CVE-2026-40165
Authentication Bypass via SAML NameID XML Comment Injection in authentik
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goauthentik | authentik | to 2025.12.5 (exc) |
| goauthentik | authentik | From 2026.2.0-rc1 (inc) to 2026.2.3 (exc) |
| goauthentik | authentik | to 2026.2.3 (exc) |
| goauthentik | authentik | 2025.12.5 |
| goauthentik | authentik | 2026.2.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-91 | The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-436 | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass authentication controls by manipulating the SAML NameID value.
As a result, an attacker could gain unauthorized access to other user accounts within the authentik system.
This compromises the confidentiality and integrity of user accounts and sensitive information.
The CVSS score of 8.7 (High) reflects the significant risk posed by this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-40165 vulnerability, you should upgrade authentik to a fixed version where the issue is resolved.
- Upgrade to authentik version 2025.12.5 or later.
- Alternatively, upgrade to authentik version 2026.2.3 or later.
If upgrading immediately is not possible, apply any available workarounds provided by the authentik project to prevent exploitation.
Can you explain this vulnerability to me?
CVE-2026-40165 is a security vulnerability in the authentik identity provider involving improper handling of SAML assertions.
The issue arises because authentik extracts the NameID value from a SAML assertion in a way that allows an attacker to inject an XML comment inside the NameID.
This injection truncates the NameID value to only the part before the comment, which can trick authentik into misidentifying the user.
If an attacker has an account on the SAML Source and can modify their NameID value, and XML Signing is enabled, they can exploit this to gain unauthorized access to other user accounts.
The vulnerability affects authentik versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2, and has been fixed in versions 2025.12.5 and 2026.2.3.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-40165 allows an attacker to bypass authentication and gain unauthorized access to other user accounts by exploiting a flaw in how authentik processes SAML NameID values. This unauthorized access can lead to exposure or compromise of sensitive personal data.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect confidentiality and integrity.
Therefore, if an authentik instance is vulnerable and exploited, it could result in violations of these regulations due to improper access controls and potential data exposure.