Improper access control in authentik - CVE-2026-54730
Published: July 17, 2026
authentik
Detailed vulnerability description
The vulnerability allows a remote user to bypass device-trust verification and authenticate from an unverified device.
The vulnerability exists due to improper access control in the Google Chrome device-trust stages when advancing the authentication flow. A remote user can submit the stage without completing device attestation to bypass device-trust verification and authenticate from an unverified device.
Exploitation requires access to an authentication flow that uses either an Endpoint stage backed by a Google Chrome connector set to required mode or the deprecated Google Chrome Device Trust Connector stage. Other authentication factors, if configured, remain in force.