CRITICAL🇵🇱 Wersja polska

CVE-2026-42849

CVSS 9.3v3.1pub. 2026-06-02upd. 2026-06-04

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
  • Goauthentik Authentik

    APP
    Goauthentik
    < 2025.12.52026.2.0 – 2026.2.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2026-49448CRITICAL9.8PL ✓ten sam produkt

Pominięcie etapu uwierzytelniania (Source Stage) w Goauthentik Authentik

CVE-2026-25227CRITICAL9.1PL ✓ten sam produkt

RCE w authentik przez endpoint testowy mapowania właściwości

CVE-2024-47070CRITICAL9.0PL ✓ten sam produkt

Pominięcie uwierzytelnienia przez nagłówek X-Forwarded-For w authentik

CVE-2023-46249CRITICAL9.6ten sam produkt

authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admi...

CVE-2023-26481CRITICAL9.1ten sam produkt

authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that ...