SB20260717100 - Multiple vulnerabilities in authentik



SB20260717100 - Multiple vulnerabilities in authentik

Published: July 17, 2026

Security Bulletin ID SB20260717100
CSH Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 20% Medium 40% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 vulnerabilities.


1) Interpretation Conflict (CVE-ID: CVE-2026-57580)

CWE-ID: CWE-436 - Interpretation Conflict

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to authenticate as another user.

The vulnerability exists due to interpretation conflict in SAML NameID processing when handling a validly signed assertion containing an XML comment in the NameID. A remote attacker can insert an XML comment into a crafted NameID to authenticate as another user.

Only inbound SAML Sources configured with the non-default username or email user-matching mode are affected. Exploitation requires that the attacker has an account on the source IdP and can set their own NameID. The resulting account link persists for subsequent logins.


2) Improper access control (CVE-ID: CVE-2026-55106)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the LDAP Source debug API endpoint when handling diagnostic action requests. A remote attacker can send a crafted request to disclose sensitive information.

Only deployments with one or more LDAP Sources configured are vulnerable. The exposed data is limited to distinguished names of directory entries and the names of attributes present on them, but not attribute values.


3) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-61574)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key in the RAC endpoint list endpoint when handling requests for configured endpoints. A remote user can request the endpoint list to disclose sensitive information.

Only deployments using the enterprise Remote Access Control provider are affected, and credential exposure occurs when connection credentials are stored for endpoints.


4) Improper access control (CVE-ID: CVE-2026-54730)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass device-trust verification and authenticate from an unverified device.

The vulnerability exists due to improper access control in the Google Chrome device-trust stages when advancing the authentication flow. A remote user can submit the stage without completing device attestation to bypass device-trust verification and authenticate from an unverified device.

Exploitation requires access to an authentication flow that uses either an Endpoint stage backed by a Google Chrome connector set to required mode or the deprecated Google Chrome Device Trust Connector stage. Other authentication factors, if configured, remain in force.


5) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify or disable security event streams, delete streams, and cause a denial of service.

The vulnerability exists due to missing authorization in Shared Signals Framework stream management operations when handling requests for existing streams. A remote user can send requests to read, change, disable, or delete an application's event streams to modify or disable security event streams, delete streams, and cause a denial of service.

This affects only Enterprise deployments that use the Shared Signals Framework, where a provider is linked to an application as its backchannel provider and that application also issues access tokens to its users. On 2026.2, only stream deletion is reachable, while on 2026.5 the read, update, verify, and status operations are reachable.


Remediation

Install update from vendor's website.