CVE-2026-41577
SAML Assertion Replay in Authentik
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goauthentik | authentik | to 2025.12.5 (exc) |
| goauthentik | authentik | to 2026.2.3 (exc) |
| goauthentik | authentik | to 2025.2.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in authentik's SAML source response processor occurs because it does not validate the Conditions element on assertions. Specifically, it ignores the NotBefore, NotOnOrAfter, and AudienceRestriction checks.
As a result, attackers can replay expired assertions or use assertions that were intended for other service providers, potentially bypassing intended security restrictions.
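The following is an added example, not authentik's own code, of the Conditions check the description says was missing: it parses the Conditions element of a SAML 2.0 assertion and rejects assertions outside their NotBefore/NotOnOrAfter window or not addressed to the expected Audience. The sample assertion, the audience URL and the small clock-skew allowance are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_saml_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2026-06-02T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_conditions(assertion_xml, expected_audience, now=None, clock_skew_s=60):
    """Return (ok, reason). Constructed check modelled on what a SAML SP must do
    before trusting an assertion; it is not authentik's implementation."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    now = now or datetime.now(timezone.utc)
    skew = timedelta(seconds=clock_skew_s)
    root = ET.fromstring(assertion_xml)
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions element"
    # Validity window: reject replays of expired assertions and not-yet-valid ones.
    nb = cond.get("NotBefore")
    if nb and now + skew < parse_saml_time(nb):
        return False, "assertion not yet valid (NotBefore)"
    noa = cond.get("NotOnOrAfter")
    if noa and now - skew >= parse_saml_time(noa):
        return False, "assertion expired (NotOnOrAfter)"
    # Audience: reject assertions issued for a different service provider.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if not audiences:
        return False, "missing AudienceRestriction"  # policy choice: require it
    if expected_audience not in audiences:
        return False, "assertion addressed to a different audience"
    return True, "ok"


# Constructed sample assertion (signature omitted; signature checks are a separate step).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2026-06-02T12:00:00Z" NotOnOrAfter="2026-06-02T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

Signature verification and InResponseTo checking still apply on top of this; the Conditions check only closes the replay and cross-audience gap described above.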
How can this vulnerability impact me?
This vulnerability can allow attackers to reuse expired SAML assertions or use assertions meant for different service providers, which can lead to unauthorized access.
Such unauthorized access could compromise the security of your identity provider system, potentially allowing attackers to impersonate users or gain access to protected resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-41577 vulnerability, you should upgrade authentik to version 2025.12.5 or later, or 2026.2.3 or later, where the issue has been patched.
If upgrading immediately is not possible, apply any available workarounds to reduce the risk of replay attacks and acceptance of assertions intended for other service providers.