Skip to main content

authentik CVE-2026-49443

| EUVDEUVD-2026-34028 HIGH
Improper Authentication (CWE-287)
2026-06-02 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 22:01 EUVD
Analysis Generated
Jun 02, 2026 - 21:20 vuln.today

DescriptionGitHub Advisory

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

AnalysisAI

Authentication bypass in authentik identity provider versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 allows a low-privileged attacker who can modify a source connection and holds an account in one of the configured external sources to log into any account on the system. The flaw (CWE-287) carries a CVSS 8.8 rating with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

authentik is a widely deployed open-source identity provider that federates authentication across external sources (OAuth, SAML, LDAP, etc.) via configurable 'source' objects. The root cause is a CWE-287 Improper Authentication weakness in the source-binding/account-linking logic: when a user with permission to alter a source connection also possesses an identity in that source, authentik fails to correctly bind the federated identity to the originally-intended account, allowing the attacker to assume any local identity. The affected CPE is cpe:2.3:a:goauthentik:authentik covering all versions before the fixed releases on the 2025.12, 2026.2, and 2026.5 branches.

RemediationAI

Vendor-released patch: upgrade to authentik 2025.12.6, 2026.2.4, or 2026.5.1 depending on the deployment branch, per the vendor advisory at https://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr. Until patching is complete, restrict the ability to create or modify source connections to a minimal set of trusted, audited administrators by tightening RBAC on source objects, and audit existing federated sources and recently-modified source bindings for unexpected changes - note that revoking source-edit permissions may disrupt delegated IdP administration and federation onboarding workflows. Additionally, review authentik audit logs for anomalous source modifications followed by logins as unrelated users, and consider temporarily disabling non-essential external sources if delegated admins cannot be trusted in the interim.

CVE-2023-48228 CRITICAL POC
9.8 Nov 21

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-23555 HIGH POC
8.8 Dec 28

authentik is an open-source Identity Provider focused on flexibility and versatility. Rated high severity (CVSS 8.8), th

CVE-2022-46172 MEDIUM POC
6.4 Dec 28

authentik is an open-source Identity provider focused on flexibility and versatility. Rated medium severity (CVSS 6.4),

CVE-2026-49448 CRITICAL
9.8 Jun 02

Authentication bypass in authentik identity provider (versions prior to 2025.12.6, 2026.2.4, and 2026.5.1) allows remote

CVE-2024-38371 CRITICAL
9.8 Jun 28

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2023-46249 CRITICAL
9.8 Oct 31

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-46145 CRITICAL
9.8 Dec 02

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2025-52553 CRITICAL
9.6 Jun 27

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token whi

CVE-2026-42849 CRITICAL
9.3 Jun 02

Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to

CVE-2026-25227 CRITICAL
9.1 Feb 12

Code injection in authentik identity provider from 2021.3.1 through multiple versions. Users with delegated permissions

CVE-2024-47070 CRITICAL
9.0 Sep 27

authentik is an open-source identity provider. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploi

CVE-2026-25922 HIGH
8.8 Feb 12

authentik is an open-source identity provider. [CVSS 8.8 HIGH]

Share

CVE-2026-49443 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy