CVE-2026-41569
Analyzed Analyzed - Analysis Complete
WS-Federation wreply Parameter Origin Validation Bypass in Authentik

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com.evil.tld/), causing the victim's browser to POST the signed WS-Federation login response to attacker-controlled infrastructure. This issue has been patched in version 2026.2.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-04
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-21
NVD
CVE-2026-41569
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
goauthentik authentik to 2026.2.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in authentik, an open-source identity provider, specifically in its WS-Federation provider before version 2026.2.3. The issue is that the provider validates the user-supplied wreply parameter using a raw string prefix check instead of proper URL parsing.

An attacker can craft a login link with a wreply value that appears to be from a trusted origin but is actually from a malicious domain (for example, https://portal.example.com.evil.tld/). Because of the flawed validation, the victim's browser will send the signed WS-Federation login response to the attacker's infrastructure.

This can lead to the attacker receiving sensitive authentication tokens or information. The vulnerability was fixed in version 2026.2.3.

Impact Analysis

This vulnerability can allow an attacker to intercept authentication responses by tricking a user into clicking a specially crafted login link.

As a result, the attacker could potentially capture signed WS-Federation login responses, which may include sensitive authentication tokens or credentials.

This could lead to unauthorized access to user accounts or systems that rely on authentik for identity management.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade authentik to version 2026.2.3 or later, where the issue has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41569. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart