
authentik CVE-2026-40165

Severity: HIGH
XML Injection (aka Blind XPath Injection) (CWE-91)
2026-05-21, security-advisories@github.com
CVSS 3.1 base score: 8.7

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: May 21, 2026 - 00:28 (vuln.today)
Analysis Generated: May 21, 2026 - 00:28 (vuln.today)

Description (NVD)

authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
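As an added example (not authentik's code and not the upstream fix), the Python below contrasts the flawed NameID extraction pattern the description refers to with a hardened one. It uses the standard-library ElementTree parser configured to keep comment nodes, so that `.text` stops at a comment the way it does in a parser such as lxml that preserves them; the SAML fragments and the NameID values are constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PATH = f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID"

# Constructed sample assertions (signature elements omitted). The account's
# legitimate NameID at the SAML Source is "alice_x"; in the tampered copy an
# XML comment splits the value so a naive reader sees only "alice".
CLEAN = f'<Assertion xmlns="{SAML_NS}"><Subject><NameID>alice_x</NameID></Subject></Assertion>'
TAMPERED = f'<Assertion xmlns="{SAML_NS}"><Subject><NameID>alice<!-- -->_x</NameID></Subject></Assertion>'


def parse_assertion(xml_text: str) -> ET.Element:
    """Parse while keeping comment nodes in the tree (as lxml does). The
    stdlib default parser drops comments and would merge the two text nodes,
    hiding the split that this example is about."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def name_id_vulnerable(assertion: ET.Element) -> str:
    """Flawed pattern: Element.text is only the text before the first child
    node, so anything after an injected comment is silently dropped."""
    return assertion.find(NAMEID_PATH).text


def name_id_hardened(assertion: ET.Element) -> str:
    """Refuse a NameID that is not a single plain text node; otherwise return
    its complete text content."""
    node = assertion.find(NAMEID_PATH)
    if node is None:
        raise ValueError("assertion has no Subject/NameID")
    if len(node):  # any child (comment, PI, element) means a split value
        raise ValueError("NameID contains child nodes; rejecting assertion")
    value = "".join(node.itertext()).strip()
    if not value:
        raise ValueError("empty NameID")
    return value


if __name__ == "__main__":
    print(name_id_vulnerable(parse_assertion(TAMPERED)))  # alice
    print(name_id_hardened(parse_assertion(CLEAN)))       # alice_x
    try:
        name_id_hardened(parse_assertion(TAMPERED))
    except ValueError as exc:
        print("rejected:", exc)
```

Logging the rejection with the full serialized NameID element gives a detection signal for tampered assertions arriving from a federated source.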

Analysis (AI)

An authentication bypass in the authentik identity provider allows attackers with an account on a federated SAML Source to impersonate arbitrary users by injecting an XML comment into the NameID value of a signed SAML assertion. Affected versions are 2025.12.4 and prior, plus 2026.2.0-rc1 through 2026.2.2. The GitHub Security Advisory GHSA-9wj8-xv4r-qwrp confirms the issue with a CVSS 8.7 (High) score. No public exploit is identified at the time of analysis, though the upstream commit and a regression test demonstrate the truncation behavior.


Remediation (AI)

Within 24 hours: Identify all authentik deployments and confirm installed versions; assess systems dependent on SAML federation. Within 7 days: Disable federated SAML authentication if operationally feasible, implement enhanced authentication event logging and alerting, restrict SAML account provisioning to minimum required users, and inventory all federated identities. …



CVE-2026-40165 vulnerability details – vuln.today
