SB20260423142 - Multiple vulnerabilities in authentik
Published: April 23, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-25922)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to authenticate as any existing user.
The vulnerability exists due to improper verification of cryptographic signatures when a SAML source processes an incoming SAML response. A response that places an unsigned, attacker-controlled assertion ahead of the legitimately signed assertion is accepted: the signature check is satisfied by the later, signed assertion while the identity is read from the first one. A remote user who can obtain a signed assertion from the configured identity provider can inject an additional assertion to authenticate as any existing user.
Exploitation is possible only when the SAML source verifies assertion signatures but not the signature over the whole response, or when no encryption certificate is configured. A response-level signature covers every assertion in the response at once, which is why enabling it blocks the attack.
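The pattern behind the first issue, as an added example that is not authentik's code: a toy SAML consumer that checks whether some assertion in the response carries a valid signature and then reads the subject from the first assertion, next to a hardened consumer that only trusts the identity carried by the assertion whose own signature verified. The `ds:Signature` is an HMAC over a canonical serialisation standing in for XMLDSig, the key and the sample responses are constructed, and none of the function or variable names are authentik's.

```python
"""Toy model of SAML assertion selection vs. signature verification.

Added example, not authentik's code. The ds:Signature is an HMAC over a
canonical serialisation of the assertion (a stand-in for XMLDSig), the key
is constructed, and the responses model the shape the bulletin describes.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}

# Constructed key: stands in for the IdP signing certificate the SP trusts.
IDP_KEY = b"constructed-idp-signing-key"


def _canonical(assertion: ET.Element) -> bytes:
    """Serialise an assertion with its own Signature element removed (toy C14N)."""
    node = copy.deepcopy(assertion)
    node.tail = None
    for sig in node.findall("ds:Signature", NS):
        node.remove(sig)
    return ET.tostring(node)


def _toy_sign(assertion_xml: str) -> str:
    return hmac.new(IDP_KEY, _canonical(ET.fromstring(assertion_xml)), hashlib.sha256).hexdigest()


def build_assertion(assertion_id: str, name_id: str, sign: bool) -> str:
    """Constructed assertion; when sign=True an enveloped toy Signature is added."""
    body = (f'<saml:Assertion xmlns:saml="{SAML}" ID="{assertion_id}">'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            '</saml:Assertion>')
    if not sign:
        return body
    signature = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
                 f'<ds:Reference URI="#{assertion_id}"/></ds:SignedInfo>'
                 f'<ds:SignatureValue>{_toy_sign(body)}</ds:SignatureValue></ds:Signature>')
    return body.replace("</saml:Assertion>", signature + "</saml:Assertion>")


def build_response(*assertions: str) -> str:
    return f'<samlp:Response xmlns:samlp="{SAMLP}">' + "".join(assertions) + "</samlp:Response>"


def signature_is_valid(assertion: ET.Element) -> bool:
    """True only if this assertion carries a Signature whose Reference points at
    its own ID and whose value matches its canonical content."""
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        return False
    value = sig.findtext("ds:SignatureValue", default="", namespaces=NS)
    expected = hmac.new(IDP_KEY, _canonical(assertion), hashlib.sha256).hexdigest()
    return hmac.compare_digest(value, expected)


def vulnerable_subject(response_xml: str) -> str:
    """Vulnerable pattern: accept the response if *any* assertion verifies,
    then read the identity from the *first* assertion."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if not any(signature_is_valid(a) for a in assertions):
        raise ValueError("no validly signed assertion")
    return assertions[0].findtext("saml:Subject/saml:NameID", namespaces=NS)


def hardened_subject(response_xml: str) -> str:
    """Hardened: exactly one assertion, and the identity is read only from the
    assertion whose own signature verified."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one assertion, got {len(assertions)}")
    assertion = assertions[0]
    if not signature_is_valid(assertion):
        raise ValueError("assertion signature missing or invalid")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    legit = build_response(build_assertion("_a1", "alice", sign=True))
    forged = build_response(build_assertion("_x1", "admin", sign=False),
                            build_assertion("_a1", "alice", sign=True))
    print(vulnerable_subject(legit), hardened_subject(legit))
    print("vulnerable consumer accepts forged response as:", vulnerable_subject(forged))
    try:
        hardened_subject(forged)
    except ValueError as exc:
        print("hardened consumer rejected forged response:", exc)
```

The forged response is accepted by the vulnerable consumer as `admin` although only `alice`'s assertion is signed; the hardened consumer rejects it for carrying two assertions, and rejects a lone unsigned or tampered assertion as well. Verifying the response-level signature, as the bulletin notes, closes the same gap one layer up, because that signature covers every assertion in the response at once.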
2) Code Injection (CVE-ID: CVE-2026-25227)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote privileged user to execute arbitrary code on the server.
The vulnerability exists due to improper control of code generation in the policy/property mapping test endpoint. The endpoint evaluates the expression it is asked to test for an expression policy or property mapping, so a remote user with a limited administrative role can send a specially crafted test request and have arbitrary code executed in the authentik process.
Exploitation requires delegated permissions that grant the ability to view property mappings or expression policies; the right to view these objects is effectively the right to run code. The executed code runs with the application's privileges and can read the entire authentik database and the process environment variables.
3) Improper Authentication (CVE-ID: CVE-2026-25748)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authentication and gain access to the protected application.
The vulnerability exists due to improper authentication in the Proxy Provider's forward authentication handling when it is deployed behind Traefik or Caddy. A malformed session cookie is not handled correctly, and a remote unauthenticated attacker can send such a cookie to bypass authentication and reach the application behind the proxy.
The impact depends on the behaviour of the applications behind the Proxy Provider, in particular whether they require an X-Authentik identity header to be present on every request. Applications that refuse requests lacking the header are not exposed; applications that trust the proxy's routing decision alone are.
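The mitigating condition the bulletin mentions for the third issue, as an added example that is neither authentik's nor Traefik's or Caddy's code: a WSGI middleware for the application behind the Proxy Provider that refuses any request arriving without the forwarded identity header. `X-authentik-username` is assumed here to be the identity header the Proxy Provider sets on authenticated requests; the demo application, the request builder and the check itself are this example's own.

```python
"""Defence in depth for an application behind a forward-auth proxy.

Added example, not authentik's code. X-authentik-username is assumed to be
the identity header the Proxy Provider forwards; the WSGI middleware below
rejects any request that reaches the application without it, so a request
that got past the proxy without being authenticated is stopped here.
"""

# WSGI spells HTTP header X-authentik-username as HTTP_X_AUTHENTIK_USERNAME.
IDENTITY_HEADER = "HTTP_X_AUTHENTIK_USERNAME"


def require_forward_auth_identity(app):
    """Wrap a WSGI app so that requests without a non-empty identity header get 401."""
    def middleware(environ, start_response):
        user = environ.get(IDENTITY_HEADER, "").strip()
        if not user:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"missing forward-auth identity\n"]
        return app(environ, start_response)
    return middleware


def demo_app(environ, start_response):
    """Constructed application: echoes the identity the proxy forwarded."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ[IDENTITY_HEADER]}\n".encode()]


def invoke(app, headers):
    """Run a WSGI app on a constructed GET / carrying the given HTTP headers.
    Returns (status, body) so the behaviour can be asserted without a server."""
    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_NAME": "app",
        "SERVER_PORT": "80", "SERVER_PROTOCOL": "HTTP/1.1", "wsgi.url_scheme": "http",
    }
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    protected = require_forward_auth_identity(demo_app)
    print(invoke(protected, {"X-authentik-username": "alice"}))
    print(invoke(protected, {}))
    print(invoke(protected, {"X-authentik-username": "   "}))
```

This is defence in depth, not a replacement for the vendor update. It assumes the proxy copies the identity header from the outpost's authentication response onto the forwarded request (Traefik's `forwardAuth` middleware does this through `authResponseHeaders`, Caddy's `forward_auth` through `copy_headers`) and never passes a client-supplied copy of the header through to the application. With that in place, a request that reaches the application without an authenticated identity is dropped however it got past the proxy.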
Remediation
Install the update from the vendor's website.