Skip to main content

authentik EUVDEUVD-2026-34030

| CVE-2026-49448 CRITICAL
Improper Authentication (CWE-287)
2026-06-02 GitHub_M
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 22:01 EUVD
Analysis Generated
Jun 02, 2026 - 21:20 vuln.today

DescriptionGitHub Advisory

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

AnalysisAI

Authentication bypass in authentik identity provider (versions prior to 2025.12.6, 2026.2.4, and 2026.5.1) allows remote unauthenticated attackers to circumvent the Source stage by submitting an empty POST request. With a CVSS score of 9.8 and CWE-287 (Improper Authentication), this flaw effectively defeats a core identity verification control; no public exploit identified at time of analysis, though the trivial trigger condition makes weaponization straightforward once details are widely studied.

Technical ContextAI

Authentik is an open-source identity provider (CPE: cpe:2.3:a:goauthentik:authentik) that uses a flow-based authentication architecture where each 'stage' performs a discrete identity verification step. The 'Source stage' specifically handles authentication against external identity sources (such as OAuth, SAML, or LDAP providers) as part of a multi-step flow. The root cause maps to CWE-287 (Improper Authentication): the stage fails to validate that a POST submission contains the expected payload, so an empty body short-circuits the stage's verification logic and treats the request as if it had successfully completed source authentication.

RemediationAI

Vendor-released patch: upgrade to authentik 2025.12.6, 2026.2.4, or 2026.5.1 depending on which release branch you track, per advisory GHSA-xp7f-xjjx-gwm8 (https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8). If you cannot patch immediately, restrict network reachability of the authentik flow endpoints to trusted networks or place a WAF/reverse proxy rule in front that rejects POST requests with empty bodies to the Source stage endpoint (trade-off: may block legitimate edge cases and requires you to identify the exact stage URL pattern), and consider temporarily disabling flows that include a Source stage if your deployment can tolerate the loss of external IdP login until patching completes.

CVE-2023-48228 CRITICAL POC
9.8 Nov 21

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-23555 HIGH POC
8.8 Dec 28

authentik is an open-source Identity Provider focused on flexibility and versatility. Rated high severity (CVSS 8.8), th

CVE-2022-46172 MEDIUM POC
6.4 Dec 28

authentik is an open-source Identity provider focused on flexibility and versatility. Rated medium severity (CVSS 6.4),

CVE-2024-38371 CRITICAL
9.8 Jun 28

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2023-46249 CRITICAL
9.8 Oct 31

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-46145 CRITICAL
9.8 Dec 02

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2025-52553 CRITICAL
9.6 Jun 27

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token whi

CVE-2026-42849 CRITICAL
9.3 Jun 02

Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to

CVE-2026-25227 CRITICAL
9.1 Feb 12

Code injection in authentik identity provider from 2021.3.1 through multiple versions. Users with delegated permissions

CVE-2024-47070 CRITICAL
9.0 Sep 27

authentik is an open-source identity provider. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploi

CVE-2026-49443 HIGH
8.8 Jun 02

Authentication bypass in authentik identity provider versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 allows a low-pr

CVE-2026-25922 HIGH
8.8 Feb 12

authentik is an open-source identity provider. [CVSS 8.8 HIGH]

Share

EUVD-2026-34030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy