Description
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
References (1)
https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8 (x_refsource_confirm)
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0031
EPSS Percentile: 22.3%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-287
Status: published
Products (3)
goauthentik/authentik < 2025.12.6 (2 CPE variants)
goauthentik/authentik < 2026.2.4
goauthentik/authentik < 2026.5.1
Published: Jun 02, 2026
Tracked Since: Jun 03, 2026