authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
The vulnerability (CWE-287 — improper authentication verification) consists in the fact that the Source Stage mechanism does not properly validate transmitted data during the authentication process. An attacker can send an empty HTTP POST request, which is accepted by the application, thereby bypassing the required identity verification step. No privileges, user interaction, or special network conditions are required — the attack is possible remotely over the network.
An attacker can bypass authentication mechanisms and gain unauthorized access to resources protected by Authentik, which may result in violations of confidentiality, integrity, and availability of the identity management system.
Goauthentik Authentik should be updated to version 2025.12.6, 2026.2.4, or 2026.5.1, in which the vulnerability has been patched. Details are available in the vendor references on GitHub Security Advisories.
Goauthentik Authentik in all versions prior to 2025.12.6, 2026.2.4, and 2026.5.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGoauthentik Authentik
APPGoauthentik< 2025.12.62026.2.0 – 2026.2.4 (bez)2026.5.0 – 2026.5.1 (bez)
Related vulnerabilities
XSS w AutosubmitStage komponentu SFE w Goauthentik Authentik
RCE w authentik przez endpoint testowy mapowania właściwości
Pominięcie uwierzytelnienia przez nagłówek X-Forwarded-For w authentik
authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admi...
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that ...