CVE-2026-42849
9.3 CRITICALauthentik is an open-source identity provider
Published: 2026-06-02 · Last updated: 2026-06-04
Severity and scoring
- CVSS
- 9.3 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
- CWE
- CWE-79
Affected products
| Vendor | Product |
|---|---|
| goauthentik | authentik |
Description
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-49448 — authentik is an open-source identity provider (9.8 CRITICAL)
- CVE-2026-49443 — authentik is an open-source identity provider (8.8 HIGH)
- CVE-2026-47201 — authentik is an open-source identity provider (8.5 HIGH)
- CVE-2026-41569 — authentik is an open-source identity provider (6.1 MEDIUM)
- CVE-2026-41577 — authentik is an open-source identity provider (7.5 HIGH)
Same CWE
- CVE-2026-2827 — The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in ... (4.7 MEDIUM)
- CVE-2026-42558 — Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)
- CVE-2026-53742 — Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template (5.4 MEDIUM)
- CVE-2026-53741 — Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding (5.4 MEDIUM)
- CVE-2026-53740 — Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice (5.4 MEDIUM)