CVE-2026-49448
Analyzed
Analyzed - Analysis Complete
Authentication Bypass in Authentik via Empty POST
Vulnerability report for CVE-2026-49448, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-02
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Description
Description
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goauthentik | authentik | to 2025.12.6 (exc) |
| goauthentik | authentik | From 2026.2.0 (inc) to 2026.2.4 (exc) |
| goauthentik | authentik | From 2026.5.0 (inc) to 2026.5.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |