SB2026052928 - Multiple vulnerabilities in authentik

Published: May 29, 2026

Security Bulletin ID SB2026052928
CSH Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33% (1 of 3)
Medium 67% (2 of 3)

Description

This security bulletin contains information about 3 vulnerabilities.


1) Incorrect authorization (CVE-ID: CVE-2026-49448)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote, unauthenticated attacker to bypass authentication.

The vulnerability exists due to missing authorization checks in SourceStageView.dispatch() and ChallengeStageView.post() when an empty POST request is handled while a Source stage is active in the flow. A remote attacker can send an empty POST request to the stage and bypass authentication.

Exploitation requires that a Source stage is bound to a flow, that the source exposes a ui_login_button, and that the attacker can reach the Source stage.


2) Improper access control (CVE-ID: CVE-2026-49443)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote authenticated user to authenticate as another user and gain that user's privileges.

The vulnerability exists due to improper access control in UserSourceConnectionSerializer and GroupSourceConnectionSerializer when handling API requests that modify source connection objects. A remote user who can edit a source connection can change its user or group field so that the connection points at a victim account; logging in through that source then authenticates the attacker as the victim with the victim's privileges.

Exploitation requires the ability to change a source connection object and an account at one of the configured upstream sources.
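The flaw class in item 2 is mass assignment of an ownership field: an API update path that writes whatever fields the client submits lets the owner of one source connection repoint it at another local account. The example below is added here and is not authentik's code; `SourceConnection`, `OWNER_READ_ONLY`, `login_via_source` and the user records are hypothetical stand-ins for the page's source connection objects and their serializer. It shows the permissive update beside a hardened one that restricts non-admins to their own connections and keeps the binding fields server-assigned, and then runs the source login path to show who the attacker ends up logged in as.

```python
"""Mass assignment of the ownership field on a source connection (illustrative).

Example code, not authentik's. Names and fields are hypothetical stand-ins.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    pk: int
    username: str
    is_superuser: bool = False


@dataclass
class SourceConnection:
    pk: int
    source: str          # slug of the upstream source (hypothetical)
    identifier: str      # subject/ID asserted by the upstream source
    user_pk: int         # local account this upstream identity logs in as
    enabled: bool = True  # hypothetical non-sensitive field an owner may edit


class Forbidden(PermissionError):
    pass


# Fields that bind an upstream identity to a local account. Non-admins must
# never be able to change these on an existing connection.
OWNER_READ_ONLY = frozenset({"user_pk", "source", "identifier"})


def update_connection_vulnerable(actor: User, conn: SourceConnection, payload: dict) -> SourceConnection:
    """Writes every submitted field, including user_pk. An attacker who owns one
    connection can repoint it at any local user (the flaw class in item 2)."""
    for field, value in payload.items():
        setattr(conn, field, value)
    return conn


def update_connection_hardened(actor: User, conn: SourceConnection, payload: dict) -> SourceConnection:
    """Only the owner or a superuser may edit; owners cannot touch binding fields."""
    if not actor.is_superuser:
        if conn.user_pk != actor.pk:
            raise Forbidden("connection belongs to another user")
        disallowed = OWNER_READ_ONLY & set(payload)
        if disallowed:
            raise Forbidden(f"read-only fields for owners: {sorted(disallowed)}")
    for field, value in payload.items():
        setattr(conn, field, value)
    return conn


def login_via_source(source: str, identifier: str,
                     connections: list[SourceConnection], users: dict[int, User]) -> User:
    """Source login: map (source, upstream identifier) to the bound local user."""
    for conn in connections:
        if conn.source == source and conn.identifier == identifier and conn.enabled:
            return users[conn.user_pk]
    raise LookupError("no connection for this upstream identity")


def scenario(update) -> str:
    """Attacker (pk 1) has an upstream account; victim (pk 2) is a local admin.
    Returns the username the attacker is logged in as, or 'rejected'."""
    attacker = User(1, "mallory")
    victim = User(2, "alice", is_superuser=True)
    users = {1: attacker, 2: victim}
    conn = SourceConnection(pk=10, source="corp-saml", identifier="mallory@idp.example", user_pk=1)
    try:
        # Constructed malicious update body: only the ownership field is changed.
        update(attacker, conn, {"user_pk": victim.pk})
    except Forbidden:
        return "rejected"
    return login_via_source("corp-saml", "mallory@idp.example", [conn], users).username


if __name__ == "__main__":
    print("vulnerable:", scenario(update_connection_vulnerable))
    print("hardened:  ", scenario(update_connection_hardened))
```

The check to carry over is the combination: an object-level ownership test on the connection being edited, plus a field-level rule that makes `user`/`group` (and whatever else binds the identity) read-only on update for anyone but an administrator.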


3) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-47201)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to authenticate as another federated user.

The vulnerability exists due to XML Signature Wrapping (XSW) in the SAML Source ACS endpoint when validating upstream SAML responses: the element whose signature is verified is not the element whose subject is consumed. A remote user can submit a crafted SAML response that keeps a valid signed assertion, so the signature check passes, while adding a forged assertion for a different subject, and thereby authenticate as another federated user.

The issue affects deployments that use a SAML Source for upstream SAML federation with signed assertions, or with signed responses whose assertions are not themselves signed.
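The defence against the wrapping described in item 3 is structural: before any cryptographic check, pin down which single element the signature covers and consume the subject from that element only. The code below is an added example, not authentik's or any SAML library's code, written with the Python standard library. The SAML documents are constructed inline (signature values are placeholders) and the function names are hypothetical. It rejects a response carrying more than one assertion, duplicate ID attributes, a signature whose Reference does not point at the element enveloping it, and an assertion that sits outside a signed Response; a real ACS endpoint must still run signature verification (for example with xmlsec) over exactly the element this check returns.

```python
"""Structural pre-check against XML Signature Wrapping on a SAML Response.

Example code, not authentik's. Cryptographic verification must still run
afterwards over exactly the element returned by signed_assertion().
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


class WrappingRejected(ValueError):
    """The Response has no single, unambiguous, signed assertion."""


def _enveloped_signature(elem):
    # Only a ds:Signature that is a direct child of elem counts as covering it.
    return elem.find(f"{{{DS}}}Signature")


def _reference_uri(signature) -> str:
    refs = signature.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        raise WrappingRejected(f"expected one ds:Reference, found {len(refs)}")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        raise WrappingRejected(f"unsupported Reference URI {uri!r}")
    return uri[1:]


def signed_assertion(response_xml: str) -> ET.Element:
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise WrappingRejected("root element is not samlp:Response")

    # Rule 1: IDs are unique. Duplicate IDs make the verifier and the consumer
    # resolve the same URI to different nodes.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise WrappingRejected("duplicate ID attributes in Response")

    # Rule 2: exactly one Assertion anywhere in the document.
    assertions = root.findall(f".//{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise WrappingRejected(f"expected one Assertion, found {len(assertions)}")
    assertion = assertions[0]

    # Rule 3: the signature is enveloped in the element it covers (Assertion
    # preferred, else the Response) and its Reference names that element's ID.
    for covered in (assertion, root):
        sig = _enveloped_signature(covered)
        if sig is not None:
            break
    else:
        raise WrappingRejected("no enveloped ds:Signature on Assertion or Response")
    if _reference_uri(sig) != covered.get("ID"):
        raise WrappingRejected("Reference URI does not name the enveloping element")

    # Rule 4: with only the Response signed, the Assertion must be its direct
    # child, i.e. inside the signed subtree rather than an unsigned wrapper.
    if covered is root and assertion not in list(root):
        raise WrappingRejected("Assertion is not a direct child of the signed Response")
    return assertion


def subject_name_id(response_xml: str) -> str:
    """The identity to act on, taken only from the vetted assertion."""
    name_id = signed_assertion(response_xml).find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not name_id.text:
        raise WrappingRejected("assertion has no Subject/NameID")
    return name_id.text.strip()


def rejects(response_xml: str) -> bool:
    try:
        subject_name_id(response_xml)
    except WrappingRejected:
        return True
    return False


# Constructed samples below; SignatureValue is a placeholder, not a real signature.
_NS = f'xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"'


def _sig(ref_id: str) -> str:
    return (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{ref_id}"/></ds:SignedInfo>'
            f'<ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>')


def _assertion(aid: str, name_id: str, signed: bool) -> str:
    return (f'<saml:Assertion ID="{aid}" Version="2.0">{_sig(aid) if signed else ""}'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>')


GOOD = f'<samlp:Response {_NS} ID="_r1" Version="2.0">{_assertion("_a1", "alice@example.org", True)}</samlp:Response>'
RESPONSE_SIGNED = f'<samlp:Response {_NS} ID="_r1" Version="2.0">{_sig("_r1")}{_assertion("_a1", "alice@example.org", False)}</samlp:Response>'
# XSW: the valid signed assertion is retained, a forged unsigned one for another subject is prepended.
WRAPPED = f'<samlp:Response {_NS} ID="_r1" Version="2.0">{_assertion("_evil", "admin@example.org", False)}{_assertion("_a1", "alice@example.org", True)}</samlp:Response>'
# Single assertion whose enveloped signature references a different element (the Response).
MISMATCH = f'<samlp:Response {_NS} ID="_r1" Version="2.0"><saml:Assertion ID="_evil" Version="2.0">{_sig("_r1")}<saml:Subject><saml:NameID>admin@example.org</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>'
```

The last line of defence is ordering: resolve the signed element first, verify its signature, and read the subject from that very element. Reading the subject with a generic search (the first `Assertion` in document order) and verifying whichever signature validates is what makes wrapping possible.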


Remediation

Install the update from the vendor's website.