Code Injection in authentik - CVE-2026-25227

Published: April 23, 2026


Vulnerability identifier: #VU127148
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-25227
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Authentik Security Inc
Affected software: authentik

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the policy/property mapping test endpoint when handling test requests for expression policies or property mappings. A remote privileged user can send a specially crafted request to execute arbitrary code.

Exploitation requires delegated permissions that grant the ability to view property mappings or expression policies, and the executed code can access the entire authentik database and environment variables.


How to mitigate CVE-2026-25227

Install the security update from the vendor's website.

Sources