SB20260512114 - Insufficient verification of data authenticity in authentik



SB20260512114 - Insufficient verification of data authenticity in authentik

Published: May 12, 2026

Security Bulletin ID SB20260512114
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Insufficient verification of data authenticity (CVE-ID: CVE-2026-41577)

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to replay expired SAML assertions and authenticate with assertions intended for other service providers.

The vulnerability exists due to insufficient verification of data authenticity in ResponseProcessor.parse() when processing SAML assertions. A remote user can submit a previously valid SAML assertion to replay expired assertions and authenticate with assertions intended for other service providers.

The Conditions element is not validated, and the NotBefore, NotOnOrAfter, and AudienceRestriction fields are ignored.


Remediation

Install update from vendor's website.