By vendor

Goauthentik vulnerabilities

Known CVEs affecting Goauthentik products, prioritized by severity, with SEC.co remediation and detection guidance.

2 published vulnerabilities

  • CVE-2026-41577HIGH 7.5

    Authentik, an open-source identity provider, contains a flaw in how it processes SAML authentication assertions. The software fails to validate time-based and audience restrictions on these assertions, meaning an attacker could replay old, expired authentication tokens or use tokens intended for a different service. This could allow unauthorized access to systems relying on authentik for authentication.

  • CVE-2026-41569MEDIUM 6.1

    authentik, an open-source identity provider, contains a URL validation flaw in its WS-Federation provider that allows attackers to redirect users' login credentials to attacker-controlled domains. The vulnerability stems from incomplete validation of the wreply parameter—a redirect URL used after authentication. An attacker can craft a malicious login link where the wreply parameter points to a lookalike domain (for example, https://portal.example.com.evil.tld/) that bypasses the validation check, tricking users into sending their signed authentication response to the attacker instead of the legitimate application. This affects authentik versions prior to 2026.2.3.