BIT-authentik-2026-49448

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/authentik/BIT-authentik-2026-49448.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-authentik-2026-49448

Aliases

CVE-2026-49448

Published

2026-06-05T05:38:29.670Z

Modified

2026-06-05T07:45:25.054146740Z

Summary

authentik: SourceStage bypass via empty POST

Details

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

Database specific

{
    "severity": "Critical",
    "cpes": [
        "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*"
    ]
}

References

Affected packages

Bitnami / authentik

Package

Name: authentik
Purl: pkg:bitnami/authentik

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2025.12.6

Introduced

2026.0.0

Fixed

2026.2.4

Introduced

2026.3.0

Fixed

2026.5.1

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/authentik/BIT-authentik-2026-49448.json"