CVE-2026-49448

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1...

CVE-2026-49443

This CVE affects authentik, an open-source identity provider. Affected: UserSourceConnection.user and GroupSourceConnection.group are changeable via the API, allowing an attacker who can modify a source connection and possesses an account in one configured source to log into any account. Root cau...

CVE-2026-47201 authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user

authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed...

PT-2026-45029

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2025.12.5 authentik versions prior to 2026.2.3 authentik versions prior to 2026.5.1 Description The SAML Source ACS endpoint is susceptible to XML Signature Wrapping, a technique where a valid signature is used to...

authentik 安全漏洞

Authentik is an open-source identity provisioning application developed by Authentik. Versions of Authentik prior to 2025.12.5, as well as versions from 2026.2.0-rc1 to 2026.2.2, contained security vulnerabilities. These vulnerabilities stemmed from the fact that the API response for GET...

CVE-2026-40165

authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an...

authentik 安全漏洞

Authentik is an open-source identity provisioning application developed by Authentik. Versions of Authentik prior to 2025.12.4, as well as versions from 2026.2.0-rc1 to 2026.2.2, contain security vulnerabilities. These vulnerabilities stem from XML injection in SAML NameID fields, which could all...

BIT-AUTHENTIK-2024-47070 authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header

authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. a. This results in a possibility of logging into any account with a known logi...

CVE-2026-25748

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious...

CVE-2026-25227

authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server contain...

authentik 安全漏洞

authentik is an open source identity provisioning application from authentik Open Source. A security vulnerability exists in authentik versions prior to 2025.8.5 and prior to 2025.10.2, which stems from a service account that can still be authenticated after deactivation, potentially leading to...

EUVD-2022-28570

Malicious code in bioql PyPI...

EUVD-2023-30289

Malicious code in bioql PyPI...

EUVD-2024-42259

Malicious code in bioql PyPI...

authentik 安全漏洞

authentik is an open source identity provisioning application from authentik Open Source. A security vulnerability exists in authentik versions 2025.4.4 and earlier and 2025.6.0-rc1 through 2025.6.3, which stems from insufficient validation of OAuth/SAML account status, and may result in some...

CVE-2025-52553

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, howev...

CVE-2025-52553 authentik has Insufficient Session verification for Remote Access Control endpoint access

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, howev...

CVE-2024-47070

authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. a. This results in a possibility of logging into any account with a known logi...

CVE-2022-46145

authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified...

CVE-2024-11623 Stored XSS in authentik

Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in 2024.10.4 release...