Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.
AnalysisAI
SAML assertion validation in authentik's ResponseProcessor.parse() completely omits verification of the Conditions element, allowing unauthenticated remote attackers (PR:N per CVSS 4.0 vector) to replay expired SAML assertions or submit assertions originally issued for a different service provider. All authentik deployments prior to versions 2025.12.5 and 2026.2.3 that use SAML sources are affected. This is not listed in CISA KEV and no public exploit has been identified at time of analysis, but the low-complexity, network-accessible attack path against a core authentication primitive makes this a meaningful integrity risk in any SAML-federated deployment.
Technical ContextAI
SAML (Security Assertion Markup Language) assertions carry a <Conditions> element that enforces three critical security constraints: NotBefore and NotOnOrAfter define the assertion validity window to prevent replay of captured sessions, and AudienceRestriction binds an assertion to a specific service provider (SP), preventing cross-SP token confusion. Authentik's ResponseProcessor.parse() in the SAML source handling path ignores all three constraints entirely. CWE-345 (Insufficient Verification of Data Authenticity) precisely describes this root cause: cryptographic signatures on the assertion may still be verified, but the semantic validity constraints that prevent reuse and misdirection are never checked. The CPE cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:* confirms all versions across both release branches are affected prior to the respective fixes.
RemediationAI
Upgrade authentik to version 2025.12.5 (for deployments on the 2025.12.x branch) or 2026.2.3 (for deployments on the 2026.2.x branch); these are the vendor-confirmed patched releases per the advisory at https://github.com/goauthentik/authentik/security/advisories/GHSA-4v4x-x5pr-8gp2. If immediate upgrade is not feasible, the most effective compensating control is to disable all configured SAML sources in the authentik admin interface, redirecting users to OIDC or LDAP federation - this eliminates the vulnerable code path entirely but will disrupt SAML-federated authentication flows until patching is complete. For organizations that cannot disable SAML, restrict network access to the authentik SAML assertion consumer endpoint to only the IP ranges of trusted identity providers; this reduces exposure to external replay but does not protect against insider or IdP-proximate attackers and should be treated as a temporary measure only. No side effects are associated with the upgrade path.
authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
authentik is an open-source Identity Provider focused on flexibility and versatility. Rated high severity (CVSS 8.8), th
authentik is an open-source Identity provider focused on flexibility and versatility. Rated medium severity (CVSS 6.4),
Authentication bypass in authentik identity provider (versions prior to 2025.12.6, 2026.2.4, and 2026.5.1) allows remote
authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token whi
Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to
Code injection in authentik identity provider from 2021.3.1 through multiple versions. Users with delegated permissions
authentik is an open-source identity provider. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploi
Authentication bypass in authentik identity provider versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 allows a low-pr
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33987