CVE-2026-41577
SAML Assertion Replay in Authentik

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.
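
The checks the description says were skipped, as an added example that is not authentik's code: a minimal validator for the SAML Conditions element that rejects assertions outside their NotBefore/NotOnOrAfter window and assertions whose AudienceRestriction does not name this service provider. The 60-second clock-skew allowance, the entity ID and the sample assertion are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance for IdP/SP clock drift
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"  # constructed entity ID

def parse_saml_time(value):
    """SAML timestamps are UTC xs:dateTime values, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable SAML timestamp: {value!r}")

def validate_conditions(assertion_xml, expected_audience, now=None):
    """Return (ok, reason). Reject assertions outside their validity window
    or whose AudienceRestriction does not list this service provider."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_before = cond.get("NotBefore")
    if not_before and now + CLOCK_SKEW < parse_saml_time(not_before):
        return False, "not yet valid"
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after and now - CLOCK_SKEW >= parse_saml_time(not_on_or_after):
        return False, "expired (replay?)"
    # Every AudienceRestriction present must name our own entity ID.
    for restriction in cond.findall("saml:AudienceRestriction", NS):
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            return False, "audience mismatch"
    return True, "ok"

# Constructed sample: a five-minute assertion addressed to SP_ENTITY_ID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1">
  <saml:Conditions NotBefore="2026-06-02T12:00:00Z" NotOnOrAfter="2026-06-02T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(validate_conditions(SAMPLE_ASSERTION, SP_ENTITY_ID, parse_saml_time("2026-06-02T12:02:00Z")))
    print(validate_conditions(SAMPLE_ASSERTION, SP_ENTITY_ID, parse_saml_time("2026-06-02T12:30:00Z")))
```

A real processor must also verify the assertion signature and enforce one-time use of the assertion ID; this block covers only the Conditions checks named in the description.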
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-04
Generated: 2026-06-23
AI Q&A: 2026-06-03
EPSS Evaluated: 2026-06-21
Affected Vendors & Products (2 associated CPEs)
Vendor        Product     Version / Range
goauthentik   authentik   up to 2025.12.5 (excluding)
goauthentik   authentik   from 2026.2.0 (including) to 2026.2.3 (excluding)
CWE
CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Compliance Impact

The vulnerability allows replay of expired SAML assertions and acceptance of assertions intended for other service providers due to lack of validation of the Conditions element. This can lead to unauthorized access or impersonation.

Such unauthorized access risks can impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Failure to properly validate authentication assertions could result in data breaches or unauthorized data processing, potentially violating these regulations.

Executive Summary

The vulnerability in authentik's SAML source response processor occurs because it does not validate the Conditions element on assertions. Specifically, it ignores the NotBefore, NotOnOrAfter, and AudienceRestriction checks.

As a result, attackers can replay expired assertions or use assertions that were intended for other service providers, potentially bypassing intended security restrictions.

Impact Analysis

This vulnerability can allow attackers to reuse expired SAML assertions or use assertions meant for different service providers, which can lead to unauthorized access.

Such unauthorized access could compromise the security of your identity provider system, potentially allowing attackers to impersonate users or gain access to protected resources.

Mitigation Strategies

To mitigate the CVE-2026-41577 vulnerability, you should upgrade authentik to version 2025.12.5 or later, or 2026.2.3 or later, where the issue has been patched.

If upgrading immediately is not possible, apply any available workarounds to reduce the risk of replay attacks and acceptance of assertions intended for other service providers.
