CVE-2026-49443

8.8 HIGH

authentik is an open-source identity provider

Published: 2026-06-02 · Last updated: 2026-06-04

Severity and scoring

CVSS: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287

Affected products

Vendor	Product
goauthentik	authentik

Description

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-49443
[Vendor advisory]https://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr
[Vendor advisory]https://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr

Related CVEs

Same vendor

CVE-2026-49448 — authentik is an open-source identity provider (9.8 CRITICAL)
CVE-2026-47201 — authentik is an open-source identity provider (8.5 HIGH)
CVE-2026-42849 — authentik is an open-source identity provider (9.3 CRITICAL)
CVE-2026-41569 — authentik is an open-source identity provider (6.1 MEDIUM)
CVE-2026-41577 — authentik is an open-source identity provider (7.5 HIGH)

Same CWE

CVE-2026-47166 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.7 MEDIUM)
CVE-2026-46705 — Russh is a Rust SSH client & server library (5.3 MEDIUM)
CVE-2022-48575 — A person with access to a Mac may be able to bypass Login Window (3.5 LOW)
CVE-2026-45567 — Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (8.3 HIGH)
CVE-2026-47838 — SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wr... (6.8 MEDIUM)