CVE-2026-42849
Analyzed Analyzed - Analysis Complete
Stored XSS in Authentik Identity Provider

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-04
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-21
NVD
CVE-2026-42849
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
goauthentik authentik to 2025.12.5 (exc)
goauthentik authentik From 2026.2.0 (inc) to 2026.2.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in authentik, an open-source identity provider, due to the implementation of stages in the Simple Flow Executor (SFE) designed to improve compatibility with legacy browsers. Specifically, it was possible to exploit a cross-site scripting (XSS) vulnerability in the AutosubmitStage component before versions 2025.12.5 and 2026.2.3, which have since patched the issue.

Compliance Impact

The vulnerability in authentik allows an XSS exploit in the AutosubmitStage, which can lead to high impact on confidentiality and integrity of data.

Such a vulnerability could potentially affect compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and modification.

However, specific impacts on compliance are not detailed in the provided information.

Impact Analysis

The vulnerability allows an attacker to perform a cross-site scripting (XSS) attack, which can lead to severe impacts such as complete compromise of confidentiality and integrity of data. According to the CVSS score of 9.3, this vulnerability can be exploited remotely without privileges and requires user interaction, potentially allowing attackers to execute malicious scripts in the context of the affected application, leading to data theft or manipulation.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade authentik to version 2025.12.5 or later, or version 2026.2.3 or later, where the issue has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42849. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart