CVE-2026-49443

Vulnerability

Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the UserSourceConnectionSerializer and GroupSourceConnectionSerializer in authentik did not mark the user and group fields as read-only. This allowed modification of these fields through the API, enabling an attacker to associate a source connection with arbitrary users or groups [1].

Exploitation

An attacker requires the ability to change a source connection (e.g., add|change_usersourceconnection permission) and must have an account within one of the configured sources. The attacker can then modify a UserSourceConnection object to point to an administrative user's account and use their own source identifier. Subsequently, they can log in as the targeted administrative user [1].

Impact

By manipulating the UserSourceConnection.user or GroupSourceConnection.group fields, an attacker can impersonate any user or group. This allows them to authenticate as the victim through the specified source and identifier, gaining unauthorized access and potentially administrative privileges depending on the victim's account scope [1].

Mitigation

This vulnerability has been patched in authentik versions 2025.12.6, 2026.2.4, and 2026.5.1. Users are advised to upgrade to these fixed versions or later. No workarounds are mentioned in the available references [1].