CVE-2026-41577
Analyzed Analyzed - Analysis Complete

SAML Assertion Replay in Authentik

Vulnerability report for CVE-2026-41577, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-02
Last Modified
2026-06-04
Generated
2026-07-13
AI Q&A
2026-06-03
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
goauthentik authentik to 2025.12.5 (exc)
goauthentik authentik From 2026.2.0 (inc) to 2026.2.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows replay of expired SAML assertions and acceptance of assertions intended for other service providers due to lack of validation of the Conditions element. This can lead to unauthorized access or impersonation.

Such unauthorized access risks can impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Failure to properly validate authentication assertions could result in data breaches or unauthorized data processing, potentially violating these regulations.

Executive Summary

The vulnerability in authentik's SAML source response processor occurs because it does not validate the Conditions element on assertions. Specifically, it ignores the NotBefore, NotOnOrAfter, and AudienceRestriction checks.

As a result, attackers can replay expired assertions or use assertions that were intended for other service providers, potentially bypassing intended security restrictions.

Impact Analysis

This vulnerability can allow attackers to reuse expired SAML assertions or use assertions meant for different service providers, which can lead to unauthorized access.

Such unauthorized access could compromise the security of your identity provider system, potentially allowing attackers to impersonate users or gain access to protected resources.

Mitigation Strategies

To mitigate the CVE-2026-41577 vulnerability, you should upgrade authentik to version 2025.12.5 or later, or 2026.2.3 or later, where the issue has been patched.

If upgrading immediately is not possible, apply any available workarounds to reduce the risk of replay attacks and acceptance of assertions intended for other service providers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41577. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart