VYPR
Unrated severityNVD Advisory· Published Feb 12, 2026· Updated Feb 17, 2026

authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint

CVE-2026-25227

Description

authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • authentik/authentikllm-fuzzy2 versions
    >=2021.3.1, <2025.8.6 || >=2021.3.1, <2025.10.4 || >=2021.3.1, <2025.12.4+ 1 more
    • (no CPE)range: >=2021.3.1, <2025.8.6 || >=2021.3.1, <2025.10.4 || >=2021.3.1, <2025.12.4
    • (no CPE)range: >= 2021.3.1, < 2025.8.6
  • osv-coords
    Range: >= 2021.3.1, < 2025.8.6

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.