service accounts can authenticate to OAuth"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64521",
        "datePublished": "2025-11-19T17:03:19.703Z",
        "dateReserved": "2025-11-05T21:15:39.400Z",
        "dateUpdated": "2025-11-19T21:09:40.560Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53942 (GCVE-0-2025-53942)

    Vulnerability from cvelistv5 – Published: 2025-07-23 20:35 – Updated: 2025-07-23 20:49
    Title
    authentik has an insufficient check for account active status during OAuth/SAML authentication
    Summary
    authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but, crucially, they can authorize applications if they know the URL of the application. To work around this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression return request.context["pending_user"].is_active. This ensures that the policy only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Impacted products
    Vendor Product Version
    goauthentik authentik Affected: <= 2025.4.3, < 2025.4.4
    Affected: >= 2025.6.0-rc1, < 2025.6.4

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53942",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-23T20:49:20.375492Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-23T20:49:29.415Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authentik",
              "vendor": "goauthentik",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 2025.4.3, \u003c 2025.4.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2025.6.0-rc1, \u003c 2025.6.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. To workaround this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression of return request.context[\"pending_user\"].is_active. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-23T20:35:07.243Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9g4j-v8w5-7x42",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9g4j-v8w5-7x42"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/c3629d12bfe3d32d3dc8f85c0ee1f087a55dde8f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/c3629d12bfe3d32d3dc8f85c0ee1f087a55dde8f"
            },
            {
              "name": "https://github.com/goauthentik/authentik/commit/ce3f9e3763c1778bf3a16b98c95d10f4091436ab",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goauthentik/authentik/commit/ce3f9e3763c1778bf3a16b98c95d10f4091436ab"
            }
          ],
          "source": {
            "advisory": "GHSA-9g4j-v8w5-7x42",
            "discovery": "UNKNOWN"
          },
          "title": "authentik has an insufficient check for account active status during OAuth/SAML authentication"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-53942",
        "datePublished": "2025-07-23T20:35:07.243Z",
        "dateReserved": "2025-07-14T17:23:35.262Z",
        "dateUpdated": "2025-07-23T20:49:29.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }