SB20260512114 - Insufficient verification of data authenticity in authentik
Published: May 12, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Insufficient verification of data authenticity (CVE-ID: CVE-2026-41577)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to replay expired SAML assertions and authenticate with assertions intended for other service providers.
The vulnerability exists due to insufficient verification of data authenticity in ResponseProcessor.parse() when processing SAML assertions. A remote user can submit a previously valid SAML assertion to replay expired assertions and authenticate with assertions intended for other service providers.
The Conditions element is not validated, and the NotBefore, NotOnOrAfter, and AudienceRestriction fields are ignored.
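The check that a SAML service provider needs here, written as an added illustration for this bulletin and not taken from authentik's code or its fix: a validator for the Conditions element that rejects an assertion whose NotBefore/NotOnOrAfter window has passed (with a small, explicit clock-skew allowance) or whose AudienceRestriction does not name this service provider. The sample assertion, the `https://sp.example/...` and `https://idp.example/` identifiers, and the policy of rejecting assertions that carry no Conditions or no AudienceRestriction at all are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted XML in production

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _parse_time(value: str) -> datetime:
    # SAML timestamps are xs:dateTime in UTC, e.g. 2026-05-12T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_conditions(assertion_xml: str, expected_audience: str, now: datetime,
                        skew: timedelta = timedelta(seconds=30)) -> list[str]:
    """Return the reasons the assertion's Conditions are unacceptable (empty list means OK)."""
    problems = []
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        return ["Conditions element missing"]  # assumed policy: treat as untrusted
    not_before = cond.get("NotBefore")
    if not_before and now + skew < _parse_time(not_before):
        problems.append("assertion not yet valid (NotBefore)")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after and now - skew >= _parse_time(not_on_or_after):
        problems.append("assertion expired (NotOnOrAfter)")
    restrictions = cond.findall("saml:AudienceRestriction", SAML_NS)
    if not restrictions:
        problems.append("no AudienceRestriction present")  # assumed policy: require one
    # Several AudienceRestriction elements must all be satisfied; Audiences inside one are alternatives.
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", SAML_NS) if a.text]
        if expected_audience not in audiences:
            problems.append(f"audience mismatch: {audiences} does not include {expected_audience}")
    return problems


# Constructed sample assertion (Signature and Subject omitted; only the Conditions matter here).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0"
  IssueInstant="2026-05-12T10:00:00Z"><saml:Issuer>https://idp.example/</saml:Issuer>
  <saml:Conditions NotBefore="2026-05-12T10:00:00Z" NotOnOrAfter="2026-05-12T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>"""
OUR_SP = "https://sp.example/saml/metadata"          # assumed entity ID of this service provider
FRESH = datetime(2026, 5, 12, 10, 2, tzinfo=timezone.utc)  # inside the validity window
LATE = FRESH + timedelta(hours=1)                         # replay attempt after expiry

if __name__ == "__main__":
    print(validate_conditions(ASSERTION.format(audience=OUR_SP), OUR_SP, FRESH))   # []
    print(validate_conditions(ASSERTION.format(audience=OUR_SP), OUR_SP, LATE))    # expired
    print(validate_conditions(ASSERTION.format(audience="https://other-sp.example/"), OUR_SP, FRESH))
```

A processor that skips these checks, as the bulletin describes, accepts the second and third assertions exactly as it accepts the first.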
Remediation
Install the update from the vendor's website.