CVE-2026-25922
Status: Undergoing Analysis - In Progress
SAML Assertion Injection in authentik Identity Provider

Publication date: 2026-02-12

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
Meta Information
Published: 2026-02-12
Last Modified: 2026-02-18
Generated: 2026-05-27
AI Q&A: 2026-02-12
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (3 associated CPEs)
Vendor       Product     Version / Range
goauthentik  authentik   < 2025.8.6
goauthentik  authentik   >= 2025.10.0 and < 2025.10.4
goauthentik  authentik   >= 2025.12.0 and < 2025.12.4
CWE ID   Description
CWE-347  The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-287  When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for malicious SAML assertions injected before the legitimate signed assertion in the authentik SAML Source configuration.

One suggested method to help detect exploitation attempts is to add a property mapping expression to detect duplicate assertions, for example, using an expression like assertions = root.

Specific commands are not provided in the available resources.


Can you explain this vulnerability to me?

CVE-2026-25922 is a high-severity vulnerability in the authentik open-source identity provider. It occurs when using a SAML Source configured with the "Verify Assertion Signature" option enabled but without enabling "Verify Response Signature", or when the Encryption Certificate is not set under Advanced Protocol settings.

Under these conditions, an attacker can inject a malicious SAML assertion before the legitimate signed assertion. authentik would then accept and use this malicious assertion instead of the legitimate one.

This flaw allows an attacker to authenticate as any existing user depending on the source configuration, due to improper authentication and improper verification of cryptographic signatures. [1]


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized access to user accounts by attackers who inject malicious assertions.

Because the attacker can authenticate as any existing user, this compromises confidentiality, integrity, and availability of the system.

  • Confidentiality impact: attacker can access sensitive user data.
  • Integrity impact: attacker can perform actions as legitimate users.
  • Availability impact: attacker could disrupt services or user access.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade authentik to one of the patched versions: 2025.8.6, 2025.10.4, or 2025.12.4.

If upgrading is not immediately possible, you can mitigate the vulnerability by configuring the SAML Source to enable the "Verify Response Signature" option or by setting the Encryption Certificate under Advanced Protocol settings.

Additionally, adding a property mapping expression to detect duplicate assertions (e.g., assertions = root) can help reduce the risk of exploitation. [1]
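As an added example (not from this page, the advisory, or the authentik project), the following stand-alone Python precheck captures the duplicate-assertion detection idea mentioned in the detection and mitigation answers above: it rejects a samlp:Response that carries more than one Assertion and confirms that the single Assertion's enveloped ds:Signature references that Assertion's own ID. The function name, the sample responses and the placeholder signature value are constructed; the check is structural only and is no substitute for cryptographic signature verification.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def check_single_signed_assertion(response_xml: str) -> tuple:
    """Structural precheck run before any Assertion is consumed.

    Returns (ok, reason). Rejects the pattern described in CVE-2026-25922:
    an extra, unsigned Assertion placed ahead of the signed one, so that a
    consumer that takes the first Assertion uses the wrong one. This does
    NOT verify the XML signature itself; it only requires exactly one
    Assertion whose enveloped ds:Signature points at that same Assertion.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "root element is not samlp:Response"
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        return False, f"expected exactly one Assertion, found {len(assertions)}"
    assertion = assertions[0]
    sig = assertion.find(f"{{{DS}}}Signature")
    if sig is None:
        return False, "assertion carries no enveloped ds:Signature"
    ref = sig.find(f"./{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        return False, "ds:Reference URI does not point at this assertion's ID"
    return True, "single assertion with enveloped signature referencing its ID"


# Constructed sample: one signed Assertion (signature value is a placeholder).
CLEAN_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of the vulnerable pattern: an unsigned Assertion precedes
# the signed one, so a consumer taking the first Assertion would use it.
INJECTED_RESPONSE = CLEAN_RESPONSE.replace(
    '<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_x"><saml:Subject><saml:NameID>other</saml:NameID>'
    '</saml:Subject></saml:Assertion>\n  <saml:Assertion ID="_a1">', 1)
```

The check is meant as an early reject on the raw Response; the signature itself must still be verified by the SAML library, and enabling "Verify Response Signature" or an Encryption Certificate as described above remains the configuration-level fix.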

