Description
authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
Published: 2026-05-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

authentik, an open-source identity provider, allowed an attacker to bypass authentication by injecting an XML comment into the NameID element of a SAML assertion presented to an authentik SAML Source. The XML signature over the assertion survives this tampering because signature canonicalization (Exclusive C14N, as used by SAML) discards comments, so the signed digest is unchanged; authentik's NameID extraction, however, stopped at the comment and used only the text before it. An attacker whose legitimate NameID at the SAML source began with a victim's identifier could therefore sign in to authentik as that victim. The issue is an authentication bypass (CWE-287) caused by XML injection (CWE-91) and by two components interpreting the same element differently (CWE-436); confidentiality and integrity impact are high, availability is unaffected.
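The mechanism, as an added illustration that is not authentik's code and does not reproduce its actual extraction path: a constructed, unsigned assertion skeleton stands in for the signed IdP response, the attacker's legitimate NameID `admin@corp.example.attacker.example` and the victim identifier `admin@corp.example` are assumptions, and Python's `ET.canonicalize` (C14N 2.0) stands in for the Exclusive C14N 1.0 that SAML signatures use; both discard comments, which is the property that matters. The block shows that the canonical digest is unchanged by the injected comment, that reading the element's first text node yields the truncated identifier, and what a hardened reader does instead.

```python
"""SAML NameID comment injection: why the signature still verifies and why a
naive reader sees a truncated identifier. Added illustration, not authentik code."""
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PATH = f".//{{{SAML_NS}}}NameID"

# Constructed, minimal assertion skeleton standing in for a signed IdP response.
ASSERTION_TEMPLATE = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" '
    'Version="2.0" IssueInstant="2026-05-20T00:00:00Z">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    "<saml:Subject>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "{nameid}</saml:NameID>"
    "</saml:Subject>"
    "</saml:Assertion>"
)

# Assumed values: the attacker registered an address at the SAML source whose
# prefix is the victim's identifier, then splices a comment at that boundary
# into the assertion the IdP handed them.
VICTIM = "admin@corp.example"
ATTACKER_NAMEID = VICTIM + ".attacker.example"
SIGNED_ASSERTION = ASSERTION_TEMPLATE.format(nameid=ATTACKER_NAMEID)
TAMPERED_ASSERTION = ASSERTION_TEMPLATE.format(nameid=VICTIM + "<!-- -->" + ".attacker.example")


def _parse_keeping_comments(xml: str) -> ET.Element:
    """Parse into a tree that keeps comment nodes, as lxml and most DOM
    libraries do; ElementTree drops them unless asked to keep them."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml, parser=parser)


def nameid_first_text_node(xml: str) -> str:
    """Vulnerable pattern: `.text` holds only the text before the first child
    node, so a comment in the middle truncates the identifier."""
    return _parse_keeping_comments(xml).find(NAMEID_PATH).text


def nameid_all_text(xml: str) -> str:
    """What the signature actually covered: every text node of the element,
    which is also what canonicalization without comments sees."""
    elem = _parse_keeping_comments(xml).find(NAMEID_PATH)
    parts = [elem.text or ""]
    parts.extend(child.tail or "" for child in elem)  # text following each child node
    return "".join(parts)


def nameid_hardened(xml: str) -> str:
    """Hardened extraction: an identifier must not contain child nodes, so
    refuse mixed content outright instead of choosing one interpretation."""
    elem = _parse_keeping_comments(xml).find(NAMEID_PATH)
    if elem is None:
        raise ValueError("assertion carries no NameID")
    if len(elem):
        raise ValueError("NameID has child nodes (comment/PI/element): rejecting")
    return elem.text or ""


def digest_without_comments(xml: str) -> str:
    """SHA-256 over the canonical form with comments discarded. SAML signs
    Exclusive C14N 1.0 without comments; ET.canonicalize is C14N 2.0, but both
    drop comments, which is what lets the tampering pass signature checks."""
    canonical = ET.canonicalize(xml, with_comments=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    same = digest_without_comments(SIGNED_ASSERTION) == digest_without_comments(TAMPERED_ASSERTION)
    print("canonical digest unchanged by the comment:", same)
    print("first-text-node reader sees:", nameid_first_text_node(TAMPERED_ASSERTION))
    print("all text nodes joined:", nameid_all_text(TAMPERED_ASSERTION))
    try:
        nameid_hardened(TAMPERED_ASSERTION)
    except ValueError as exc:
        print("hardened reader:", exc)
```

A real SP compares the digest of the canonicalized Assertion against the DigestValue inside the signed SignedInfo; since that digest is identical for both documents, the tampered assertion verifies. The hardened reader refuses mixed content rather than concatenating text nodes, so the service can log and reject the attempt instead of silently picking one reading of the identifier.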

Affected Systems

The flaw existed in authentik versions 2025.12.4 and earlier, and in versions 2026.2.0-rc1 through 2026.2.2. Any instance that consumes a SAML Source with XML signing enabled is exposed if the attacker holds an account on that source and can choose or change their own NameID value (commonly the username or e-mail address).

Risk and Exploitability

The CVSS 3.1 base score is 8.7 (High), vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N: reachable over the network with no privileges on authentik itself and no user interaction, but with high attack complexity because the attacker needs an account on the upstream SAML Source whose NameID they can shape, and with a scope change (S:C). EPSS is below 1% and the CVE is not listed in CISA KEV; the SSVC assessment recorded in the history below reports no known exploitation, so exploitation is plausible but not observed. The preconditions (a SAML Source with XML signing enabled, which is the typical configuration, plus a controllable NameID on that source) are realistic wherever authentik federates with a third-party or self-service identity provider. Where they hold, the attacker can authenticate as any user account on the affected authentik instance.

Generated by OpenCVE AI on May 21, 2026 at 00:20 UTC.

Remediation

Fixed in authentik 2025.12.5 and 2026.2.3 (see the description above). No workaround other than upgrading is listed.

OpenCVE Recommended Actions

  • Upgrade to authentik 2025.12.5 or 2026.2.3 (or later), which contain the fix for the NameID comment injection. This is the only definitive fix.
  • Do not disable XML signing on the SAML Source as a stop-gap. Signed assertions are a precondition of this particular bug, but without signature validation an attacker could forge an entire assertion rather than splice a comment into a genuine one, which is strictly worse.
  • Until the upgrade is in place, audit authentication events from the SAML Source for sign-ins to accounts whose identifier does not match the identity the upstream provider actually issued; such a mismatch is the footprint of this attack. In any code that consumes SAML NameID or similar identifiers, treat the element as untrusted input: reject mixed content (comment, processing-instruction or element children inside NameID) and take the identifier from the element's complete text content rather than its first text node. That is the general remediation for CWE-91 leading to CWE-287.

Advisories

No advisories yet.

History

Thu, 21 May 2026 15:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 21 May 2026 01:30:00 +0000

Type: First Time appeared
Values added: Goauthentik; Goauthentik authentik
Type: Vendors & Products
Values added: Goauthentik; Goauthentik authentik

Wed, 20 May 2026 23:45:00 +0000

Type: Description
Values added: authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
Type: Title
Values added: authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation
Type: Weaknesses
Values added: CWE-287; CWE-436; CWE-91
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-21T14:13:20.329Z

Reserved: 2026-04-09T19:31:56.014Z

Link: CVE-2026-40165

Vulnrichment

Updated: 2026-05-21T14:13:16.426Z

NVD

Status : Deferred

Published: 2026-05-21T00:16:28.290

Modified: 2026-05-21T15:24:25.330

Link: CVE-2026-40165

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T01:15:25Z

Weaknesses