Improper access control in authentik - CVE-2026-55106

 

Improper access control in authentik - CVE-2026-55106

Published: July 17, 2026


Vulnerability identifier: #VU138383
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-55106
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Authentik Security Inc
Affected software:
authentik

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the LDAP Source debug API endpoint when handling diagnostic action requests. A remote attacker can send a crafted request to disclose sensitive information.

Only deployments with one or more LDAP Sources configured are vulnerable. The exposed data is limited to distinguished names of directory entries and the names of attributes present on them, but not attribute values.


How to mitigate CVE-2026-55106

Install security update from vendor's website.

Sources