CVE-2026-25922

High CVSS: 8.8

authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.

Vendor

Goauthentik

Product

Authentik

CWE

CWE-287

Yayın Tarihi

2026-02-12 20:16:10

Güncelleme

2026-02-18 20:59:27

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-287 Authentik HIGH Goauthentik 2026

Referanslar

https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4 https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4 https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6 https://github.com/goauthentik/authentik/security/advisories/GHSA-jh35-c4cc-wjm4

Benzer Kayıtlar

Critical

CVE-2026-25227

authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using de…

High

CVE-2026-25748

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible…

Medium

CVE-2025-64521

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client…

Medium

CVE-2025-64708

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions,…

High

CVE-2025-53942

authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set o…

Medium

CVE-2025-52553

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token whi…