Insufficient verification of data authenticity in authentik - CVE-2026-41577

Published: May 12, 2026


Vulnerability identifier: #VU131251
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41577
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Authentik Security Inc
Affected software:
authentik

Detailed vulnerability description

The vulnerability allows a remote user to replay expired SAML assertions and authenticate with assertions intended for other service providers.

The vulnerability exists due to insufficient verification of data authenticity in ResponseProcessor.parse() when processing SAML assertions. A remote user can submit a previously valid SAML assertion to replay expired assertions and authenticate with assertions intended for other service providers.

The assertion's Conditions element is not validated: the NotBefore and NotOnOrAfter time bounds and the AudienceRestriction are all ignored.
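The checks described above, shown as an added defensive example that is not authentik's code: a validator for the SAML 2.0 Conditions element that rejects an assertion outside its NotBefore/NotOnOrAfter window (with a 60-second clock-skew allowance) or one whose AudienceRestriction does not name this service provider. The service provider entity ID, the sample assertion and its timestamps are constructed for the example; XML signature verification is assumed to have already passed and is not shown.

```python
"""Validate the <saml:Conditions> element of a SAML 2.0 assertion.

Added example, not authentik's code. It enforces NotBefore / NotOnOrAfter
(with a small clock-skew allowance) and AudienceRestriction against the
service provider's own entity ID. XML signature verification is assumed to
have already passed and is out of scope here.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (unsigned, illustrative values only).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    ID="_constructed-id" Version="2.0" IssueInstant="2026-05-12T10:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Conditions NotBefore="2026-05-12T10:00:00Z" NotOnOrAfter="2026-05-12T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

OUR_ENTITY_ID = "https://sp.example.test/saml/metadata"  # assumed SP entity ID


class ConditionsError(ValueError):
    """The assertion's Conditions reject it for this service provider."""


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML xsd:dateTime timestamp, which must be UTC with a trailing 'Z'."""
    if not value.endswith("Z"):
        raise ConditionsError(f"non-UTC timestamp: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def validate_conditions(assertion_xml: str, expected_audience: str,
                        now: Optional[datetime] = None,
                        clock_skew: timedelta = timedelta(seconds=60)) -> None:
    """Raise ConditionsError unless the assertion is valid right now for us.

    Policy choices stricter than the SAML minimum: a missing Conditions,
    NotOnOrAfter or AudienceRestriction is rejected, because each absence
    would leave the assertion unbounded in time or in intended recipient.
    """
    now = now or datetime.now(timezone.utc)
    conditions = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if conditions is None:
        raise ConditionsError("no Conditions element")

    # Time window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is None:
        raise ConditionsError("no NotOnOrAfter; refusing an assertion with unbounded lifetime")
    if not_before is not None and now < parse_saml_time(not_before) - clock_skew:
        raise ConditionsError("assertion not yet valid (NotBefore)")
    if now >= parse_saml_time(not_on_or_after) + clock_skew:
        raise ConditionsError("assertion expired (NotOnOrAfter)")

    # Audience: several AudienceRestriction elements are ANDed; the
    # Audience values inside one of them are ORed.
    restrictions = conditions.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        raise ConditionsError("no AudienceRestriction; assertion is not addressed to a specific SP")
    for restriction in restrictions:
        audiences = {a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text}
        if expected_audience not in audiences:
            raise ConditionsError(f"assertion addressed to {sorted(audiences)}, not to {expected_audience}")


def conditions_verdict(assertion_xml: str, expected_audience: str,
                       now: Optional[datetime] = None) -> str:
    """Return 'accepted', or 'rejected: <reason>' for logging and tests."""
    try:
        validate_conditions(assertion_xml, expected_audience, now=now)
    except ConditionsError as exc:
        return f"rejected: {exc}"
    return "accepted"


if __name__ == "__main__":
    inside = parse_saml_time("2026-05-12T10:02:00Z")
    replayed = parse_saml_time("2026-05-12T10:30:00Z")
    print("inside window ->", conditions_verdict(SAMPLE_ASSERTION, OUR_ENTITY_ID, inside))
    print("replayed later ->", conditions_verdict(SAMPLE_ASSERTION, OUR_ENTITY_ID, replayed))
    print("other SP ->", conditions_verdict(SAMPLE_ASSERTION, "https://other-sp.example.test/", inside))
```

The skew allowance is applied symmetrically and kept short; a generous window reopens exactly the replay problem the advisory describes, so the value should be tuned to observed clock drift between the IdP and the SP, not set defensively large.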


How to mitigate CVE-2026-41577

Install the security update from the vendor's website.
