Skip to main content

authentik CVE-2026-42849

| EUVDEUVD-2026-34026 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 GitHub_M
9.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 22:01 EUVD
Analysis Generated
Jun 02, 2026 - 21:21 vuln.today

DescriptionGitHub Advisory

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.

AnalysisAI

Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to execute arbitrary JavaScript in a victim's browser by abusing the AutosubmitStage within the Simple Flow Executor (SFE). With a CVSS of 9.3 reflecting scope change and high impact to confidentiality/integrity, exploitation enables session hijacking against an identity provider, but no public exploit identified at time of analysis.

Technical ContextAI

authentik is an open-source identity and access management (IdP) platform developed by goauthentik, used as an SSO/federation broker (SAML, OIDC, LDAP). The vulnerability resides in the Simple Flow Executor (SFE), a fallback flow-rendering interface designed for legacy browsers that cannot run the modern Web Component-based UI. Specifically, the AutosubmitStage - a stage that auto-submits HTML form data (typically for SAML POST bindings or external redirects) - failed to properly encode/escape user-controllable values before injecting them into the rendered HTML, matching CWE-79 (Improper Neutralization of Input During Web Page Generation). Because the SFE renders inside the IdP's trusted origin during authentication flows, script execution occurs in a security-sensitive context.

RemediationAI

Vendor-released patch: upgrade authentik to 2025.12.5 (for the 2025.12.x branch) or 2026.2.3 (for the 2026.2.x branch) as documented in advisory GHSA-pgff-5mx8-fqj3 at https://github.com/goauthentik/authentik/security/advisories/GHSA-pgff-5mx8-fqj3. If immediate patching is not possible, disable the Simple Flow Executor fallback so flows render only via the modern Web Component UI - note this will break authentication for genuinely legacy browsers (IE-era / non-ES6 clients) and any embedded WebViews that rely on the SFE path. As additional compensating controls, enforce a strict Content-Security-Policy on the authentik web frontend (script-src 'self' without 'unsafe-inline') which can blunt arbitrary script execution at the cost of breaking custom branding/scripts, and restrict admin-interface network exposure via IP allowlisting on the reverse proxy so a phished admin session cannot be reached externally.

CVE-2023-48228 CRITICAL POC
9.8 Nov 21

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-23555 HIGH POC
8.8 Dec 28

authentik is an open-source Identity Provider focused on flexibility and versatility. Rated high severity (CVSS 8.8), th

CVE-2022-46172 MEDIUM POC
6.4 Dec 28

authentik is an open-source Identity provider focused on flexibility and versatility. Rated medium severity (CVSS 6.4),

CVE-2026-49448 CRITICAL
9.8 Jun 02

Authentication bypass in authentik identity provider (versions prior to 2025.12.6, 2026.2.4, and 2026.5.1) allows remote

CVE-2024-38371 CRITICAL
9.8 Jun 28

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2023-46249 CRITICAL
9.8 Oct 31

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-46145 CRITICAL
9.8 Dec 02

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2025-52553 CRITICAL
9.6 Jun 27

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token whi

CVE-2026-25227 CRITICAL
9.1 Feb 12

Code injection in authentik identity provider from 2021.3.1 through multiple versions. Users with delegated permissions

CVE-2024-47070 CRITICAL
9.0 Sep 27

authentik is an open-source identity provider. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploi

CVE-2026-49443 HIGH
8.8 Jun 02

Authentication bypass in authentik identity provider versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 allows a low-pr

CVE-2026-25922 HIGH
8.8 Feb 12

authentik is an open-source identity provider. [CVSS 8.8 HIGH]

Share

CVE-2026-42849 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy