CVE-2026-25227
📋 TL;DR
This vulnerability in authentik allows authenticated users with specific delegated permissions to execute arbitrary code on the authentik server container via the test endpoint. It affects authentik deployments running versions from 2021.3.1 up to (but not including) 2025.8.6, 2025.10.4, and 2025.12.4. Users with 'Can view * Property Mapping' or 'Can view Expression Policy' permissions are at risk.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the authentik server container leading to complete control over the identity provider, credential theft, lateral movement to connected systems, and potential persistence in the environment.
Likely Case
Authenticated attackers with delegated permissions gain remote code execution, allowing them to steal sensitive authentication data, modify user permissions, or disrupt identity services.
If Mitigated
With proper access controls limiting delegated permissions and network segmentation, impact is reduced to potential service disruption rather than full compromise.
🎯 Exploit Status
Exploitation requires authenticated access with specific delegated permissions. The test endpoint is intended for preview functionality but allows code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.8.6, 2025.10.4, or 2025.12.4
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f
Restart Required: Yes
Instructions:
1. Back up your authentik configuration and database.
2. Update authentik to version 2025.8.6, 2025.10.4, or 2025.12.4 using your deployment method (Docker, Kubernetes, etc.).
3. Restart the authentik services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable test endpoint access
- Restrict access to the test endpoints for property mappings and expression policies
- Modify the authentik configuration to remove or restrict the '/api/v3/property-mappings/test/' and '/api/v3/policies/expression/test/' endpoints
Review and restrict delegated permissions
- Audit and remove the 'Can view * Property Mapping' and 'Can view Expression Policy' permissions from users who don't absolutely need them
- Use the authentik admin interface to review user permissions and remove unnecessary delegated permissions
🧯 If You Can't Patch
- Immediately review and restrict all delegated permissions, especially 'Can view * Property Mapping' and 'Can view Expression Policy'
- Implement network segmentation to isolate authentik servers from critical systems and monitor for suspicious test endpoint activity
🔍 How to Verify
Check if Vulnerable:
Check your authentik version and verify whether any users hold the 'Can view * Property Mapping' or 'Can view Expression Policy' delegated permissions
Check Version:
Run docker exec authentik authentik version (for Docker deployments), or check the version information in the admin interface
Verify Fix Applied:
Confirm the authentik version is 2025.8.6, 2025.10.4, 2025.12.4, or a later release, and test that the test endpoints no longer allow code execution
📡 Detection & Monitoring
Log Indicators:
- Unusual test endpoint usage patterns
- Multiple failed or successful test endpoint requests from single users
- Unexpected process execution in authentik container logs
Network Indicators:
- Unusual outbound connections from authentik server
- Traffic to test endpoints with suspicious payloads
SIEM Query:
source="authentik" AND (uri_path="/api/v3/property-mappings/test/" OR uri_path="/api/v3/policies/expression/test/") AND status=200
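The log indicators above, implemented as a small detection pass over constructed sample log lines. This is an added example, not code from the advisory or from authentik; the JSON-per-line shape and the field names (user, path, status) are assumptions, so map them to whatever your authentik or reverse-proxy logs actually emit.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# The two test endpoints named in the advisory.
TEST_ENDPOINTS = {
    "/api/v3/property-mappings/test/",
    "/api/v3/policies/expression/test/",
}

# Constructed sample lines in an assumed JSON-per-line format (not real authentik
# output); includes a query string, a non-200 response and a malformed line.
SAMPLE_LOGS = """
{"user": "alice", "method": "POST", "path": "/api/v3/property-mappings/test/", "status": 200}
{"user": "alice", "method": "POST", "path": "/api/v3/property-mappings/test/", "status": 200}
{"user": "alice", "method": "POST", "path": "/api/v3/policies/expression/test/?x=1", "status": 200}
{"user": "bob", "method": "GET", "path": "/api/v3/core/users/", "status": 200}
{"user": "carol", "method": "POST", "path": "/api/v3/policies/expression/test/", "status": 403}
this line is not JSON and must be skipped, not crash the pass
""".strip().splitlines()


def parse_line(line):
    """Parse one log line; return None for anything that is not a JSON object."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def find_test_endpoint_hits(lines, threshold=3):
    """Count successful (HTTP 200) calls to the test endpoints per user.

    Returns {user: {"hits": int, "paths": [..], "flagged": bool}}; a user is
    flagged once they reach `threshold` hits, mirroring the "multiple test
    endpoint requests from a single user" indicator. Query strings are stripped
    so '/test/?x=1' still matches the bare endpoint path.
    """
    per_user = defaultdict(lambda: {"hits": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(str(rec.get("path", ""))).path
        if path in TEST_ENDPOINTS and int(rec.get("status") or 0) == 200:
            entry = per_user[str(rec.get("user", "<unknown>"))]
            entry["hits"] += 1
            entry["paths"].add(path)
    return {
        user: {"hits": e["hits"], "paths": sorted(e["paths"]), "flagged": e["hits"] >= threshold}
        for user, e in per_user.items()
    }


if __name__ == "__main__":
    for user, info in find_test_endpoint_hits(SAMPLE_LOGS).items():
        print(f"{user}: {info['hits']} hit(s) on {info['paths']} flagged={info['flagged']}")
```

Failed (non-200) calls are deliberately excluded to match the SIEM query; lower the threshold or count 4xx responses separately if you want to see permission-denied probing as well.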
🔗 References
- https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80
- https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4
- https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4
- https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6
- https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f