SB2026052928 - Multiple vulnerabilities in authentik
Published: May 29, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2026-49448)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper access control in SourceStageView.dispatch() and ChallengeStageView.post() when handling an empty POST request while the Source stage is active. A remote attacker can send an empty POST request to bypass authentication.
Exploitation is possible when a Source stage is bound to a flow, the source exposes a ui_login_button, and the attacker can reach the Source stage.
2) Improper access control (CVE-ID: CVE-2026-49443)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to authenticate as another user and gain that user's privileges.
The vulnerability exists due to improper access control in UserSourceConnectionSerializer and GroupSourceConnectionSerializer when handling API requests that modify source connection objects. A remote user can modify the user or group fields in a source connection to authenticate as a victim account and gain that user's privileges.
Exploitation requires the ability to change a source connection object and access to an account in one of the configured sources.
3) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-47201)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to authenticate as another federated user.
The vulnerability exists due to XML signature wrapping in the SAML Source ACS endpoint when validating upstream SAML responses. A remote user can submit a crafted SAML response that contains a forged assertion alongside a reused, validly signed assertion, so that the signature check passes against the genuine assertion while the forged one is consumed, allowing the attacker to authenticate as another federated user.
The issue affects deployments using a SAML Source for upstream SAML federation with signed assertions, or signed responses without signed assertions.
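Added illustration, not authentik's own code: the structural check a SAML consumer needs next to cryptographic signature verification, so that the assertion it acts on is the only Assertion in the message and the one the signature's ds:Reference actually covers. It handles both an enveloped assertion signature and a Response-level signature. Element IDs, NameID values and the stubbed Signature bodies are constructed for the example; cryptographic verification is assumed to happen separately.

```python
# Added illustrative check (not authentik's code): the assertion a SAML consumer
# acts on must be the only Assertion in the message and the one the Signature's
# ds:Reference covers. Cryptographic verification is assumed to happen separately.
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted XML

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def trusted_assertion(response_xml: str) -> ET.Element:
    """Return the single Assertion the signature covers; raise ValueError otherwise."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root is not samlp:Response")
    # IDs must be unique: a second element reusing the signed ID is a wrapping hint.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes")
    # Exactly one Assertion anywhere in the document, and it must be a direct child.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1 or assertions[0] not in list(root):
        raise ValueError("expected exactly one Assertion directly under Response")
    assertion = assertions[0]
    # Enveloped Signature on the Assertion or on the Response: its one Reference
    # must point at the ID of the very element that encloses the Signature.
    for signed in (assertion, root):
        sig = signed.find("ds:Signature", NS)
        if sig is None:
            continue
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if len(refs) == 1 and refs[0].get("URI") == "#" + (signed.get("ID") or ""):
            return assertion
        raise ValueError("signature Reference does not cover the element enclosing it")
    raise ValueError("neither Response nor Assertion carries a Signature")

# Constructed sample messages (not real traffic); Signature bodies are stubbed.
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
       '<ds:Reference URI="#{id}"/></ds:SignedInfo></ds:Signature>')
def _assertion(aid, name, signed):
    return (f'<saml:Assertion ID="{aid}">{SIG.format(id=aid) if signed else ""}'
            f'<saml:Subject><saml:NameID>{name}</saml:NameID></saml:Subject></saml:Assertion>')
def _response(*assertions, sign=False):
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
            + (SIG.format(id="_r1") if sign else "") + "".join(assertions) + "</samlp:Response>")
CLEAN = _response(_assertion("_a1", "alice@example.test", True))
RESPONSE_SIGNED = _response(_assertion("_a1", "alice@example.test", False), sign=True)
# Wrapped: an unsigned forged assertion placed next to the genuinely signed one.
WRAPPED = _response(_assertion("_x1", "admin@example.test", False),
                    _assertion("_a1", "alice@example.test", True))
```

The check accepts CLEAN and RESPONSE_SIGNED and rejects WRAPPED before any signature is evaluated, which is the property the ACS endpoint needs regardless of which element the upstream IdP signs.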
Remediation
Install the update from the vendor's website.