CVE-2026-40165
Deferred Deferred - Pending Action
Authentication Bypass via SAML NameID XML Comment Injection in authentik

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: GitHub, Inc.

Description
authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-09
NVD
CVE-2026-40165
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
goauthentik authentik to 2025.12.5 (exc)
goauthentik authentik From 2026.2.0-rc1 (inc) to 2026.2.3 (exc)
goauthentik authentik to 2026.2.3 (exc)
goauthentik authentik 2025.12.5
goauthentik authentik 2026.2.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow an attacker to bypass authentication controls by manipulating the SAML NameID value.

As a result, an attacker could gain unauthorized access to other user accounts within the authentik system.

This compromises the confidentiality and integrity of user accounts and sensitive information.

The CVSS score of 8.7 (High) reflects the significant risk posed by this vulnerability.

Mitigation Strategies

To mitigate the CVE-2026-40165 vulnerability, you should upgrade authentik to a fixed version where the issue is resolved.

  • Upgrade to authentik version 2025.12.5 or later.
  • Alternatively, upgrade to authentik version 2026.2.3 or later.

If upgrading immediately is not possible, apply any available workarounds provided by the authentik project to prevent exploitation.

Executive Summary

CVE-2026-40165 is a security vulnerability in the authentik identity provider involving improper handling of SAML assertions.

The issue arises because authentik extracts the NameID value from a SAML assertion in a way that allows an attacker to inject an XML comment inside the NameID.

This injection truncates the NameID value to only the part before the comment, which can trick authentik into misidentifying the user.

If an attacker has an account on the SAML Source and can modify their NameID value, and XML Signing is enabled, they can exploit this to gain unauthorized access to other user accounts.

The vulnerability affects authentik versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2, and has been fixed in versions 2025.12.5 and 2026.2.3.

Compliance Impact

The vulnerability CVE-2026-40165 allows an attacker to bypass authentication and gain unauthorized access to other user accounts by exploiting a flaw in how authentik processes SAML NameID values. This unauthorized access can lead to exposure or compromise of sensitive personal data.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect confidentiality and integrity.

Therefore, if an authentik instance is vulnerable and exploited, it could result in violations of these regulations due to improper access controls and potential data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40165. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart