BIT-authentik-2026-47201

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/authentik/BIT-authentik-2026-47201.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-authentik-2026-47201

Aliases

CVE-2026-47201
GHSA-c3m2-jqmq-pvp3

Published

2026-06-05T05:38:26.040Z

Modified

2026-06-05T07:56:21.194946966Z

Summary

authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user

Details

authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1.

Database specific

{
    "cpes": [
        "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:go:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / authentik

Package

Name: authentik
Purl: pkg:bitnami/authentik

Severity

8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2026.5.1

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/authentik/BIT-authentik-2026-47201.json"