Description
authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
Published: 2026-02-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw is a context key injection in the PropertyMapping test endpoint of authentik. A user with delegated permissions to view property mapping or expression policy can supply arbitrary Python code through the context key, which the server evaluates during the preview. This results in remote code execution inside the authentik container, providing the attacker full control over the service process.

Affected Systems

The affected vendor is goauthentik:authentik. Versions from 2021.3.1 up through those just before 2025.8.6, 2025.10.4, and 2025.12.4 contain the vulnerability. The releases 2025.8.6, 2025.10.4, and 2025.12.4 include the fix and are not affected.

Risk and Exploitability

The CVSS score of 9.1 marks this as a very high impact flaw, but the EPSS score of less than 1% indicates a low current exploitation probability. It is not listed in the CISA KEV catalog. An attacker requires authenticated access with the specific view permissions, so the attack vector is likely internal or authenticated remote; the flaw does not allow unauthenticated network exploitation. Once the test endpoint is invoked by a privileged user, the injected code runs with the privileges of the authentik process.

Generated by OpenCVE AI on April 18, 2026 at 12:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade goauthentik:authentik to version 2025.8.6 or later, which includes the patch for the context key injection.
  • If an upgrade is not immediately possible, revoke the "Can view * Property Mapping" or "Can view Expression Policy" permissions from all users or limit delegation to trusted accounts.
  • Conduct a review and audit of delegated permissions to ensure only necessary users retain these view rights, thereby reducing the attack surface.

Generated by OpenCVE AI on April 18, 2026 at 12:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*

Tue, 17 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Goauthentik
Goauthentik authentik
Vendors & Products Goauthentik
Goauthentik authentik

Thu, 12 Feb 2026 19:45:00 +0000

Type Values Removed Values Added
Description authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
Title authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Goauthentik Authentik
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-17T15:43:53.801Z

Reserved: 2026-01-30T14:44:47.327Z

Link: CVE-2026-25227

cve-icon Vulnrichment

Updated: 2026-02-17T15:43:46.892Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-12T20:16:10.313

Modified: 2026-02-19T15:25:12.283

Link: CVE-2026-25227

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses