Incorrect authorization in authentik - #VU132752
Published: May 29, 2026
authentik
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper access control in SourceStageView.dispatch() and ChallengeStageView.post() when handling an empty POST request while the Source stage is active. A remote attacker can send an empty POST request to bypass authentication.
Exploitation is possible when a Source stage is bound to a flow, the source exposes a ui_login_button, and the attacker can reach the Source stage.
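To make the bug class concrete, the following is an added, hypothetical model of a flow "challenge stage" handler: the weak version treats an empty POST as "nothing to validate" and marks the stage complete, so the flow advances without any source login; the hardened version re-issues the challenge until a response actually validates. This is illustration code written for this page, not authentik's implementation, and the class names, the `FlowPlan`/`Request` objects and the `source_token` check are all constructed.

```python
"""
Hypothetical, simplified model of a flow "challenge stage" handler, added to
illustrate the class of bug described above. It is NOT authentik's code and
does not reproduce its internals; names, structure and the stage/flow objects
are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FlowPlan:
    """Tracks the stages a user still has to pass and the pending user."""
    stages: list
    pending_user: Optional[str] = None
    completed: list = field(default_factory=list)


@dataclass
class Request:
    method: str
    data: dict  # parsed POST body; {} models an empty POST


class WeakSourceStage:
    """Weak pattern: an empty POST skips challenge validation and the stage is
    marked done, so the flow advances without a completed source login."""

    def __init__(self, name: str):
        self.name = name

    def post(self, request: Request, plan: FlowPlan) -> str:
        if not request.data:
            # Bug: empty body is treated as a completed challenge.
            self._complete(plan)
            return "advance"
        return self._validate(request.data, plan)

    def _validate(self, data: dict, plan: FlowPlan) -> str:
        # Constructed check standing in for "the source confirmed the login".
        if data.get("source_token") == "valid-token":
            self._complete(plan)
            return "advance"
        return "challenge"

    def _complete(self, plan: FlowPlan) -> None:
        plan.completed.append(self.name)
        plan.stages.remove(self.name)


class HardenedSourceStage(WeakSourceStage):
    """Fix: an empty or malformed response re-issues the challenge; the stage
    only completes after the challenge response validates."""

    def post(self, request: Request, plan: FlowPlan) -> str:
        if not request.data or "source_token" not in request.data:
            return "challenge"
        return self._validate(request.data, plan)


def run_flow(stage: WeakSourceStage, request: Request):
    """Runs one stage against a fresh plan.

    Returns (handler result, whether the stage was marked complete).
    """
    plan = FlowPlan(stages=[stage.name], pending_user="alice")
    result = stage.post(request, plan)
    return result, stage.name in plan.completed


if __name__ == "__main__":
    empty = Request("POST", {})
    print("weak, empty POST:    ", run_flow(WeakSourceStage("source"), empty))
    print("hardened, empty POST:", run_flow(HardenedSourceStage("source"), empty))
```

The defensive point is the invariant the hardened handler enforces: a stage that authenticates the user must never advance the flow on the absence of input, only on a response that validated. Reviewing stage handlers for "empty or missing body" branches that fall through to completion is the corresponding code-review check.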