SB20260423142 - Multiple vulnerabilities in authentik

Published: April 23, 2026

Security Bulletin ID: SB20260423142
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 33%, Medium 33%, Low 33%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-25922)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to authenticate as any existing user.

The vulnerability exists due to improper verification of cryptographic signature in the SAML source assertion processing when handling a SAML response containing a malicious assertion before a signed assertion. A remote user can inject a malicious assertion to authenticate as any existing user.

Exploitation is possible when assertion signature verification is enabled without response signature verification, or when the encryption certificate is not configured.
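As an added illustration of the bug class behind vulnerability 1 (this is not code from the bulletin or from authentik), the script below builds a response in which an unsigned assertion precedes the genuinely signed one, and contrasts a verifier that trusts the first assertion in document order with one that only accepts the assertion the verified signature actually covers. XMLDSig is replaced by an HMAC over the assertion's serialized bytes so the script runs offline; the key, IDs and subjects are all constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-idp-signing-key"  # stand-in for the IdP's private key
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _canon(assertion):
    # Toy canonicalization: the assertion's bytes with its own Signature child removed.
    clone = ET.fromstring(ET.tostring(assertion))
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return ET.tostring(clone)

def build_response(user, injected=None):
    """Constructed SAML Response: one assertion properly signed for `user`,
    optionally preceded by an unsigned assertion naming `injected`."""
    def assertion(aid, name):
        return ('<saml:Assertion xmlns:saml="%s" ID="%s"><saml:Subject>'
                '<saml:NameID>%s</saml:NameID></saml:Subject></saml:Assertion>'
                % (NS["saml"], aid, name))
    mac = hmac.new(KEY, _canon(ET.fromstring(assertion("a-signed", user))),
                   hashlib.sha256).hexdigest()
    sig = ('<ds:Signature xmlns:ds="%s"><ds:Reference URI="#a-signed"/>'
           '<ds:SignatureValue>%s</ds:SignatureValue></ds:Signature>' % (NS["ds"], mac))
    body = assertion("a-signed", user).replace("</saml:Assertion>", sig + "</saml:Assertion>")
    if injected:
        body = assertion("a-evil", injected) + body  # unsigned assertion placed first
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
            '%s</samlp:Response>' % body)

def _verified(assertion):
    """True only if this assertion carries a signature whose Reference points at
    this very assertion and whose value matches the assertion's own bytes."""
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return False
    expected = hmac.new(KEY, _canon(assertion), hashlib.sha256).hexdigest()
    return (sig.find("ds:Reference", NS).get("URI") == "#" + assertion.get("ID")
            and hmac.compare_digest(sig.findtext("ds:SignatureValue", namespaces=NS), expected))

def vulnerable_subject(xml):
    """Bug shape: confirms that *some* assertion is validly signed, then trusts
    the first assertion in document order."""
    assertions = ET.fromstring(xml).findall("saml:Assertion", NS)
    if not any(_verified(a) for a in assertions):
        return None
    return assertions[0].findtext("saml:Subject/saml:NameID", namespaces=NS)

def hardened_subject(xml):
    """Fix shape: a single assertion, and it must be the one the signature covers."""
    assertions = ET.fromstring(xml).findall("saml:Assertion", NS)
    if len(assertions) != 1 or not _verified(assertions[0]):
        return None
    return assertions[0].findtext("saml:Subject/saml:NameID", namespaces=NS)
```

Requiring the response itself to be signed, as the bulletin's exploitation condition implies, closes the same gap one layer up, since an attacker cannot then add an assertion without breaking the outer signature.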


2) Code Injection (CVE-ID: CVE-2026-25227)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the policy/property mapping test endpoint when handling test requests for expression policies or property mappings. A remote privileged user can send a specially crafted request to execute arbitrary code.

Exploitation requires delegated permissions that grant the ability to view property mappings or expression policies, and the executed code can access the entire authentik database and environment variables.


3) Improper Authentication (CVE-ID: CVE-2026-25748)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass authentication and gain access to the application.

The vulnerability exists due to improper authentication in the Proxy Provider forward authentication handling when processing a malformed session cookie behind Traefik or Caddy. A remote attacker can send a malformed session cookie to bypass authentication and gain access to the application.

Exploitation depends on the behavior of applications behind the Proxy Provider, particularly whether they require an X-Authentik header to be present.


Remediation

Install the update from the vendor's website.