CVE-2026-25922

8.8 HIGH

📋 TL;DR

This vulnerability in authentik allows attackers to bypass SAML authentication by placing an attacker-crafted assertion ahead of the legitimately signed one in a SAML response. It affects authentik instances whose SAML Source configuration leaves signature verification incomplete. Systems running affected versions are exposed to authentication bypass.

💻 Affected Systems

Products:
  • authentik
Versions: All versions prior to 2025.8.6, 2025.10.4, and 2025.12.4
Operating Systems: All platforms running authentik
Default Config Vulnerable: ✅ No
Notes: Only affects SAML Sources with 'Verify Assertion Signature' enabled but 'Verify Response Signature' disabled, or without Encryption Certificate configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete authentication bypass allowing unauthorized access to protected resources, potentially leading to data breaches or privilege escalation.

🟠 Likely Case

Authentication bypass enabling unauthorized access to applications relying on authentik for SAML authentication.

🟢 If Mitigated

No impact if proper signature verification is enforced or patches are applied.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires understanding of SAML protocol and ability to intercept/modify SAML assertions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.8.6, 2025.10.4, or 2025.12.4

Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-jh35-c4cc-wjm4

Restart Required: Yes

Instructions:

1. Backup your authentik configuration and database.
2. Update authentik to version 2025.8.6, 2025.10.4, or 2025.12.4 using your deployment method (Docker, Kubernetes, etc.).
3. Restart authentik services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Enable full SAML signature verification

all

Configure SAML Sources to verify both assertion and response signatures, and ensure Encryption Certificate is properly configured.

🧯 If You Can't Patch

  • Configure SAML Sources to verify both assertion and response signatures
  • Ensure Encryption Certificate is properly configured in Advanced Protocol settings

🔍 How to Verify

Check if Vulnerable:

Check the authentik version and the SAML Source configuration. If the version is below the fixed release for its branch (2025.8.6, 2025.10.4, or 2025.12.4) and any SAML Source has incomplete signature verification, the system is vulnerable.

Check Version:

Check authentik admin interface or run: docker exec authentik authentik version (if using Docker)

Verify Fix Applied:

Verify that the authentik version is 2025.8.6, 2025.10.4, or 2025.12.4 (or a later release in the same branch), and test SAML authentication.

📡 Detection & Monitoring

Log Indicators:

  • Multiple SAML assertions in single response
  • Unexpected authentication successes
  • SAML signature validation errors

Network Indicators:

  • Unusual SAML response patterns
  • Multiple assertion elements in SAML responses

SIEM Query:

source="authentik" AND ("SAML" OR "assertion") AND ("error" OR "validation" OR "multiple")
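The two checks described above, the version test under "Check Version" and the "multiple assertion elements in SAML responses" indicator under Detection & Monitoring, as an added example in script form. This is not code from the advisory or from the authentik project. The fixed releases come from this page; how a branch the advisory does not name (for example 2025.9.x) is treated is my assumption, and the two SAML responses at the bottom are constructed inputs. The structural check only counts Assertion elements and looks for where Signature elements sit; it does not verify any signature.

```python
"""Added example: version check against the fixed releases on this page, plus a
structural check for the 'multiple assertions' indicator in a SAML Response."""
import re
import xml.etree.ElementTree as ET

# Fixed release per branch, taken from the advisory above.
FIXED = {(2025, 8): 6, (2025, 10): 4, (2025, 12): 4}

# Standard SAML 2.0 and XML-DSig namespaces.
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def is_vulnerable_version(version: str) -> bool:
    """True when an authentik version string is below the fixed release of its
    branch. Branches older than 2025.8 are always vulnerable. A branch between
    the fixed ones that the advisory does not name is treated as vulnerable
    (assumption, erring on the safe side); anything newer than 2025.12 as fixed."""
    m = re.fullmatch(r"(\d{4})\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    year, minor, patch = (int(g) for g in m.groups())
    branch = (year, minor)
    if branch in FIXED:
        return patch < FIXED[branch]
    if branch < (2025, 8):
        return True
    return branch < (2025, 12)


def inspect_saml_response(xml_text: str) -> dict:
    """Count saml:Assertion elements in a samlp:Response and record which of
    them carry a direct ds:Signature child, and whether the Response itself does.
    A response is flagged suspicious when it holds more than one assertion, or
    when an unsigned assertion sits alongside a signed one. Production code
    should parse untrusted XML with defusedxml instead of the stdlib parser."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response document")
    sig_tag = f"{{{DS_NS}}}Signature"
    response_signed = any(child.tag == sig_tag for child in root)
    assertions = list(root.iter(f"{{{SAML_NS}}}Assertion"))
    signed = [i for i, a in enumerate(assertions)
              if any(child.tag == sig_tag for child in a)]
    reasons = []
    if len(assertions) != 1:
        reasons.append(f"expected exactly one Assertion, found {len(assertions)}")
    if 0 < len(signed) < len(assertions):
        reasons.append("unsigned Assertion present alongside a signed one")
    return {
        "assertion_count": len(assertions),
        "signed_assertions": signed,       # indexes, in document order
        "response_signed": response_signed,  # compare with 'Verify Response Signature'
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample: a normal response with a single signed assertion.
SAMPLE_OK = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    xmlns:ds="{DS_NS}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample matching the indicator on this page: two assertions in
# one response, with only the second carrying a signature.
SAMPLE_MULTI = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    xmlns:ds="{DS_NS}" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>someone-else</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_a2" Version="2.0">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for v in ("2025.6.1", "2025.10.3", "2025.10.4", "2026.2.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for name, doc in (("ok", SAMPLE_OK), ("multi", SAMPLE_MULTI)):
        print(name, inspect_saml_response(doc))
```

Run the structural check over SAML responses captured at the authentik side (or from proxy logs that retain the POST body); a hit on `suspicious` is the log condition the SIEM query above is looking for, and `response_signed` being false on an IdP you expected to sign responses points at the weak 'Verify Response Signature' configuration named in the Notes.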

🔗 References
