CVE-2026-49443: authentik Account Takeover Vulnerability – Patch Guidance
A critical authentication flaw in authentik—an open-source identity provider—allows attackers to hijack user accounts across the platform. If an attacker has the ability to modify a source connection (such as an external authentication provider) and controls an account in one of those sources, they can log in as any other user in the system. This is a privilege escalation vulnerability requiring two preconditions: administrative access to source configuration and an existing account in a connected source. The flaw affects authentik versions prior to 2025.12.6, 2026.2.4, and 2026.5.1.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-287
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper authentication validation in how authentik handles source connections and user login flows. When a user authenticates through a connected external source (SAML, OIDC, LDAP, etc.), authentik verifies credentials against that source but fails to properly validate that the authenticated identity maps to the user account being accessed. An attacker who can edit source connection settings and who maintains a valid account in one of those sources can manipulate the authentication flow to bypass account ownership verification, allowing unauthorized account takeover. This is classified as an authentication bypass vulnerability (CWE-287) rather than a simple misconfiguration, indicating a logic flaw in the core authentication pathway.
Business impact
For organizations using authentik as their identity provider, this vulnerability creates a direct pathway to user account compromise at scale. An insider threat or compromised administrator with source configuration privileges combined with any valid employee account becomes a vector for lateral movement and privilege escalation. All downstream applications relying on authentik for authentication inherit the compromise. Risk is highest in environments with sensitive systems (HR, finance, infrastructure) integrated via authentik, and for organizations with stricter separation of duties where source administrators may not overlap with the sensitive applications they protect. Organizations should treat this as a potential business continuity and data security incident if exploitation occurred before patching.
Affected systems
The vulnerability affects authentik deployments running versions prior to 2025.12.6 (latest in 2025.12 branch), 2026.2.4 (latest in 2026.2 branch), and 2026.5.1 (latest in 2026.5 branch). Both self-hosted and cloud-managed authentik instances are affected if running vulnerable versions. Any authentik deployment with at least one external source connection (SAML, OIDC, LDAP, etc.) and multiple user accounts is potentially exploitable. Organizations should audit their installed version and branch against the patched versions listed.
Exploitability
Exploitability requires two preconditions: (1) an attacker must have administrative access to modify source connections—typically reserved for identity team leads or platform operators—and (2) the attacker must possess or create a valid account in one of the connected external sources. The CVSS vector (AC:L, PR:L, UI:N) reflects low attack complexity and low privilege requirement, but the dual precondition reduces practical attack surface to insider threats or compromised administrative credentials. No public exploit has been reported, and the vulnerability is not yet tracked in CISA's Known Exploited Vulnerabilities catalog. However, the high CVSS (8.8) and account takeover impact suggest it should be prioritized as if exploitation were actively being researched.
Remediation
Patch immediately to authentik version 2025.12.6, 2026.2.4, or 2026.5.1 depending on your currently deployed branch. Consult goauthentik's release notes and your deployment method (Docker, Kubernetes, system package) for upgrade procedures. After patching, conduct a security audit of all source connection configurations and review access logs for anomalous authentication activity during the vulnerability window. Consider restricting source configuration permissions to a minimal set of trusted administrators until patching is complete.
Patch guidance
Upgrade to version 2025.12.6 if you are on the 2025.12 branch, 2026.2.4 if on the 2026.2 branch, or 2026.5.1 if on the 2026.5 branch. Review the goauthentik release notes for any breaking changes or configuration requirements associated with the patch. Most deployments should be able to upgrade with minimal downtime; however, test the update in a non-production environment first if running mission-critical authentication infrastructure. After upgrade, verify that all external source connections continue to function as expected and that users can authenticate normally.
Detection guidance
Monitor authentik logs for failed authentication attempts followed by successful cross-account logins, particularly those accessing accounts with elevated privileges. Look for source configuration changes made by administrative accounts not normally associated with identity team operations. If available, enable audit logging for source connection modifications and correlate them with subsequent authentication events. Search for login sessions where the authenticated source user differs from the account being accessed—this indicates a potential exploitation attempt. Review administrative access logs to identify compromised or unusual admin credentials prior to any observed account takeovers.
Why prioritize this
This vulnerability scores CVSS 8.8 (HIGH) due to high confidentiality, integrity, and availability impact; low attack complexity; and low privilege barrier. Account takeover in an identity provider represents a critical security event because it compromises the trust foundation of all downstream applications. While exploitation requires insider access or compromised admin credentials, identity infrastructure breaches are particularly damaging and harder to detect than application-level compromises. Organizations should treat this as an emergency patch priority comparable to zero-day vulnerabilities, even though it requires privileged access.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects the combination of network accessibility (AV:N), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction needed (UI:N), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). While the privilege requirement moderates the score below 9.0, the consequences of account takeover in a centralized identity provider—the ability to impersonate any user—justify the HIGH severity rating. The score appropriately balances the insider-threat nature of the attack against the catastrophic impact if execution succeeds.
Frequently asked questions
Does this vulnerability allow unauthenticated account takeover?
No. The attacker must have two things: administrative ability to modify source connections and a valid account in one of those external sources. This means the vulnerability is most dangerous as an insider threat or in cases where an admin account has been compromised. It is not a worm-like vector affecting users who cannot change configuration.
Which version of authentik am I running, and how do I check?
Check your authentik deployment logs or the admin dashboard (typically at /admin) to find the version number. It is also displayed in the Docker image tag if you deployed via container. Cross-reference against the patched versions (2025.12.6, 2026.2.4, 2026.5.1) to determine if you are vulnerable.
Can I restrict source configuration access to mitigate this vulnerability before patching?
Yes. If your organization allows it, temporarily limiting source configuration permissions to a very small number of highly trusted admins reduces the attack surface while patches are being planned and tested. This is not a substitute for patching but can reduce immediate risk in environments where patching requires change control or testing windows.
Will patching this vulnerability require a restart of authentik?
Most updates to authentik can be applied with a restart or rolling update depending on your deployment model (Docker, Kubernetes, system package). Verify against the specific release notes for version 2025.12.6, 2026.2.4, or 2026.5.1 before upgrading. Plan for brief downtime if you are upgrading manually.
This analysis is provided for informational purposes and does not constitute professional security advice. Organizations should independently verify patch availability, test updates in non-production environments, and consult vendor advisories before deploying. SEC.co assumes no liability for actions taken based on this analysis. Always refer to the official goauthentik repository and release notes as the authoritative source for patch versions and deployment instructions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10157HIGHOpen5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk
- CVE-2026-10167HIGHAuthentication Bypass in BrinaryBrains School Management System
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10288HIGHHotel Reservation System Admin Authentication Bypass
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-10619HIGHsayan365 Student-Management-System Remote Authentication Bypass
- CVE-2026-10777HIGHealpha072 Student-Management-System Authentication Bypass in Admin Backend