SB20260512112 - Multiple vulnerabilities in authentik
Published: May 12, 2026
Description
This security bulletin contains information about 7 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-42849)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform cross-site scripting and hijack the session.
The vulnerability exists due to cross-site scripting in the AutosubmitStage in the SFE (Simple Flow Executor) when handling malicious input values in OAuth2 provider parameters. A remote attacker can supply a crafted redirect_uri or state value to perform cross-site scripting and hijack the session.
User interaction is required, and exploitation is possible when an OAuth2 provider is configured.
2) Input validation error (CVE-ID: CVE-2026-41569)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive authentication information.
The vulnerability exists due to improper input validation in the WS-Federation provider when processing a user-supplied wreply parameter. A remote attacker can craft a login link with an attacker-controlled wreply value to disclose sensitive authentication information.
Only WS-Federation providers with a prefix-ambiguous Reply URL are affected, and the victim's browser must follow the crafted login link.
3) Input validation error (CVE-ID: CVE-2026-40165)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to gain access to other user accounts.
The vulnerability exists due to improper input validation in the SAML NameID value extraction logic when processing a SAML assertion. A remote attacker can inject an XML comment into the NameID value to gain access to other user accounts.
Exploitation requires an authentik instance configured with a SAML Source, XML signing enabled, and an attacker-controlled account on the SAML Source that can modify its NameID value.
4) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authentication and access protected backend resources.
The vulnerability exists due to improper access control in the authentik outpost nginx forward-auth integration when processing a client-controlled X-Original-URI header. A remote attacker can send a specially crafted HTTP request with an injected X-Original-URI header to bypass authentication and access protected backend resources.
Only deployments using authentik's nginx forward-auth integration are affected; Traefik, Caddy, and proxy mode deployments are not affected.
5) Incorrect authorization (CVE-ID: CVE-2026-40166)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the /api/v3/oauth2/access_tokens/ endpoint when handling authenticated GET requests for OAuth2 access tokens. A remote user can retrieve an access token object containing a nested provider object with client_secret values to disclose sensitive information.
Exposure is limited to confidential OAuth2 providers the user has previously authenticated against and for which the user has at least one access token.
6) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the OAuth2/OpenID Connect provider configuration handling when processing the first authorization request for a provider with no redirect URIs configured. A remote attacker can send an authorization request with an attacker-controlled redirect_uri to disclose sensitive information.
User interaction is required to complete a legitimate OAuth2 flow after the redirect URI has been poisoned, and the impact extends to relying party applications because authorization codes can be redirected outside the identity provider's security scope.
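Items 2 and 6 are both return-URL validation failures: a prefix-ambiguous Reply URL comparison (item 2) and accepting a redirect_uri when none has been configured (item 6). The following validator is an added example of how a defender would check such a parameter, not authentik's code or its fix; the allow-list entries and candidate URLs are constructed, and the function names are this example's own.

```python
import posixpath
from urllib.parse import urlsplit, unquote


def naive_prefix_match(candidate, allowed):
    """The prefix-ambiguous check: a plain string prefix comparison, which
    accepts any host whose name merely begins with the configured one."""
    return any(candidate.startswith(entry) for entry in allowed)


def _parts(url):
    """Return (scheme, host, port, normalised path), or None if unparsable."""
    try:
        s = urlsplit(url)
        port = s.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if s.scheme not in ("http", "https") or not s.hostname:
        return None
    # Decode, then collapse '.' and '..' segments so traversal cannot escape
    # the allowed path; normpath also drops a trailing slash.
    path = posixpath.normpath(unquote(s.path) or "/")
    return (s.scheme, s.hostname.lower(), port, path)


def validate_return_url(candidate, allowed):
    """Structural allow-list check for a redirect/return URL.

    - An empty allow-list rejects everything: the first request seen is never
      used to "learn" a redirect target.
    - scheme, host and port must match exactly (host compared by hostname, so
      userinfo tricks such as allowed-host@attacker are not fooled).
    - the path must equal the allowed path or extend it at a '/' boundary.
    """
    if not allowed:
        return False
    c = _parts(candidate)
    if c is None:
        return False
    for entry in allowed:
        a = _parts(entry)
        if a is None or c[:3] != a[:3]:
            continue
        if c[3] == a[3] or a[3] == "/" or c[3].startswith(a[3] + "/"):
            return True
    return False
```

The query string is deliberately ignored in the comparison: callers legitimately append code and state parameters, and the security boundary is the origin and path, not the query.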
7) Improper privilege management (CVE-ID: CVE-2026-40172)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper privilege management in UserSerializer and the PATCH /api/v3/core/users/{pk}/ endpoint when processing user update requests that assign groups. A remote user can send a crafted PATCH request to assign a target user to groups with superuser privileges to escalate privileges.
The issue is exploitable by callers holding the change_user permission on a target user: such a caller can add themselves, or any other user they are permitted to change, to superuser groups without holding enable_group_superuser.
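The rule behind item 7 is that permission to change a user must not imply permission to grant that user superuser rights. The following is an added, self-contained model of that authorization check, not authentik's serializer or its fix; the dataclasses, the make_caller helper and the object-level changeable_users grant are this example's own assumptions, and the permission names are the two the bulletin mentions, treated as plain strings.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Group:
    name: str
    is_superuser: bool = False


@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)


@dataclass
class Caller:
    user: User
    # Global permission names; 'change_user' and 'enable_group_superuser' are
    # the names the bulletin mentions, modelled here as plain strings.
    permissions: frozenset = frozenset()
    # Hypothetical object-level grant: usernames this caller may change.
    changeable_users: frozenset = frozenset()


# Constructed fixtures for the example.
SUPERUSERS = Group("superusers", is_superuser=True)
STAFF = Group("staff")
ALICE = User("alice", {STAFF})


def make_caller(username, *permissions, changeable=()):
    return Caller(User(username), frozenset(permissions), frozenset(changeable))


def can_change_user(caller, target):
    return ("change_user" in caller.permissions
            or target.username in caller.changeable_users)


def validate_group_assignment(caller, target, requested_groups):
    """Decide whether `caller` may set `target`'s groups to `requested_groups`.

    Returns a list of denial reasons; an empty list means the update is allowed.
    Being allowed to change a user never implies being allowed to hand that
    user (or yourself) superuser rights: that needs a separate permission,
    checked against the groups being *added*, whoever the target is.
    """
    reasons = []
    if not can_change_user(caller, target):
        reasons.append("caller lacks change_user on target")
        return reasons
    added = set(requested_groups) - target.groups
    if (any(g.is_superuser for g in added)
            and "enable_group_superuser" not in caller.permissions):
        reasons.append("adding a superuser group requires enable_group_superuser")
    return reasons
```

The check is keyed on the privilege of the groups being added, not on who the target is, which is what closes the self-escalation path as well as the escalation of another permitted user.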
Remediation
Install the updates from the vendor's website.
References
- https://github.com/goauthentik/authentik/security/advisories/GHSA-pgff-5mx8-fqj3
- https://github.com/goauthentik/authentik/security/advisories/GHSA-995q-72cw-cfw3
- https://github.com/goauthentik/authentik/security/advisories/GHSA-9wj8-xv4r-qwrp
- https://github.com/goauthentik/authentik/security/advisories/GHSA-5wcc-hf24-rf5h
- https://github.com/goauthentik/authentik/security/advisories/GHSA-hhpc-rqgm-pxj4
- https://github.com/goauthentik/authentik/security/advisories/GHSA-3wf5-rj6w-7527
- https://github.com/goauthentik/authentik/security/advisories/GHSA-h6x7-hjjc-wjc9