VYPR
Critical severity 9.8 · NVD Advisory · Published Jun 2, 2026

CVE-2026-49448

Description

authentik's Source stage can be bypassed by an empty POST request, allowing attackers to skip authentication and proceed to the next stage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Source stage in authentik, an open-source identity provider, is vulnerable to bypass when an empty POST request is sent. This allows an attacker to proceed to the next stage of a flow without proper authentication. This issue affects versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 [1].

Exploitation

An attacker can exploit this vulnerability by sending an empty POST request to the flow executor URL when the Source stage is active. Normally, this stage would redirect the user to an external IdP for authentication. However, by sending an empty POST, the flow executor bypasses the intended authentication process and advances to the next stage [1].

Impact

Successful exploitation of this vulnerability allows an attacker to bypass the Source stage of an authentik flow. This can lead to unauthorized progression through authentication flows, potentially resulting in the attacker gaining access to subsequent stages or resources without completing the required authentication steps [1].

Mitigation

This vulnerability has been patched in authentik versions 2025.12.6, 2026.2.4, and 2026.5.1. Users are advised to upgrade to one of these fixed versions to mitigate the risk [1].

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The Source stage incorrectly advances the flow when an empty POST request is received."

Attack vector

An attacker can bypass the Source stage by sending an empty POST request to the flow executor URL. This bypass occurs when the flow executor receives a POST request while the SourceStage is current. Instead of validating a restore token, the system falls through to a default Django view dispatch, which then incorrectly validates an empty challenge response and advances the flow to the next stage, effectively skipping authentication at the source [1].

Affected code

The vulnerability lies within the SourceStage's handling of POST requests when no restore token is present. Specifically, the `SourceStageView.dispatch()` method falls through to `super().dispatch()`, which eventually leads to `ChallengeResponse(data={}).is_valid()` returning true, allowing the flow to advance incorrectly [1].

What the fix does

The patch ensures that an empty POST request to the Source stage does not result in advancing the flow. The advisory states that the issue is resolved in versions 2025.12.6, 2026.2.4, and 2026.5.1, implying that the logic handling POST requests within the Source stage has been corrected to properly validate incoming data and prevent unauthorized progression [1].
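To make the fallthrough in "Affected code" and the intent of the fix concrete, here is an added toy model in plain Python (not authentik's code; the class names, the session key and the return values are assumptions): a generic stage that accepts any challenge response whose serializer has no required fields, the vulnerable Source-stage override that falls through to it when no restore token is present, and a hardened override that only advances on a valid token and rejects any other POST.

```python
# Added toy model of the fallthrough described above; not authentik code.
# Class, key and return-value names are assumptions for illustration only.
from dataclasses import dataclass, field

RESTORE_TOKEN_KEY = "source_restore_token"  # assumed session key
VALID_TOKENS = {"tok-from-idp-callback"}    # constructed stand-in for DB-backed tokens

@dataclass
class Request:
    method: str
    data: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

class ChallengeResponse:
    """Models a serializer with no required fields: {} validates cleanly."""
    def __init__(self, data):
        self.data = data

    def is_valid(self):
        return True  # nothing is required, so an empty body is "valid"

class BaseStageView:
    """Generic stage handler: a valid challenge response advances the flow."""
    def dispatch(self, request):
        if request.method != "POST":
            return "challenge"
        if ChallengeResponse(data=request.data).is_valid():
            return "stage_ok"  # flow advances to the next stage
        return "stage_invalid"

def restore_token_ok(session):
    return session.get(RESTORE_TOKEN_KEY) in VALID_TOKENS

class VulnerableSourceStageView(BaseStageView):
    def dispatch(self, request):
        if RESTORE_TOKEN_KEY in request.session:
            return "stage_ok" if restore_token_ok(request.session) else "stage_invalid"
        # Bug: no token, so fall through to the generic handler, which accepts {}.
        return super().dispatch(request)

class HardenedSourceStageView(BaseStageView):
    def dispatch(self, request):
        # Only a restore token issued by the IdP callback may advance this stage.
        if restore_token_ok(request.session):
            return "stage_ok"
        if request.method == "POST":
            return "stage_invalid"  # an empty or forged POST never advances
        return "redirect_to_idp"  # GET: send the user to the external IdP
```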

Preconditions

  • Config: A flow must have the Source stage bound to it.
  • Input: The attacker must be able to send an empty POST request to the flow executor.

Reproduction

from django.urls import reverse

from authentik.core.tests.utils import create_test_flow, create_test_user
from authentik.flows.models import FlowDesignation, FlowStageBinding
from authentik.lib.generators import generate_id
from authentik.stages.identification.models import IdentificationStage, UserFields
from authentik.stages.source.models import SourceStage
from authentik.stages.user_login.models import UserLoginStage


# Method of an authentik FlowTestCase subclass; self.source is the SAML source
# configured in that test class's setUp(), which is not shown on this page.
def test_source_post_bypass(self):
    """CWE-863: empty POST to SourceStage must NOT advance the flow.

    With the vulnerability present this test FAILS at the final assertion
    because the client is logged in as `user` without ever touching the IdP.
    """
    user = create_test_user()
    flow = create_test_flow(FlowDesignation.AUTHENTICATION)
    FlowStageBinding.objects.create(
        target=flow,
        stage=IdentificationStage.objects.create(
            name=generate_id(),
            user_fields=[UserFields.USERNAME],
        ),
        order=0,
    )
    FlowStageBinding.objects.create(
        target=flow,
        stage=SourceStage.objects.create(name=generate_id(), source=self.source),
        order=5,
    )
    FlowStageBinding.objects.create(
        target=flow,
        stage=UserLoginStage.objects.create(name=generate_id()),
        order=10,
    )
    exec_url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})

    # 1) Start flow → identification challenge
    response = self.client.get(exec_url)
    self.assertStageResponse(response, flow, component="ak-stage-identification")

    # 2) Submit username only (Identification does not verify credentials)
    response = self.client.post(exec_url, data={"uid_field": user.username}, follow=True)
    self.assertEqual(response.status_code, 200)
    # Now positioned on SourceStage; legitimate path would redirect to SAML IdP.

    # 3) BYPASS: POST empty body instead of authenticating at the IdP
    response = self.client.post(exec_url, data={}, follow=True)
    self.assertEqual(response.status_code, 200)

    # Vulnerable behaviour: SourceStage returned stage_ok(), UserLoginStage ran,
    # and we are now authenticated as `user` with zero credentials presented.
    # A secure implementation would leave us unauthenticated here.
    self.assertFalse(
        self.client.session.get("_auth_user_id"),
        "SourceStage was bypassed: session authenticated without IdP interaction",
    )

[1]

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)
