CVE-2026-49443
Analyzed Analyzed - Analysis Complete
Authentication Bypass in Authentik Identity Provider

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-04
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-21
NVD
CVE-2026-49443
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
goauthentik authentik to 2025.12.6 (exc)
goauthentik authentik From 2026.2.0 (inc) to 2026.2.4 (exc)
goauthentik authentik From 2026.5.0 (inc) to 2026.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves unauthorized modification of the fields `UserSourceConnection.user` and `GroupSourceConnection.group` through the authentik API. Detection would involve monitoring API requests for unexpected changes to these fields.

To detect exploitation attempts, you can audit authentik API logs for PATCH or PUT requests that modify source connections, especially changes to user or group fields.

Since the vulnerability requires low privileges but allows privilege escalation, monitoring for unusual source connection modifications by non-admin users is critical.

Specific commands depend on your logging and monitoring setup, but examples include:

  • Using grep or similar tools to search authentik API logs for modifications to `UserSourceConnection.user` or `GroupSourceConnection.group` fields.
  • Example command to search logs: `grep -iE 'UserSourceConnection.user|GroupSourceConnection.group' /var/log/authentik/api.log`
  • If using a SIEM or log management system, create alerts for API calls that modify source connections or user/group mappings.

Additionally, verify the authentik version in use. Versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 are vulnerable. Running the command to check the installed version can help identify if the system is at risk.

  • Example command to check version: `authentik --version` or check the version in your deployment manifests or package manager.
Compliance Impact

This vulnerability allows an attacker with certain privileges to log into any account by changing a source connection, which can lead to unauthorized access to sensitive personal or protected health information.

Such unauthorized access could result in violations of compliance requirements under standards like GDPR and HIPAA, which mandate strict controls on access to personal and health data to ensure confidentiality and integrity.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing sensitive data to unauthorized parties.

Executive Summary

This vulnerability affects authentik, an open-source identity provider. Before certain fixed versions, an attacker who can modify a source connection and has an account in one of the configured sources could exploit this to log into any account.

Impact Analysis

The vulnerability allows an attacker with limited privileges to escalate access and log into any user account. This can lead to unauthorized access to sensitive information, full compromise of user accounts, and potentially complete control over the affected system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade authentik to one of the patched versions: 2025.12.6, 2026.2.4, or 2026.5.1.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49443. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart