CVE-2026-25922 Overview
CVE-2026-25922 is an authentication bypass vulnerability affecting authentik, an open-source identity provider. The vulnerability allows attackers to inject a malicious SAML assertion before a legitimately signed assertion when specific SAML Source configurations are in use. When exploited, authentik processes the attacker's injected assertion instead of the legitimate signed one, potentially enabling unauthorized access to protected resources.
Critical Impact
This vulnerability enables attackers to bypass SAML authentication controls, potentially gaining unauthorized access to applications and services protected by authentik. Organizations using affected SAML configurations may be exposed to identity spoofing and unauthorized account access.
Affected Products
- authentik versions prior to 2025.8.6
- authentik versions prior to 2025.10.4
- authentik versions prior to 2025.12.4
Discovery Timeline
- February 12, 2026 - CVE-2026-25922 published to NVD
- February 12, 2026 - Last updated in NVD database
Technical Details for CVE-2026-25922
Vulnerability Analysis
This vulnerability stems from improper authentication handling (CWE-287) in authentik's SAML Source processing logic. The flaw specifically manifests when a SAML Source is configured with the "Verify Assertion Signature" option enabled under Verification Certificate, but without the "Verify Response Signature" option enabled, or when the Encryption Certificate setting under Advanced Protocol settings is not configured.
Under these specific configurations, the SAML processing logic fails to properly validate the order and integrity of assertions within a SAML response. An attacker can craft a malicious SAML response that includes an unsigned assertion positioned before the legitimately signed assertion. Due to the processing order vulnerability, authentik extracts and uses the first (malicious) assertion while ignoring the subsequent signed assertion that would normally be validated.
The network-accessible nature of this vulnerability combined with the low complexity of exploitation makes it particularly concerning for organizations relying on authentik for identity federation.
Root Cause
The root cause of CVE-2026-25922 is improper authentication validation in the SAML assertion processing pipeline. The vulnerability exists because the application does not adequately verify that the assertion being processed is the same assertion that was cryptographically signed. When response signature verification is disabled and only assertion signature verification is enabled, the application becomes susceptible to assertion injection attacks where unsigned assertions can be prepended to the SAML response.
Attack Vector
The attack vector for this vulnerability is network-based and requires the attacker to have low-privilege access to interact with the SAML authentication flow. The attack proceeds as follows:
- The attacker intercepts or crafts a SAML response destined for a vulnerable authentik instance
- The attacker prepends a malicious unsigned SAML assertion containing arbitrary identity claims before the legitimate signed assertion
- The modified SAML response is submitted to the authentik SAML endpoint
- Due to the processing order flaw, authentik extracts the first (malicious) assertion
- Signature verification passes because the signed assertion is intact, yet the application consumes the unsigned one, so the attack succeeds
- The attacker gains access as the identity specified in the injected assertion
Exploitation does not require user interaction, allowing attackers to potentially automate attacks against vulnerable deployments. For detailed technical information, refer to the GitHub Security Advisory GHSA-jh35-c4cc-wjm4.
Detection Methods for CVE-2026-25922
Indicators of Compromise
- Unusual SAML authentication events with mismatched assertion counts or duplicate assertions in logs
- Authentication successes for users that cannot be correlated with legitimate identity provider activity
- SAML responses containing multiple assertion elements where only one was expected
- Anomalous user session creation patterns, particularly for privileged accounts
Detection Strategies
- Monitor authentik logs for SAML authentication anomalies, including responses with multiple assertions
- Implement network-level inspection for SAML traffic with unusual assertion structures
- Audit successful authentications against identity provider logs to identify sessions not initiated by legitimate sources
- Deploy SentinelOne to detect suspicious authentication patterns and identity-based threats
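The root cause described above (the assertion that gets consumed is not the one that was signed) and the indicator "SAML responses containing multiple assertion elements where only one was expected" can both be made concrete with a structural check over the Response XML. The following is an added example written for this page, not authentik's own code. It does not verify XML signatures cryptographically (that stays with your SAML library); it shows the two structural conditions a hardened consumer or a log-inspection tool should enforce: the Response carries exactly one Assertion, and that Assertion's own enveloped ds:Signature references its own ID. The sample Response, its IDs and the NameID values are constructed; the SignatureValue is a placeholder, not a real signature.

```python
"""Structural checks for a SAML Response (added example, not authentik code).

Shows the flawed selection pattern (first assertion in document order)
beside a hardened selection that only accepts a single, self-referenced
signed assertion. Cryptographic signature verification is out of scope here
and must still be performed by the SAML library in use.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _assertion(aid, name, signed):
    # Constructed sample assertion; the SignatureValue is a placeholder only.
    sig = ""
    if signed:
        sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{aid}"/></ds:SignedInfo>'
               '<ds:SignatureValue>CONSTRUCTED-NOT-A-REAL-SIGNATURE</ds:SignatureValue>'
               '</ds:Signature>')
    return (f'<saml:Assertion ID="{aid}">{sig}<saml:Subject>'
            f'<saml:NameID>{name}</saml:NameID></saml:Subject></saml:Assertion>')


def _response(*assertions):
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">'
            + "".join(assertions) + "</samlp:Response>")


# Constructed samples: one Response with an unsigned assertion placed before
# the signed one (the shape this advisory describes), and one normal Response.
INJECTED = _response(_assertion("_a1", "injected-user@example.test", signed=False),
                     _assertion("_a2", "legit-user@example.test", signed=True))
NORMAL = _response(_assertion("_a2", "legit-user@example.test", signed=True))


def _assertions(root):
    return root.findall("saml:Assertion", NS)


def _nameid(assertion):
    el = assertion.find("saml:Subject/saml:NameID", NS)
    return el.text.strip() if el is not None and el.text else None


def _is_structurally_signed(assertion):
    """True if the assertion carries an enveloped ds:Signature whose
    Reference URI points at the assertion's own ID."""
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return False
    aid = assertion.get("ID")
    refs = {r.get("URI") for r in sig.iter(f"{{{NS['ds']}}}Reference")}
    return aid is not None and f"#{aid}" in refs


def first_assertion_nameid(xml_text):
    """The flawed pattern: take whatever assertion appears first."""
    found = _assertions(ET.fromstring(xml_text))
    return _nameid(found[0]) if found else None


def hardened_nameid(xml_text):
    """Hardened pattern: exactly one assertion, and it must be covered by
    its own signature. Returns None when the response is rejected."""
    found = _assertions(ET.fromstring(xml_text))
    if len(found) != 1 or not _is_structurally_signed(found[0]):
        return None
    return _nameid(found[0])


def audit(xml_text):
    """Detection view for logging/alerting: assertion count and the
    NameIDs of assertions that lack a self-referencing signature."""
    found = _assertions(ET.fromstring(xml_text))
    unsigned = [_nameid(a) for a in found if not _is_structurally_signed(a)]
    return {"assertion_count": len(found), "unsigned_nameids": unsigned,
            "suspicious": len(found) != 1 or bool(unsigned)}


if __name__ == "__main__":
    print("flawed selection:", first_assertion_nameid(INJECTED))
    print("hardened selection:", hardened_nameid(INJECTED))
    print("audit:", audit(INJECTED))
```

Run against a captured Response body (base64-decoded from the SAMLResponse form field), `audit()` gives the fields worth emitting to a SIEM; any `assertion_count` other than 1 or a non-empty `unsigned_nameids` is the anomaly the indicators above describe. The check also has to be applied to EncryptedAssertion content after decryption if encryption certificates are configured, which this example does not cover.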
Monitoring Recommendations
- Enable verbose logging for SAML Source authentication events in authentik
- Configure alerting for authentication events from SAML Sources that lack encryption certificates
- Review SAML Source configurations to identify instances vulnerable to this attack vector
- Implement anomaly detection for user login patterns, particularly for administrative accounts
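The strategy "audit successful authentications against identity provider logs" and the indicator "authentication successes for users that cannot be correlated with legitimate identity provider activity" reduce to a join between two event streams. The following is an added example for this page, not authentik tooling: the log line formats, field names (`event=login`, `issued subject=`) and timestamps are constructed for illustration and the regexes would need to be adapted to a real authentik event export and IdP audit log.

```python
"""Correlate authentik SAML login successes with IdP assertion issuance
(added example; log formats below are constructed, not real authentik output).

A login on the authentik side that has no matching IdP issuance for the same
user inside a short window is a session the IdP never produced an assertion
for, which is the indicator of compromise described above.
"""
import re
from datetime import datetime, timedelta

# Constructed authentik-side login events (hypothetical format).
AUTHENTIK_LOGINS = [
    "2026-02-12T10:00:05Z event=login user=alice source=corp-saml",
    "2026-02-12T10:07:30Z event=login user=bob source=corp-saml",
    "2026-02-12T10:20:00Z event=login user=carol source=corp-saml",
]
# Constructed IdP audit events: assertions the IdP actually issued to authentik.
IDP_ASSERTIONS = [
    "2026-02-12T10:00:01Z issued subject=alice sp=authentik",
    "2026-02-12T10:05:00Z issued subject=carol sp=authentik",
]

LOGIN_RE = re.compile(r"^(\S+) event=login user=(\S+) source=(\S+)$")
ISSUED_RE = re.compile(r"^(\S+) issued subject=(\S+) sp=authentik$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_logins(lines):
    """Yield (timestamp, user, source) for each well-formed login line."""
    out = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)))
    return out


def parse_issued(lines):
    """Map user -> list of timestamps at which the IdP issued an assertion."""
    out = {}
    for line in lines:
        m = ISSUED_RE.match(line)
        if m:
            out.setdefault(m.group(2), []).append(datetime.strptime(m.group(1), TS_FMT))
    return out


def uncorrelated_logins(login_lines, idp_lines, window_seconds=120):
    """Return (user, login_timestamp) pairs with no IdP issuance for that user
    in [login - window, login]. Those are the logins to investigate."""
    window = timedelta(seconds=window_seconds)
    issued = parse_issued(idp_lines)
    flagged = []
    for when, user, _source in parse_logins(login_lines):
        if not any(when - window <= t <= when for t in issued.get(user, [])):
            flagged.append((user, when.strftime(TS_FMT)))
    return flagged


if __name__ == "__main__":
    for user, ts in uncorrelated_logins(AUTHENTIK_LOGINS, IDP_ASSERTIONS):
        print(f"uncorrelated login: user={user} at {ts}")
```

In the constructed data, alice's login follows an IdP issuance four seconds earlier and is accepted; bob has no IdP issuance at all; carol's IdP issuance is fifteen minutes before her login, outside the default two-minute window, so both bob and carol are flagged. The window should be set from the observed latency between IdP issuance and authentik session creation in your environment, since too small a window produces false positives and too large a window lets a replayed or forged response hide behind an earlier legitimate issuance.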
How to Mitigate CVE-2026-25922
Immediate Actions Required
- Upgrade authentik to version 2025.8.6, 2025.10.4, or 2025.12.4 or later immediately
- Review all SAML Source configurations and enable both "Verify Assertion Signature" and "Verify Response Signature" options
- Configure Encryption Certificates under Advanced Protocol settings for all SAML Sources
- Audit recent authentication logs for signs of exploitation prior to patching
Patch Information
The authentik development team has released security patches addressing this vulnerability across multiple release branches. Organizations should upgrade to the fixed version for the branch they run: 2025.8.6, 2025.10.4, or 2025.12.4 (or later).
For complete details on the security issue and remediation guidance, refer to the GitHub Security Advisory GHSA-jh35-c4cc-wjm4.
Workarounds
- Enable both "Verify Assertion Signature" and "Verify Response Signature" options on all SAML Sources
- Configure Encryption Certificates in Advanced Protocol settings for SAML Sources to prevent assertion manipulation
- Consider temporarily disabling vulnerable SAML Sources until patches can be applied
- Implement additional network-level controls to restrict access to SAML authentication endpoints
Configuration example: review and update SAML Source settings in the authentik admin interface:
1. Navigate to Directory -> Federation & Social Login -> Sources
2. Edit each SAML Source
3. Under the "Verification Certificate" section, enable "Verify Response Signature"
4. Under "Advanced Protocol settings", configure "Encryption Certificate"
5. Save changes and test the SAML authentication flow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


