Skip to main content

authentik CVE-2026-40172

HIGH
Improper Privilege Management (CWE-269)
2026-05-22 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 22, 2026 - 19:30 vuln.today
Analysis Generated
May 22, 2026 - 19:30 vuln.today

DescriptionGitHub Advisory

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege escalation. This bypasses the stricter permission model enforced in group-management paths and enables delegated user-management permissions to escalate target users to administrator-equivalent privilege. Users with permissions to update groups or permissions to update users are able to add themselves or other users they have permissions on to users which have superuser permissions. This issue has been fixed in versions 22025.12.5 and 2026.2.3.

AnalysisAI

Privilege escalation in authentik identity provider versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2 allows an authenticated user holding the change_user permission to assign arbitrary groups - including superuser groups - to any target user via the PATCH /api/v3/core/users/{pk}/ endpoint. The UserSerializer skips the enable_group_superuser check enforced in the dedicated group-management paths, letting delegated user-management roles promote themselves or others to administrator-equivalent privilege. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the trivial attack mechanics (a single PATCH request) make weaponization straightforward for any tenant that has delegated user administration.

Technical ContextAI

authentik is a widely deployed open-source identity and access management platform (CPE cpe:2.3:a:goauthentik:authentik) that exposes a Django REST Framework API for user and group administration. The root cause is CWE-269 Improper Privilege Management: the UserSerializer used by the user PATCH endpoint accepts a 'groups' field and writes it directly to the relation without re-validating whether the calling principal is permitted to confer the privileges granted by those groups. authentik already enforces a stricter check - enable_group_superuser - on the group-management code path to prevent delegated group editors from creating or modifying superuser groups, but that gate was never mirrored on the user-update path, so the same restricted role can simply attach an existing superuser group to a target user as an indirect route to the same outcome.

RemediationAI

Vendor-released patch: upgrade to authentik 2025.12.5 on the stable branch or 2026.2.3 on the 2026.2 release line, per the vendor advisory GHSA-h6x7-hjjc-wjc9 and the release notes at https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5 and https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3. Until the upgrade is rolled out, audit and revoke any custom roles or RBAC bindings that grant authentik_core.change_user or group-modification permissions to non-administrator principals, since the vulnerability is only reachable by accounts already holding one of those delegations; the trade-off is that legitimate help-desk or onboarding workflows that depend on those permissions will be temporarily blocked. Additionally, review the membership of any group whose is_superuser flag is true and constrain network access to the /api/v3/core/users/ endpoint via reverse-proxy ACLs where feasible, accepting that this will also restrict the legitimate admin UI which uses the same API.

CVE-2023-48228 CRITICAL POC
9.8 Nov 21

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-23555 HIGH POC
8.8 Dec 28

authentik is an open-source Identity Provider focused on flexibility and versatility. Rated high severity (CVSS 8.8), th

CVE-2022-46172 MEDIUM POC
6.4 Dec 28

authentik is an open-source Identity provider focused on flexibility and versatility. Rated medium severity (CVSS 6.4),

CVE-2026-49448 CRITICAL
9.8 Jun 02

Authentication bypass in authentik identity provider (versions prior to 2025.12.6, 2026.2.4, and 2026.5.1) allows remote

CVE-2024-38371 CRITICAL
9.8 Jun 28

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2023-46249 CRITICAL
9.8 Oct 31

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-46145 CRITICAL
9.8 Dec 02

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2025-52553 CRITICAL
9.6 Jun 27

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token whi

CVE-2026-42849 CRITICAL
9.3 Jun 02

Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to

CVE-2026-25227 CRITICAL
9.1 Feb 12

Code injection in authentik identity provider from 2021.3.1 through multiple versions. Users with delegated permissions

CVE-2024-47070 CRITICAL
9.0 Sep 27

authentik is an open-source identity provider. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploi

CVE-2026-49443 HIGH
8.8 Jun 02

Authentication bypass in authentik identity provider versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 allows a low-pr

Share

CVE-2026-40172 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy