Authentik Identity Provider: Six Vulnerabilities Disclosed Together

Key findings
- Six vulnerabilities in authentik disclosed on June 2, 2026, including two critical and three high-severity flaws.
- Critical flaws include an authentication bypass via empty POST and an XSS exploit in the AutosubmitStage.
- High-severity issues involve account takeover through source connection manipulation and SAML/WS-Federation vulnerabilities.
- Patches are available in various versions including 2025.12.x, 2026.2.x, and 2026.5.x.
- The vulnerabilities affect authentication, SAML, and WS-Federation processing within the identity provider.
On June 2, 2026, a cluster of six security vulnerabilities affecting the open-source authentik identity provider was disclosed, spanning critical, high, and medium severity ratings. The disclosures, all occurring within a one-hour window, highlight potential weaknesses in authentication flows and SAML/WS-Federation handling within the platform.
Two critical vulnerabilities were detailed, including CVE-2026-49448 (CVSS 9.8), which allows for a bypass of the Source stage by sending an empty POST request. This bypass could potentially lead to unauthorized access or manipulation of identity provider configurations. The second critical flaw, CVE-2026-42849 (CVSS 9.3), stems from an XSS exploit within the AutosubmitStage, facilitated by legacy browser compatibility measures in the Simple Flow Executor (SFE).
Several high-severity vulnerabilities were also part of this disclosure. CVE-2026-49443 (CVSS 8.8) describes a scenario where an attacker with the ability to modify a source connection and an account in a configured source can log into any account within the system. Additionally, CVE-2026-47201 (CVSS 8.5) points to a vulnerability in the SAML Source ACS endpoint, susceptible to XML Signature Wrapping attacks, allowing an attacker with an upstream IdP account to authenticate as any user. Another high-severity issue, CVE-2026-41577 (CVSS 7.5), involves the SAML source response processor failing to validate the Conditions element on assertions, enabling the replay of expired assertions.
A medium-severity vulnerability, CVE-2026-41569 (CVSS 6.1), was also disclosed. This flaw affects the WS-Federation provider, which validates the user-supplied 'wreply' parameter using a simple prefix check instead of proper URL parsing. This could allow an attacker to craft a login link and supply a 'wreply' value on a different origin that bypasses the intended security checks.
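To make the 'wreply' defect class concrete, here is an added illustration (not authentik's code) of the weak string-prefix comparison placed next to a check that parses the URL and compares its origin; the allow-list entry and test inputs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allow-list for a hypothetical WS-Federation relying party;
# this is not authentik's configuration format.
ALLOWED_REPLY_URLS = ["https://app.example.com"]


def wreply_allowed_by_prefix(wreply: str) -> bool:
    """Weak pattern: a plain string-prefix comparison.

    Any value whose text merely begins with an allowed URL passes, even
    when the host that would actually receive the redirect is different.
    """
    return any(wreply.startswith(allowed) for allowed in ALLOWED_REPLY_URLS)


def origin_of(url: str):
    """Return (scheme, host, port) for an absolute http(s) URL, or None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def wreply_allowed_by_origin(wreply: str) -> bool:
    """Hardened pattern: parse both sides and compare origins exactly.

    Rejects relative or non-http(s) values, any scheme/host/port mismatch,
    and URLs carrying userinfo (the part before '@'), which can make the
    text look like an allowed host while pointing elsewhere.
    """
    candidate = origin_of(wreply)
    if candidate is None or urlsplit(wreply).username is not None:
        return False
    return any(candidate == origin_of(allowed) for allowed in ALLOWED_REPLY_URLS)
```

Deployments that also want to pin the path can extend the origin tuple with a normalised path prefix; the origin comparison is the part the prefix check lacks.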
Patches for these vulnerabilities have been released by the authentik team. Specific versions addressed include 2025.12.6, 2026.2.4, and 2026.5.1 for CVE-2026-49448 and CVE-2026-49443. For CVE-2026-47201, CVE-2026-42849, and CVE-2026-41577, versions 2025.12.5 and 2026.2.3 are noted as patched, with 2026.5.1 also mentioned for CVE-2026-47201. CVE-2026-41569 was patched in version 2026.2.3.
Users of the authentik identity provider are strongly advised to review the specific versioning information for each vulnerability and apply the relevant security updates promptly. The simultaneous disclosure of these issues underscores the importance of maintaining up-to-date security configurations and applying patches as soon as they become available to mitigate potential risks.