CVE-2026-49443: authentik Auth Bypass Vulnerability

CVE-2026-49443 Overview

CVE-2026-49443 is an authentication bypass vulnerability in authentik, an open-source identity provider. An attacker with the ability to modify a source connection and an account in one of the configured sources can log into any account on the affected instance. The flaw is tracked under CWE-287: Improper Authentication and affects versions prior to 2025.12.6, 2026.2.4, and 2026.5.1. The maintainers have released patched versions addressing the issue.

Critical Impact

An authenticated attacker with source-modification privileges can authenticate as any user, including administrators, by abusing federated source connection logic.

Affected Products

• authentik versions prior to 2025.12.6 (2025.12.x branch)
• authentik versions prior to 2026.2.4 (2026.2.x branch)
• authentik versions prior to 2026.5.1 (2026.5.x branch)

Discovery Timeline

• 2026-06-02 - CVE-2026-49443 published to NVD
• 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-49443

Vulnerability Analysis

The vulnerability lives in how authentik links externally federated identities from configured sources to internal user accounts. When an attacker can modify a source connection and controls an account in one of the configured sources, the linking logic fails to enforce a trustworthy binding between the source identity and the target internal account. The result is that the attacker can pivot through the federated source and complete authentication as an arbitrary user.

Because authentik is commonly deployed as a single sign-on (SSO) gateway, the bypass extends across every downstream application protected by the identity provider. Successful exploitation yields full account takeover, including administrative accounts when an admin account is targeted. The CWE-287 classification reflects an authentication mechanism that accepts attacker-influenced data as proof of identity.

Root Cause

The root cause is improper validation during source-to-user linkage. The flow permits an actor with write access to a source connection and a controlled identity in that source to alter the linkage so that the controlled source identity resolves to a victim user. Authentication then succeeds against the victim account without the victim's credentials or consent.

Attack Vector

The attack is conducted over the network and requires low privileges — specifically, the ability to change a source connection within authentik plus an account in one of the configured sources. No user interaction is required. The attacker first manipulates the source configuration or linkage, authenticates through the federated source using their controlled identity, and is granted a session bound to the chosen victim account.

No public proof-of-concept exploit is available at publication time. Refer to the GitHub Security Advisory GHSA-wr38-7xg8-fqxr for vendor-provided technical detail.

Detection Methods for CVE-2026-49443

Indicators of Compromise

• Unexpected modifications to source connection objects in authentik audit logs, particularly to OAuth, SAML, or LDAP source configurations.
• Successful logins to privileged accounts immediately preceded by source configuration changes performed by non-administrative operators.
• New or altered user-to-source identity bindings that do not correspond to legitimate provisioning activity.

Detection Strategies

• Review authentik audit events for model_updated actions against source objects and correlate with subsequent successful authentication events for high-value accounts.
• Alert on logins where the authenticating source identity was created, modified, or relinked within a short window prior to the login.
• Hunt for sessions where the federated source subject identifier does not match the historical binding for the target user account.

Monitoring Recommendations

• Forward authentik audit and event logs to a centralized SIEM and retain them for incident reconstruction.
• Monitor administrative API endpoints under /api/v3/sources/ for unauthorized modifications.
• Track privileged role assignments and password-less authentications originating from federated sources for anomalous patterns.

How to Mitigate CVE-2026-49443

Immediate Actions Required

• Upgrade authentik to 2025.12.6, 2026.2.4, or 2026.5.1 depending on the deployed release branch.
• Audit which operators hold permissions to modify source connections and revoke access from accounts that do not require it.
• Review recent source configuration changes and recent administrative logins for signs of exploitation prior to patching.

Patch Information

The authentik maintainers have released fixed versions 2025.12.6, 2026.2.4, and 2026.5.1. Patch details and remediation guidance are provided in the GitHub Security Advisory GHSA-wr38-7xg8-fqxr.

Workarounds

• Restrict the authentik Admins group and any custom roles that grant write access to source objects until the upgrade is complete.
• Temporarily disable non-essential federated sources to reduce the available attack surface.
• Require multi-factor authentication on administrative accounts so that a source-based bypass alone does not yield full takeover of privileged sessions.