Five vulnerabilities have been disclosed in authentik, the open-source identity provider, affecting versions prior to the 2025.12.6, 2026.2.4, and 2026.5.1 patch releases. The most severe — CVE-2026-49448 (CVSS 9.8 Critical) — allows complete bypass of the Source authentication stage. Organisations using authentik for single sign-on, identity federation, or user authentication should apply the coordinated patch bundle immediately.
What Are the Vulnerabilities?
CVE-2026-49448 — Source Stage Bypass (CVSS 9.8 Critical): The Source stage — a core authentication flow component in authentik that handles user authentication against external identity sources — can be bypassed by sending an empty POST request. An attacker who discovers a flow that uses Source authentication can skip the authentication challenge entirely and proceed as if successfully authenticated, gaining unauthorised access to applications and services protected by authentik. This is the most critical of the five vulnerabilities and requires immediate patching.
CVE-2026-47201 — SAML XML Signature Wrapping (CVSS 8.1 High): authentik’s SAML Source ACS (Assertion Consumer Service) endpoint is vulnerable to XML Signature Wrapping attacks. An attacker with a valid SAML assertion from a trusted identity provider can manipulate the XML structure to make the SAML response appear to be about a different user while the signature remains valid, enabling user impersonation across federated identity boundaries.
CVE-2026-49443 — Source Connection Account Takeover (CVSS 7.5 High): An attacker who has the ability to modify a source connection configuration and possesses a valid account in one identity provider can leverage this to gain access to accounts in a different connected identity provider, effectively crossing identity boundaries through source connection manipulation.
CVE-2026-41569 — WS-Federation wreply Open Redirect (CVSS 6.1 Medium): The WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL validation. An attacker can craft a wreply value that passes the prefix check but redirects the user to an attacker-controlled domain after authentication, enabling token theft or phishing.
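To show why a raw string prefix check is not a URL allow-list, here is an added example (not authentik's code) that places a weak prefix test of the kind described above next to a check that compares the parsed scheme, host and port; ALLOWED_WREPLY and the look-alike hosts are constructed placeholders.

```python
"""Added example, not authentik's own code: a WS-Federation wreply (return URL)
checked by raw string prefix versus by parsed origin.

ALLOWED_WREPLY is a constructed placeholder for a configured relying-party URL."""
from urllib.parse import urlsplit

ALLOWED_WREPLY = "https://app.example.com"  # constructed placeholder
DEFAULT_PORTS = {"https": 443, "http": 80}


def wreply_ok_prefix(wreply: str) -> bool:
    """Weak check of the kind the advisory describes: a plain string prefix test.
    Any value that merely begins with the allowed text is accepted."""
    return wreply.startswith(ALLOWED_WREPLY)


def _origin(url: str):
    """Return (scheme, hostname, port) with the default port filled in, or None
    if the URL cannot be parsed or carries userinfo (user:pass@host)."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme])


def wreply_ok_url(wreply: str) -> bool:
    """Hardened check: the redirect target must have exactly the allowed
    scheme, host and port, and its path must stay under the allowed path."""
    want, got = _origin(ALLOWED_WREPLY), _origin(wreply)
    if want is None or got is None or want != got:
        return False
    return urlsplit(wreply).path.startswith(urlsplit(ALLOWED_WREPLY).path)


if __name__ == "__main__":
    # Constructed inputs: one legitimate return URL, two look-alike hosts that
    # share the allowed text as a prefix but resolve to a different origin.
    for candidate in ("https://app.example.com/wsfed/return",
                      "https://app.example.com.evil.example/",
                      "https://app.example.com@evil.example/"):
        print(candidate, wreply_ok_prefix(candidate), wreply_ok_url(candidate))
```

The prefix check accepts all three constructed inputs, while the origin comparison accepts only the first.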
CVE-2026-41577 — SAML Condition Validation Bypass (CVSS 5.3 Medium): The SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element of SAML responses. This could allow an attacker to replay expired SAML assertions or bypass intended temporal restrictions on authentication.
Which Versions Are Affected?
- authentik versions prior to 2025.12.6
- authentik versions prior to 2026.2.4
- authentik versions prior to 2026.5.1
authentik is widely deployed as an alternative to commercial identity providers (Okta, Azure AD/Entra ID, Ping Identity) and as the identity layer for self-hosted and open-source infrastructure stacks.
Is It Being Exploited in the Wild?
No active exploitation has been publicly reported. However, the Source stage bypass (CVE-2026-49448, CVSS 9.8) is trivially exploitable with a single empty POST request — no credentials, no complex exploit chain. Any internet-facing authentik deployment with Source-stage-protected flows should be patched immediately.
What Is the Fix?
Update authentik to one of the patched versions: 2025.12.6, 2026.2.4, or 2026.5.1. All five vulnerabilities are addressed in these releases. After updating, verify the installed version in the authentik admin interface and review authentication logs for anomalous Source-stage logins or SAML authentication events.
Recommendations
Patch authentik immediately. The CVSS 9.8 Source stage bypass is an emergency-patch scenario for any organisation relying on authentik for user authentication. Apply the update today.
Audit Source-stage-protected flows. After patching, review authentik flows that use Source authentication stages and verify that they are functioning correctly with the updated version. Check authentication logs for any Source-stage authentications that succeeded without corresponding identity provider challenges.
Review SAML and WS-Federation configurations. The SAML wrapping and federation vulnerabilities (CVE-2026-47201, CVE-2026-41569, CVE-2026-41577) affect federated identity scenarios. Review your SAML and WS-Federation relying party configurations and ensure your identity provider(s) are also applying security updates.
References
- NVD: CVE-2026-49448 (Source Stage Bypass)
- NVD: CVE-2026-47201 (SAML Wrapping)
- Vulnerability Intelligence Report — June 4, 2026
This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
