CVE-2026-47201
XML Signature Wrapping in authentik SAML Source
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goauthentik | authentik | to 2026.5.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability affects authentik's SAML Source ACS endpoint prior to versions 2025.12.5, 2026.2.3, and 2026.5.1. It is an XML Signature Wrapping issue that occurs when validating upstream SAML responses.
An attacker who has any account at the upstream Identity Provider (IdP) can exploit this vulnerability by reusing a valid signed assertion to authenticate as another federated user.
This means the attacker can impersonate other users without having their credentials.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows an attacker with limited privileges to authenticate as any other federated user.
- Unauthorized access to sensitive data or systems.
- Potential full compromise of user accounts within the federated environment.
- Loss of trust in the authentication system.
- Possible disruption of services due to unauthorized actions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade authentik to one of the patched versions: 2025.12.5, 2026.2.3, or 2026.5.1.