CVE-2026-41577: Authentik SAML Assertion Validation Bypass (CWE-345)
Authentik, an open-source identity provider, contains a flaw in how it processes SAML authentication assertions. The software fails to validate time-based and audience restrictions on these assertions, meaning an attacker could replay old, expired authentication tokens or use tokens intended for a different service. This could allow unauthorized access to systems relying on authentik for authentication.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-345
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The SAML ResponseProcessor.parse() method in authentik versions prior to 2025.12.5 and 2026.2.3 does not enforce validation of the Conditions element within SAML assertions. Specifically, the NotBefore and NotOnOrAfter temporal constraints, as well as AudienceRestriction elements, are ignored during processing. This permits the acceptance of assertions beyond their validity window and assertions addressed to unintended service providers, contrary to the SAML 2.0 specification. The vulnerability is rooted in insufficient input validation during assertion processing (CWE-345: Insufficient Verification of Data Authenticity).
Business impact
Organizations deploying authentik as their identity provider face elevated risk of authentication bypass. An attacker able to obtain a valid SAML assertion—whether expired or intended for a different application—could reuse it to gain unauthorized access. The scope of impact depends on the sensitivity of protected applications and the attacker's ability to capture assertions. In environments where authentik serves multiple service providers, the risk multiplies, as assertions meant for one application could be weaponized against others.
Affected systems
Authentik versions prior to 2025.12.5 (in the 2025.12 release series) and prior to 2026.2.3 (in the 2026.2 release series) are affected. Organizations running authentik should verify their deployed version against these release tags. Versions 2025.12.5, 2026.2.3, and later are patched.
Exploitability
Exploitation requires network access to a service that accepts SAML assertions from the affected authentik instance. No user interaction or special privileges are required once an assertion is obtained. The attacker must either intercept a legitimate assertion or recover one from logs or cache. The base CVSS vector (7.5, HIGH) reflects the combination of low attack complexity and high integrity impact, though the attack does not affect confidentiality or availability directly.
Remediation
Upgrade authentik to version 2025.12.5 or later if running the 2025.12 series, or to version 2026.2.3 or later if running the 2026.2 series. Verify the patch by checking the release notes and confirming the ResponseProcessor now properly validates Conditions. No interim workarounds are documented; patching is the primary mitigation.
Patch guidance
Apply the patched versions 2025.12.5 or 2026.2.3 as appropriate to your deployment. Review your authentik deployment architecture before patching to minimize service interruption. Test the patch in a non-production environment to confirm compatibility with your connected service providers. After patching, audit your SAML assertion logs to detect any suspicious replay activity during the vulnerability window.
Detection guidance
Monitor SAML assertion logs for patterns indicative of replay attacks: repeated use of the same assertion ID, assertions being accepted after their NotOnOrAfter timestamp, or assertions with AudienceRestriction values that do not match the receiving service provider. Implement alerting on authentication failures followed by successes with identical assertion identifiers. Review authentik access logs for anomalous authentication patterns around the discovery date (2026-06-02).
Why prioritize this
This vulnerability should be prioritized for patching due to its direct impact on authentication integrity. A HIGH CVSS score coupled with low attack complexity reflects the practical risk. Organizations with multi-tenant or multi-service-provider SAML deployments face compounded risk. Although the KEV program has not flagged this issue, the authentication bypass vector and public disclosure warrant urgent attention.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) is driven by: (1) network-accessible attack vector with no prerequisites (AV:N/PR:N); (2) low attack complexity (AC:L); (3) high integrity impact (I:H), reflecting the ability to bypass authentication controls; and (4) no direct confidentiality or availability impact in the base scenario (C:N/A:N). The unchanged scope (S:U) indicates the impact is limited to the authorization logic of the affected component, not broader system compromise.
Frequently asked questions
Does this vulnerability allow an attacker to steal passwords or user credentials?
No. This vulnerability does not compromise password storage or credential capture. It allows reuse of existing SAML assertions that have already been issued. An attacker must obtain a valid assertion through interception, logs, or cache before they can replay it.
What is the practical attack scenario?
An attacker captures or recovers a SAML assertion from legitimate traffic (e.g., from logs, browser cache, or network sniffing). They then replay that assertion to authenticate to a service provider, even if the assertion has expired or was originally intended for a different service provider. For example, an assertion meant for HR portal A could be replayed against Finance portal B.
Are only self-hosted authentik deployments at risk?
Yes, this vulnerability affects self-hosted or on-premises authentik instances. If you are using authentik as an identity provider in your infrastructure, you should patch immediately. SaaS-hosted authentik services managed by goauthentik will be patched by the vendor.
Do I need to rotate user passwords after patching?
No password rotation is necessary. The vulnerability does not compromise password storage. However, after patching, review your authentication logs during the vulnerability window for signs of unauthorized assertion replay or suspicious authentication patterns. Consider reviewing and revoking active sessions if unusual activity is detected.
This analysis is based on publicly disclosed information about CVE-2026-41577 current as of the provided source data. Security details, patches, and timelines may evolve. Verify all patch versions, release dates, and compatibility against the official goauthentik project repository and security advisories before deployment. This explainer does not constitute professional security advice; consult your security team and vendor documentation for your specific deployment context. No exploit code or weaponization steps are provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2022-4992HIGHDräger Infinity M540 Patient Monitor Network Message Vulnerability
- CVE-2026-41569MEDIUMauthentik WS-Federation URL Validation Bypass Leading to Credential Theft
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction