CVE-2026-25227
Undergoing Analysis Undergoing Analysis - In Progress
Remote Code Execution via Delegated Permissions in authentik Server

Publication date: 2026-02-12

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25227
EUVD
EUVD-2026-6707
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
goauthentik authentik From 2025.10.0 (inc) to 2025.10.4 (exc)
goauthentik authentik From 2025.12.0 (inc) to 2025.12.4 (exc)
goauthentik authentik From 2021.3.1 (inc) to 2025.8.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25227 is a critical authenticated remote code execution vulnerability in the authentik identity provider. It affects versions from 2021.3.1 up to but not including 2025.8.6, 2025.10.4, and 2025.12.4. The vulnerability exists in the Policy/Property Mapping test endpoint, which is intended to preview how property mappings or expression policies work.'}, {'type': 'paragraph', 'content': 'Users with delegated permissions that include either "Can view * Property Mapping" or "Can view Expression Policy" can exploit this endpoint to execute arbitrary Python code within the authentik server container. This happens because the endpoint improperly handles and sanitizes expressions, allowing malicious input to be executed.'}, {'type': 'paragraph', 'content': 'Exploiting this vulnerability grants attackers access to the entire authentik database and environment variables, enabling privilege escalation and full instance takeover.'}] [1, 3]

Impact Analysis

This vulnerability allows an authenticated user with certain delegated view permissions to execute arbitrary code on the authentik server. The impact includes:

  • Execution of arbitrary Python code within the server container.
  • Access to the entire authentik database and all environment variables.
  • Privilege escalation leading to full compromise of the authentik instance.
  • Potential loss of confidentiality, integrity, and availability of the authentik service.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying users who have the delegated permissions "Can view * Property Mapping" or "Can view Expression Policy" and checking if they are able to access the test endpoint that previews property mappings or policies.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves execution of arbitrary code through the test endpoint, monitoring or logging requests to this endpoint for suspicious or unexpected input patterns could help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'No specific detection commands are provided in the available resources.'}] [1, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade authentik to a fixed version: 2025.8.6, 2025.10.4, or 2025.12.4, where the vulnerability has been addressed.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately feasible, revoke the delegated permissions "Can view * Property Mapping" and "Can view Expression Policy" from any users who do not require administrative privileges. These view permissions should be treated with the same caution as edit permissions.'}] [1, 3, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25227. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart