CVE-2026-47201

authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1.

CVSS v3 8.5 HIGH

8.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:goauthentik:authentik::::::::
	cpe:2.3:a:goauthentik:authentik::::::::
	cpe:2.3:a:goauthentik:authentik::::::::

History

04 Jun 2026, 20:14

Type	Values Removed	Values Added
CPE		cpe:2.3:a:goauthentik:authentik::::::::
References	~~() https://github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3 -~~	() https://github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3 - Mitigation, Vendor Advisory
CWE		CWE-347
First Time		Goauthentik Goauthentik authentik

02 Jun 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-02 21:16

Updated : 2026-06-04 20:14

NVD link : CVE-2026-47201

Mitre link : CVE-2026-47201

CVE.ORG link : CVE-2026-47201

JSON object : View

Products Affected

goauthentik

authentik

CWE

CWE-20

Improper Input Validation

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2026-47201", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}]}, "published": "2026-06-02T21:16:27.940", "references": [{"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1."}], "lastModified": "2026-06-04T20:14:17.090", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2248E771-C089-49F8-B370-D3E089534A60", "versionEndExcluding": "2025.12.6"}, {"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2723A03F-6FA5-40D6-9D67-320CBC6538C4", "versionEndExcluding": "2026.2.4", "versionStartIncluding": "2026.2.0"}, {"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D092DE78-A8F3-4569-80F8-0289DF27CB2D", "versionEndExcluding": "2026.5.1", "versionStartIncluding": "2026.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}