CVE-2026-41569 Overview
CVE-2026-41569 is an open redirect vulnerability in authentik, an open-source identity provider. The flaw exists in the WS-Federation provider, which validates the user-supplied wreply parameter using a raw string prefix check instead of proper URL parsing. An attacker who crafts a malicious login link can supply a wreply value pointing to a different origin that bypasses the check, such as https://portal.example.com.evil.tld/. The victim's browser then POSTs the signed WS-Federation login response to attacker-controlled infrastructure. The vulnerability affects all versions of authentik prior to 2026.2.3 and is classified under [CWE-601] (URL Redirection to Untrusted Site).
Critical Impact
Attackers can intercept signed WS-Federation login responses by tricking victims into clicking crafted login links, exposing authentication tokens to attacker-controlled endpoints.
Affected Products
- authentik identity provider versions prior to 2026.2.3
- Deployments using the WS-Federation provider for federated authentication
- Self-hosted and managed authentik instances exposing WS-Federation login flows
Discovery Timeline
- 2026-06-02 - CVE CVE-2026-41569 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-41569
Vulnerability Analysis
The vulnerability resides in authentik's WS-Federation provider, which handles federated single sign-on via the WS-Federation protocol. When a relying party initiates a login flow, the wreply parameter specifies where the signed authentication response should be POSTed after successful authentication. Proper validation requires parsing the URL and comparing the origin, scheme, and host components against an allowlist.
Instead, authentik performs a raw string prefix check on the wreply value. This naive comparison treats any string starting with an allowed value as valid, ignoring URL semantics. An attacker registers a domain that begins with the expected hostname as a subdomain label, then crafts a wreply parameter targeting that domain. The check passes, and authentik delivers the signed login response to the attacker.
Root Cause
The root cause is improper input validation of redirect targets [CWE-601]. The WS-Federation provider treats wreply as an opaque string rather than a URL with structural components. A correct implementation must parse the URL using a standards-compliant parser and compare normalized scheme, host, and port values against the configured allowed return URLs.
Attack Vector
The attack requires no authentication and no privileges on the authentik instance. An attacker constructs a phishing link that points to a legitimate authentik login endpoint but includes a crafted wreply value such as https://portal.example.com.evil.tld/. The string prefix https://portal.example.com matches the allowed value, so authentik accepts the parameter. After the victim authenticates, their browser auto-submits a form POST containing the signed WS-Federation token to the attacker's domain. The attacker captures the token and can replay it against the legitimate relying party to impersonate the victim.
The vulnerability is described in prose because no public proof-of-concept code has been released. Refer to the GitHub Security Advisory for vendor details.
Detection Methods for CVE-2026-41569
Indicators of Compromise
- Unusual outbound POST requests from user browsers to domains resembling legitimate relying parties but with appended suffixes (e.g., portal.example.com.evil.tld)
- WS-Federation login flows where the wreply parameter contains hostnames with unexpected trailing labels
- Login link distribution through phishing emails referencing the authentik login endpoint
Detection Strategies
- Inspect web server and reverse proxy logs for WS-Federation requests containing suspicious wreply values that extend allowed hostnames
- Correlate authentication events in authentik logs against the destination origin of the resulting POST to identify mismatches
- Apply DNS monitoring for newly registered domains that include trusted relying party hostnames as subdomain prefixes
Monitoring Recommendations
- Enable verbose request logging on the authentik WS-Federation endpoint and forward to a centralized log platform
- Alert on WS-Federation flows where the wreply host does not exactly match an approved relying party FQDN
- Review identity provider audit trails for repeated authentication attempts originating from a single user across short time windows
How to Mitigate CVE-2026-41569
Immediate Actions Required
- Upgrade authentik to version 2026.2.3 or later, which contains the patched wreply validation logic
- Audit configured WS-Federation relying parties and remove any that are no longer in active use
- Notify users to avoid clicking authentication links from untrusted sources until the upgrade is complete
Patch Information
The authentik maintainers fixed this issue in version 2026.2.3. The patch replaces the prefix string check with proper URL parsing and origin comparison. Details are available in the GitHub Security Advisory GHSA-995q-72cw-cfw3.
Workarounds
- Restrict access to the authentik WS-Federation endpoint to trusted network segments where feasible
- Deploy a reverse proxy or web application firewall rule that validates the wreply parameter against an exact allowlist of relying party origins
- Disable the WS-Federation provider entirely if it is not required, and rely on alternative federation protocols such as OIDC or SAML
# Example upgrade for Docker Compose deployments
export AUTHENTIK_TAG=2026.2.3
docker compose pull
docker compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
