CVE-2026-49448
Analyzed Analyzed - Analysis Complete
Authentication Bypass in Authentik via Empty POST

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-04
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-21
NVD
CVE-2026-49448
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
goauthentik authentik to 2025.12.6 (exc)
goauthentik authentik From 2026.2.0 (inc) to 2026.2.4 (exc)
goauthentik authentik From 2026.5.0 (inc) to 2026.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects authentik, an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, it was possible to bypass the Source stage by sending an empty POST request. This means that an attacker could circumvent a security step in the authentication process.

Compliance Impact

The vulnerability allows an attacker to bypass the authentication Source stage without presenting any credentials, effectively enabling unauthorized access.

Such unauthorized access can lead to breaches of confidentiality, integrity, and availability of sensitive data, which are critical concerns under compliance frameworks like GDPR and HIPAA.

Therefore, this vulnerability could negatively impact compliance with these standards by exposing protected personal or health information to unauthorized parties.

Detection Guidance

This vulnerability can be detected by monitoring for empty POST requests sent to the authentik authentication system's Source stage endpoint. An empty POST request that bypasses the Source stage indicates the presence of this vulnerability.

To detect such attempts on your system or network, you can use network traffic analysis tools or web server logs to identify POST requests with empty bodies targeting authentik endpoints.

Example commands to detect empty POST requests in web server logs (assuming Apache logs):

  • grep 'POST' /var/log/apache2/access.log | grep -E '"POST /.* HTTP/1.[01]" 200' | awk '{print $0}' | while read line; do echo "$line"; done
  • Use tools like tcpdump or Wireshark to capture HTTP traffic and filter for POST requests with no payload.
  • Example tcpdump command: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' to capture HTTP traffic and then manually inspect for empty POST bodies.

Additionally, reviewing authentik logs for authentication flows that advance without expected credential challenges may help identify exploitation attempts.

Impact Analysis

The vulnerability has a high severity with a CVSS score of 9.8, indicating it can have a critical impact. Since the Source stage can be bypassed without authentication or user interaction, an attacker could gain unauthorized access, leading to full compromise of confidentiality, integrity, and availability of the system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade authentik to one of the patched versions: 2025.12.6, 2026.2.4, or 2026.5.1.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49448. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart