CVE-2026-41569: authentik WS-Federation URL Validation Bypass Leading to Credential Theft
authentik, an open-source identity provider, contains a URL validation flaw in its WS-Federation provider that allows attackers to redirect users' login credentials to attacker-controlled domains. The vulnerability stems from incomplete validation of the wreply parameter—a redirect URL used after authentication. An attacker can craft a malicious login link where the wreply parameter points to a lookalike domain (for example, https://portal.example.com.evil.tld/) that bypasses the validation check, tricking users into sending their signed authentication response to the attacker instead of the legitimate application. This affects authentik versions prior to 2026.2.3.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-601
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com.evil.tld/), causing the victim's browser to POST the signed WS-Federation login response to attacker-controlled infrastructure. This issue has been patched in version 2026.2.3.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The WS-Federation provider in authentik performs URL validation on the wreply parameter using a simple string prefix check rather than proper URL parsing and comparison. This allows an attacker to supply a wreply value on a different origin that passes the validation (e.g., by prepending the legitimate domain as a substring within a malicious URL). When a victim authenticates, their browser receives a POST request containing a signed WS-Federation token, which is then directed to the attacker's infrastructure instead of the intended destination. This is a classic open redirect vulnerability at the authentication layer, enabling credential theft and session hijacking. The vulnerability is classified under CWE-601 (URL Redirection to Untrusted Site).
Business impact
This vulnerability exposes organizations using authentik to credential harvesting and session compromise. An attacker can obtain signed authentication tokens for any user who clicks a crafted login link, potentially gaining unauthorized access to downstream applications that trust the authentik token. This is particularly critical in environments where authentik serves as a centralized identity provider for multiple internal or customer-facing applications. The compromise of authentication credentials undermines the security posture of the entire identity ecosystem relying on that authentik instance.
Affected systems
The vulnerability affects authentik versions prior to 2026.2.3. Organizations running earlier versions of authentik, particularly those exposing the WS-Federation provider to untrusted users or the public internet, are at risk. The vulnerability applies to any deployment model—on-premises, cloud-hosted, or containerized—as long as the version is unpatched.
Exploitability
The vulnerability requires user interaction: a victim must click a malicious login link supplied by the attacker. However, the attack surface is broad because the attacker can send this link via email, messaging, or social engineering. No special privileges are required to craft the malicious URL, and the exploit is straightforward to construct. The CVSS vector (AV:N/AC:L/PR:N/UI:R) reflects network-based exploitation with low attack complexity but mandatory user interaction. Once the user clicks, the token capture is automatic.
Remediation
Upgrade authentik to version 2026.2.3 or later. This version includes corrected URL parsing and validation logic for the wreply parameter. Organizations should prioritize this upgrade in their patching schedule, especially for instances used in production environments or accessible from untrusted networks. Review any authentication logs for suspicious wreply values or unusual redirect destinations post-compromise.
Patch guidance
Apply the authentik security update to version 2026.2.3 or newer. Verify the upgrade with the vendor's release notes and changelog to confirm the WS-Federation validation fix is included. For containerized deployments, pull the latest patched image tag; for binary or package-based installations, follow the vendor's standard update procedures. Test in a non-production environment first to ensure no compatibility issues with dependent applications before rolling out to production.
Detection guidance
Monitor authentication logs for wreply parameters that contain domain mismatches or that point to external URLs outside your organization's known domain list. Look for authentication tokens being exchanged with unexpected origins. Network-level detection can identify outbound HTTPS POST requests from your authentik instance to unfamiliar domains immediately after authentication events. Additionally, audit firewall and proxy logs for unauthenticated HTTP(S) connections from users' browsers to attacker infrastructure around the time they received authentication responses. Review WS-Federation metadata and configuration to ensure wreply validation is functioning as expected post-patch.
Why prioritize this
Although the CVSS score is MEDIUM (6.1), the vulnerability directly compromises the authentication layer of an identity provider, making it a high-priority fix despite the user interaction requirement. Organizations should treat this as urgent because successful exploitation grants attackers signed authentication credentials that can be replayed against downstream applications. The availability of an authenticated patch and the well-understood attack pattern make remediation straightforward and should be elevated in the patch queue.
Risk score, explained
The CVSS 3.1 score of 6.1 (MEDIUM) reflects the network-accessible nature of the vulnerability (AV:N), the low complexity of exploitation (AC:L), and the lack of required privileges (PR:N). The score is moderated by the requirement for user interaction (UI:R) and the changed security scope (S:C). While the confidentiality and integrity impacts are rated as low in the vector, the real-world impact—credential compromise at the identity layer—is strategically significant and warrants prioritization above the nominal CVSS rating.
Frequently asked questions
What is WS-Federation and why does this vulnerability matter?
WS-Federation is a protocol for delegated identity and access management, commonly used in enterprise environments for single sign-on (SSO). The wreply parameter specifies where the identity provider should redirect the user after authentication. A flaw in validating this redirect allows attackers to intercept signed authentication tokens, defeating the entire purpose of a trusted identity provider.
How can I tell if my authentik instance has been exploited?
Review your authentik authentication logs for unusual wreply parameter values, particularly those containing external domains or IP addresses. Check downstream application logs for suspicious login sessions from users who may have clicked malicious links. If your instance is exposed to the internet, correlate failed or anomalous login patterns with any phishing or social engineering campaigns you may have detected.
Do I need to rotate user passwords if I'm running an unpatched version?
If you suspect your unpatched instance has been accessed by attackers, consider it compromised. While password rotation alone will not invalidate already-captured signed tokens (which are time-bound but may still be valid for a window), it is a reasonable precaution. More importantly, revoke any active sessions and tokens, monitor downstream applications for unauthorized access, and upgrade to 2026.2.3 immediately.
Is this vulnerability exploitable if I restrict WS-Federation access to internal networks only?
Network segmentation reduces the attack surface by preventing attackers from reaching your authentik instance to craft phishing links. However, if internal users can be socially engineered to click malicious links, or if attackers gain internal network access through other means, the vulnerability remains exploitable. Patching is still essential to eliminate the underlying flaw.
This analysis is provided for informational purposes based on publicly available vulnerability data and the vendor's advisory. Organizations should verify all technical details, affected version numbers, and patch availability directly with the authentik project and their own security teams. The risk assessment and prioritization guidance reflect general security best practices and should be adapted to your organization's specific environment, threat model, and risk tolerance. SEC.co assumes no liability for actions taken or not taken based on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10856MEDIUMMISP Dashboard URL Validation Bypass – Phishing Risk
- CVE-2026-10861MEDIUMMISP Open Redirect Vulnerability in Post-Login Flow
- CVE-2026-40181MEDIUMReact Router Open Redirect Vulnerability (v6 & v7)
- CVE-2026-40961HIGHApache Airflow Open Redirect Vulnerability (CVSS 7.2)
- CVE-2026-41577HIGHAuthentik SAML Assertion Validation Bypass (CWE-345)
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)