Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.
AnalysisAI
Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to execute arbitrary JavaScript in a victim's browser by abusing the AutosubmitStage within the Simple Flow Executor (SFE). With a CVSS of 9.3 reflecting scope change and high impact to confidentiality/integrity, exploitation enables session hijacking against an identity provider, but no public exploit identified at time of analysis.
Technical ContextAI
authentik is an open-source identity and access management (IdP) platform developed by goauthentik, used as an SSO/federation broker (SAML, OIDC, LDAP). The vulnerability resides in the Simple Flow Executor (SFE), a fallback flow-rendering interface designed for legacy browsers that cannot run the modern Web Component-based UI. Specifically, the AutosubmitStage - a stage that auto-submits HTML form data (typically for SAML POST bindings or external redirects) - failed to properly encode/escape user-controllable values before injecting them into the rendered HTML, matching CWE-79 (Improper Neutralization of Input During Web Page Generation). Because the SFE renders inside the IdP's trusted origin during authentication flows, script execution occurs in a security-sensitive context.
RemediationAI
Vendor-released patch: upgrade authentik to 2025.12.5 (for the 2025.12.x branch) or 2026.2.3 (for the 2026.2.x branch) as documented in advisory GHSA-pgff-5mx8-fqj3 at https://github.com/goauthentik/authentik/security/advisories/GHSA-pgff-5mx8-fqj3. If immediate patching is not possible, disable the Simple Flow Executor fallback so flows render only via the modern Web Component UI - note this will break authentication for genuinely legacy browsers (IE-era / non-ES6 clients) and any embedded WebViews that rely on the SFE path. As additional compensating controls, enforce a strict Content-Security-Policy on the authentik web frontend (script-src 'self' without 'unsafe-inline') which can blunt arbitrary script execution at the cost of breaking custom branding/scripts, and restrict admin-interface network exposure via IP allowlisting on the reverse proxy so a phished admin session cannot be reached externally.
authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
authentik is an open-source Identity Provider focused on flexibility and versatility. Rated high severity (CVSS 8.8), th
authentik is an open-source Identity provider focused on flexibility and versatility. Rated medium severity (CVSS 6.4),
Authentication bypass in authentik identity provider (versions prior to 2025.12.6, 2026.2.4, and 2026.5.1) allows remote
authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token whi
Code injection in authentik identity provider from 2021.3.1 through multiple versions. Users with delegated permissions
authentik is an open-source identity provider. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploi
Authentication bypass in authentik identity provider versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 allows a low-pr
authentik is an open-source identity provider. [CVSS 8.8 HIGH]
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34026