Skip to main content

authentik EUVDEUVD-2026-33987

| CVE-2026-41577 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-02 GitHub_M
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 02, 2026 - 21:02 EUVD
Analysis Generated
Jun 02, 2026 - 20:29 vuln.today
CVSS changed
Jun 02, 2026 - 20:22 NVD
6.9 (MEDIUM)

DescriptionGitHub Advisory

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.

AnalysisAI

SAML assertion validation in authentik's ResponseProcessor.parse() completely omits verification of the Conditions element, allowing unauthenticated remote attackers (PR:N per CVSS 4.0 vector) to replay expired SAML assertions or submit assertions originally issued for a different service provider. All authentik deployments prior to versions 2025.12.5 and 2026.2.3 that use SAML sources are affected. This is not listed in CISA KEV and no public exploit has been identified at time of analysis, but the low-complexity, network-accessible attack path against a core authentication primitive makes this a meaningful integrity risk in any SAML-federated deployment.

Technical ContextAI

SAML (Security Assertion Markup Language) assertions carry a <Conditions> element that enforces three critical security constraints: NotBefore and NotOnOrAfter define the assertion validity window to prevent replay of captured sessions, and AudienceRestriction binds an assertion to a specific service provider (SP), preventing cross-SP token confusion. Authentik's ResponseProcessor.parse() in the SAML source handling path ignores all three constraints entirely. CWE-345 (Insufficient Verification of Data Authenticity) precisely describes this root cause: cryptographic signatures on the assertion may still be verified, but the semantic validity constraints that prevent reuse and misdirection are never checked. The CPE cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:* confirms all versions across both release branches are affected prior to the respective fixes.

RemediationAI

Upgrade authentik to version 2025.12.5 (for deployments on the 2025.12.x branch) or 2026.2.3 (for deployments on the 2026.2.x branch); these are the vendor-confirmed patched releases per the advisory at https://github.com/goauthentik/authentik/security/advisories/GHSA-4v4x-x5pr-8gp2. If immediate upgrade is not feasible, the most effective compensating control is to disable all configured SAML sources in the authentik admin interface, redirecting users to OIDC or LDAP federation - this eliminates the vulnerable code path entirely but will disrupt SAML-federated authentication flows until patching is complete. For organizations that cannot disable SAML, restrict network access to the authentik SAML assertion consumer endpoint to only the IP ranges of trusted identity providers; this reduces exposure to external replay but does not protect against insider or IdP-proximate attackers and should be treated as a temporary measure only. No side effects are associated with the upgrade path.

CVE-2023-48228 CRITICAL POC
9.8 Nov 21

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-23555 HIGH POC
8.8 Dec 28

authentik is an open-source Identity Provider focused on flexibility and versatility. Rated high severity (CVSS 8.8), th

CVE-2022-46172 MEDIUM POC
6.4 Dec 28

authentik is an open-source Identity provider focused on flexibility and versatility. Rated medium severity (CVSS 6.4),

CVE-2026-49448 CRITICAL
9.8 Jun 02

Authentication bypass in authentik identity provider (versions prior to 2025.12.6, 2026.2.4, and 2026.5.1) allows remote

CVE-2024-38371 CRITICAL
9.8 Jun 28

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2023-46249 CRITICAL
9.8 Oct 31

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-46145 CRITICAL
9.8 Dec 02

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2025-52553 CRITICAL
9.6 Jun 27

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token whi

CVE-2026-42849 CRITICAL
9.3 Jun 02

Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to

CVE-2026-25227 CRITICAL
9.1 Feb 12

Code injection in authentik identity provider from 2021.3.1 through multiple versions. Users with delegated permissions

CVE-2024-47070 CRITICAL
9.0 Sep 27

authentik is an open-source identity provider. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploi

CVE-2026-49443 HIGH
8.8 Jun 02

Authentication bypass in authentik identity provider versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 allows a low-pr

Share

EUVD-2026-33987 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy