CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/06/05 5:38 a.m.•5 views

BIT-AUTHENTIK-2026-42849 authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE Simple Flow Executor in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issu...

9.3CVSS5.3AI score0.00318EPSS

OSV•added 2026/06/05 5:38 a.m.•5 views

BIT-AUTHENTIK-2026-41577 authentik: SAML source does not validate Conditions, timing, or audience on assertions

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor ResponseProcessor.parse does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expir...

7.5CVSS5.4AI score0.00169EPSS

NVD•added 2026/06/02 9:16 p.m.•9 views

CVE-2026-42849

9.3CVSS0.00318EPSS

NVD•added 2026/06/02 9:16 p.m.•10 views

CVE-2026-47201

8.5CVSS0.00252EPSS

CVE•added 2026/06/02 8:30 p.m.•15 views

CVE-2026-41569

CVE-2026-41569 concerns authentik, an open-source identity provider. Before 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter with a raw string prefix check instead of proper URL parsing, enabling an attacker to craft a login link with a wreply on a different origi...

Exploits0References1Affected Software1

Vulnrichment•added 2026/06/02 8:30 p.m.•8 views

CVE-2026-41569 authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to attacker-controlled endpoints

authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin...

EUVD•added 2026/06/02 8:30 p.m.•9 views

EUVD-2026-34025

Vulnrichment•added 2026/06/02 5:12 p.m.•10 views

CVE-2026-41577 authentik: SAML source does not validate Conditions, timing, or audience on assertions

6.9CVSS5.7AI score0.00169EPSS

Positive Technologies•added 2026/06/02 12:0 a.m.•10 views

PT-2026-45854

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2026.2.3 Description The WS-Federation provider in this open-source identity provider validates the user-supplied wreply parameter using a raw string prefix check instead of proper URL parsing. An attacker can craft...

CNNVD•added 2026/06/02 12:0 a.m.•4 views

Exploits0References5

authentik 输入验证错误漏洞

Authentik is an open-source identity provisioning application. Versions of Authentik prior to 2026.2.3 had a vulnerability related to input validation errors. This vulnerability stemmed from the WS-Federation provider’s use of raw string prefixes for validation instead of proper URL parsing, whic...

6.9CVSS5.3AI score0.00182EPSS

Positive Technologies•added 2026/06/02 12:0 a.m.•11 views

PT-2026-45855

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2025.12.5 authentik versions prior to 2026.2.3 Description An issue exists in the Simple Flow Executor SFE, which is a component used to manage the sequence of steps in an authentication flow. Due to the...

9.3CVSS5.6AI score0.00318EPSS

Exploits0References7

Snyk•added 2026/05/22 9:41 p.m.•6 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management in PATCH /api/v3/core/users/pk/. An attacker can gain elevated privileges by assigning arbitrary groups, including those with administrator-equivalent permissions, to users they control or have access to,...

8.1CVSS5.9AI score0.00464EPSS

CVE•added 2026/05/22 7:0 p.m.•31 views

CVE-2026-40172

The CVE-2026-40172 entry concerns authentik (open-source ID provider). A flaw in PATCH /api/v3/core/users/{pk}/ lets a caller with change_user on a target user assign arbitrary groups via UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser. This resul...

8.1CVSS5.9AI score0.00464EPSS

Cvelist•added 2026/05/22 7:0 p.m.•7 views

CVE-2026-40172 authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/pk/ API allows a caller with changeuser on a target user to assign arbitrary groups through UserSerializer, including groups with issuperuser=True, without...

8.1CVSS0.00464EPSS

CVE•added 2026/05/22 6:52 p.m.•32 views

CVE-2026-40166

authentik contains an elevation of privilege in its OAuth2 access_tokens API (GET /api/v3/oauth2/access_tokens/) where authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential providers they previously authenticated against. This exposed i...

7.1CVSS5.7AI score0.00373EPSS

NVD•added 2026/05/21 12:16 a.m.•13 views

CVE-2026-40165

authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an...

8.7CVSS0.00393EPSS