CVE-2026-49448

9.8 CRITICAL

authentik is an open-source identity provider

Published: 2026-06-02 · Last updated: 2026-06-04

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287

Affected products

Vendor	Product
goauthentik	authentik

Description

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-49448
[Vendor advisory]https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8
[Vendor advisory]https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8

Related CVEs

Same vendor

CVE-2026-49443 — authentik is an open-source identity provider (8.8 HIGH)
CVE-2026-47201 — authentik is an open-source identity provider (8.5 HIGH)
CVE-2026-42849 — authentik is an open-source identity provider (9.3 CRITICAL)
CVE-2026-41569 — authentik is an open-source identity provider (6.1 MEDIUM)
CVE-2026-41577 — authentik is an open-source identity provider (7.5 HIGH)

Same CWE

CVE-2026-47166 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.7 MEDIUM)
CVE-2026-46705 — Russh is a Rust SSH client & server library (5.3 MEDIUM)
CVE-2022-48575 — A person with access to a Mac may be able to bypass Login Window (3.5 LOW)
CVE-2026-45567 — Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (8.3 HIGH)
CVE-2026-47838 — SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wr... (6.8 MEDIUM)