CVE-2026-25227
Remote Code Execution via Delegated Permissions in authentik Server
Publication date: 2026-02-12
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goauthentik | authentik | From 2025.10.0 (inc) to 2025.10.4 (exc) |
| goauthentik | authentik | From 2025.12.0 (inc) to 2025.12.4 (exc) |
| goauthentik | authentik | From 2021.3.1 (inc) to 2025.8.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25227 is a critical authenticated remote code execution vulnerability in the authentik identity provider. It affects versions from 2021.3.1 up to but not including 2025.8.6, 2025.10.4, and 2025.12.4. The vulnerability exists in the Policy/Property Mapping test endpoint, which is intended to preview how property mappings or expression policies work.

Users with delegated permissions that include either "Can view * Property Mapping" or "Can view Expression Policy" can exploit this endpoint to execute arbitrary Python code within the authentik server container. This happens because the endpoint improperly handles and sanitizes expressions, allowing malicious input to be executed.

Exploiting this vulnerability grants attackers access to the entire authentik database and environment variables, enabling privilege escalation and full instance takeover. [1, 3]
How can this vulnerability impact me?
This vulnerability allows an authenticated user with certain delegated view permissions to execute arbitrary code on the authentik server. The impact includes:
- Execution of arbitrary Python code within the server container.
- Access to the entire authentik database and all environment variables.
- Privilege escalation leading to full compromise of the authentik instance.
- Potential loss of confidentiality, integrity, and availability of the authentik service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying users who have the delegated permissions "Can view * Property Mapping" or "Can view Expression Policy" and checking if they are able to access the test endpoint that previews property mappings or policies.

Since the vulnerability involves execution of arbitrary code through the test endpoint, monitoring or logging requests to this endpoint for suspicious or unexpected input patterns could help detect exploitation attempts.

No specific detection commands are provided in the available resources. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade authentik to a fixed version: 2025.8.6, 2025.10.4, or 2025.12.4, where the vulnerability has been addressed.

If upgrading is not immediately feasible, revoke the delegated permissions "Can view * Property Mapping" and "Can view Expression Policy" from any users who do not require administrative privileges. These view permissions should be treated with the same caution as edit permissions. [1, 3, 2]
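Added example, not part of the CVE record or the authentik project: a small Python helper that checks a reported authentik version against the three affected ranges in the table above and names the fixed release to move to, and that filters a user-to-permission listing (exported from the admin interface, in whatever way an operator gathers it) down to holders of the two delegated permissions the answers name. The permission-name pattern and the version-string shape are assumptions based on the record's wording.

```python
from __future__ import annotations
import re

# Affected ranges from the CVE record, as [lower inclusive, upper exclusive).
# Each exclusive upper bound is the fixed release for that series.
AFFECTED_RANGES = [
    ("2021.3.1", "2025.8.6"),
    ("2025.10.0", "2025.10.4"),
    ("2025.12.0", "2025.12.4"),
]

# Assumed release-string shape: YYYY.M.patch, optional "v" prefix, optional
# pre-release tag such as "-rc1"; a pre-release orders below its final release.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[-+.]?(rc|beta|alpha|dev)\w*)?$", re.I)

def parse_version(version: str) -> tuple[tuple[int, ...], int]:
    """Convert a version string into a tuple that compares in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised authentik version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # treat "2025.8" as "2025.8.0"
    return nums, 1 if m.group(2) is None else 0

def fixed_release_for(version: str) -> str | None:
    """Return the release to upgrade to if `version` lies in an affected range,
    or None when it is already outside every range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return high
    return None

def is_affected(version: str) -> bool:
    return fixed_release_for(version) is not None

# The two delegated permissions the record names; its "*" stands for any
# property mapping type, so the whole family is matched (assumed naming).
_RISKY_PERMISSION = re.compile(r"^Can view ((?:.+ )?Property Mapping|Expression Policy)$")

def users_to_review(assignments: dict[str, list[str]]) -> dict[str, list[str]]:
    """Given user -> permission names, keep only users holding a permission
    that reaches the vulnerable test endpoint, with just those permissions."""
    return {
        user: sorted(p for p in perms if _RISKY_PERMISSION.match(p))
        for user, perms in assignments.items()
        if any(_RISKY_PERMISSION.match(p) for p in perms)
    }
```

Users flagged by `users_to_review` are the ones whose delegated view permissions the record says to revoke until the instance runs a fixed release.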