CVE-2026-25922
Undergoing Analysis Undergoing Analysis - In Progress
SAML Assertion Injection in authentik Identity Provider

Publication date: 2026-02-12

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25922
EUVD
EUVD-2026-6701
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
goauthentik authentik to 2025.8.6 (exc)
goauthentik authentik From 2025.10.0 (inc) to 2025.10.4 (exc)
goauthentik authentik From 2025.12.0 (inc) to 2025.12.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves monitoring for malicious SAML assertions injected before the legitimate signed assertion in the authentik SAML Source configuration.

One suggested method to help detect exploitation attempts is to add a property mapping expression to detect duplicate assertions, for example, using an expression like assertions = root.

Specific commands are not provided in the available resources.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25922 is a high-severity vulnerability in the authentik open-source identity provider. It occurs when using a SAML Source configured with the "Verify Assertion Signature" option enabled but without enabling "Verify Response Signature", or when the Encryption Certificate is not set under Advanced Protocol settings.'}, {'type': 'paragraph', 'content': 'Under these conditions, an attacker can inject a malicious SAML assertion before the legitimate signed assertion. authentik would then accept and use this malicious assertion instead of the legitimate one.'}, {'type': 'paragraph', 'content': 'This flaw allows an attacker to authenticate as any existing user depending on the source configuration, due to improper authentication and improper verification of cryptographic signatures.'}] [1]

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to user accounts by attackers who inject malicious assertions.

Because the attacker can authenticate as any existing user, this compromises confidentiality, integrity, and availability of the system.

  • Confidentiality impact: attacker can access sensitive user data.
  • Integrity impact: attacker can perform actions as legitimate users.
  • Availability impact: attacker could disrupt services or user access.
Compliance Impact

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade authentik to one of the patched versions: 2025.8.6, 2025.10.4, or 2025.12.4.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, you can mitigate the vulnerability by configuring the SAML Source to enable the "Verify Response Signature" option or by setting the Encryption Certificate under Advanced Protocol settings.'}, {'type': 'paragraph', 'content': 'Additionally, adding a property mapping expression to detect duplicate assertions (e.g., assertions = root) can help reduce the risk of exploitation.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25922. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart