CRITICAL🇵🇱 Wersja polska

CVE-2026-49448

CVSS 9.8v3.1pub. 2026-06-02upd. 2026-06-04

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

🤖 AI Analysis
How it works

The vulnerability (CWE-287 — improper authentication verification) consists in the fact that the Source Stage mechanism does not properly validate transmitted data during the authentication process. An attacker can send an empty HTTP POST request, which is accepted by the application, thereby bypassing the required identity verification step. No privileges, user interaction, or special network conditions are required — the attack is possible remotely over the network.

Impact

An attacker can bypass authentication mechanisms and gain unauthorized access to resources protected by Authentik, which may result in violations of confidentiality, integrity, and availability of the identity management system.

Mitigation & patch

Goauthentik Authentik should be updated to version 2025.12.6, 2026.2.4, or 2026.5.1, in which the vulnerability has been patched. Details are available in the vendor references on GitHub Security Advisories.

Who is affected

Goauthentik Authentik in all versions prior to 2025.12.6, 2026.2.4, and 2026.5.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Goauthentik Authentik

    APP
    Goauthentik
    < 2025.12.62026.2.0 – 2026.2.4 (bez)2026.5.0 – 2026.5.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-42849CRITICAL9.3PL ✓ten sam produkt

XSS w AutosubmitStage komponentu SFE w Goauthentik Authentik

CVE-2026-25227CRITICAL9.1PL ✓ten sam produkt

RCE w authentik przez endpoint testowy mapowania właściwości

CVE-2024-47070CRITICAL9.0PL ✓ten sam produkt

Pominięcie uwierzytelnienia przez nagłówek X-Forwarded-For w authentik

CVE-2023-46249CRITICAL9.6ten sam produkt

authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admi...

CVE-2023-26481CRITICAL9.1ten sam produkt

authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that ...