Missing Authorization in authentik - #VU138386
Published: July 17, 2026
authentik
Detailed vulnerability description
The vulnerability allows a remote user to modify or disable security event streams, delete streams, and cause a denial of service.
The vulnerability exists due to missing authorization in Shared Signals Framework stream management operations when handling requests for existing streams. A remote user can send requests to read, change, disable, or delete an application's event streams to modify or disable security event streams, delete streams, and cause a denial of service.
This affects only Enterprise deployments that use the Shared Signals Framework, where a provider is linked to an application as its backchannel provider and that application also issues access tokens to its users. On 2026.2, only stream deletion is reachable, while on 2026.5 the read, update, verify, and status operations are reachable.