Description
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege escalation. This bypasses the stricter permission model enforced in group-management paths and enables delegated user-management permissions to escalate target users to administrator-equivalent privilege. Users with permissions to update groups or permissions to update users are able to add themselves or other users they have permissions on to users which have superuser permissions. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
Published: 2026-05-22
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the user update API: a caller who has change_user rights on a target account can assign any group through UserSerializer. Because that path does not require the enable_group_superuser permission before attaching a group whose is_superuser flag is set, an attacker can place a target user in a superuser group without the stricter checks that the group-management paths enforce. The result is that the target account attains administrator-equivalent privileges, violating confidentiality and integrity controls. The flaw maps to CWE-269: Improper Privilege Management.

Affected Systems

Open-source identity provider authentik, maintained by goauthentik. Versions earlier than 2025.12.5, and 2026.2.0-rc1 up to 2026.2.2, are affected. The issue was addressed in release 2025.12.5 and in 2026.2.3.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. No EPSS score is available, so current public exploitation data is unknown, and the vulnerability is not listed in the CISA KEV catalog. The attack is remote, carried out over the REST API (CVSS vector AV:N); any authenticated user holding change_user on a target account, or permission to manage groups, can exploit the flaw, which makes it particularly relevant in insider-threat and compromised-delegated-admin scenarios.

Generated by OpenCVE AI on May 22, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest authentik release that contains the fix (2025.12.5 or 2026.2.3).
  • Limit the change_user permission to only trusted administrators, and review any roles granted that include it.
  • If upgrading cannot occur immediately, audit the /api/v3/core/users endpoint for group assignments that set is_superuser and block or alert on such changes.
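The two pieces a defender needs here are a model of the check the fix enforces (a caller with change_user may attach groups, but attaching a group with is_superuser set additionally requires enable_group_superuser) and a way to audit API activity for the pattern the advisory describes. The following Python is an added example, not authentik's own code: the group pks, the permission-set representation and the event shape (method, path, actor, body) are constructed placeholders, and a real deployment would adapt the event parsing to whatever its API gateway or audit log actually emits.

```python
import re
from typing import Iterable

# Constructed group table modelled on the fields named in the advisory (pk, is_superuser).
# The pks are placeholders, not real authentik identifiers.
GROUPS = [
    {"pk": "grp-admins-0001", "name": "authentik Admins", "is_superuser": True},
    {"pk": "grp-helpdesk-0002", "name": "Helpdesk", "is_superuser": False},
    {"pk": "grp-staff-0003", "name": "Staff", "is_superuser": False},
]

# The endpoint named in the advisory; the user pk in the URL is numeric.
USER_PATCH_RE = re.compile(r"^/api/v3/core/users/(?P<pk>\d+)/$")


def superuser_group_pks(groups: Iterable[dict]) -> set[str]:
    """Return the pks of groups whose is_superuser flag is set."""
    return {g["pk"] for g in groups if g.get("is_superuser")}


def group_assignment_allowed(caller_permissions: set[str],
                             requested_groups: set[str],
                             groups: Iterable[dict]) -> bool:
    """Model of the rule the fix enforces (assumption: a simplified view of the
    permission model, not authentik's implementation). change_user is needed to
    attach any group; attaching a superuser group additionally requires
    enable_group_superuser. The unpatched user PATCH path skipped that second check.
    """
    if "change_user" not in caller_permissions:
        return False
    if requested_groups & superuser_group_pks(groups):
        return "enable_group_superuser" in caller_permissions
    return True


def is_superuser_assignment(event: dict, su_pks: set[str]) -> bool:
    """True when an API event is a PATCH to /api/v3/core/users/{pk}/ whose body
    attaches at least one superuser group. Group-management paths are left to
    their own (stricter) checks and are not matched here."""
    if event.get("method") != "PATCH":
        return False
    if not USER_PATCH_RE.match(event.get("path", "")):
        return False
    requested = set(event.get("body", {}).get("groups", []))
    return bool(requested & su_pks)


def find_superuser_assignments(events: Iterable[dict], groups: Iterable[dict]) -> list[dict]:
    """Filter a stream of API events down to the ones that warrant an alert."""
    su_pks = superuser_group_pks(groups)
    return [e for e in events if is_superuser_assignment(e, su_pks)]


# Constructed sample events in a simplified shape; only the second one should alert.
SAMPLE_EVENTS = [
    {"actor": "helpdesk-user", "method": "PATCH", "path": "/api/v3/core/users/42/",
     "body": {"groups": ["grp-helpdesk-0002"]}},
    {"actor": "helpdesk-user", "method": "PATCH", "path": "/api/v3/core/users/42/",
     "body": {"groups": ["grp-helpdesk-0002", "grp-admins-0001"]}},
    {"actor": "helpdesk-user", "method": "GET", "path": "/api/v3/core/users/42/",
     "body": {}},
    {"actor": "helpdesk-user", "method": "PATCH", "path": "/api/v3/core/groups/grp-admins-0001/",
     "body": {"users": [42]}},
]

if __name__ == "__main__":
    for hit in find_superuser_assignments(SAMPLE_EVENTS, GROUPS):
        print(f"ALERT: {hit['actor']} attached a superuser group via "
              f"{hit['method']} {hit['path']}")
```

On an unpatched instance the alert is the only control available short of removing change_user from delegated roles; after upgrading, the same detector remains useful as a high-signal audit of who is handing out superuser membership, since the patched rule only narrows the set of callers who can do it.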


Advisories

No advisories yet.

History

Fri, 22 May 2026 20:45:00 +0000

Type: First Time appeared
Values Added: Goauthentik; Goauthentik authentik

Type: Vendors & Products
Values Added: Goauthentik; Goauthentik authentik

Fri, 22 May 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 19:15:00 +0000

Type: Description
Values Added: authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege escalation. This bypasses the stricter permission model enforced in group-management paths and enables delegated user-management permissions to escalate target users to administrator-equivalent privilege. Users with permissions to update groups or permissions to update users are able to add themselves or other users they have permissions on to users which have superuser permissions. This issue has been fixed in versions 2025.12.5 and 2026.2.3.

Type: Title
Values Added: authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser

Type: Weaknesses
Values Added: CWE-269

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


Subscriptions

Goauthentik Authentik
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T19:15:18.353Z

Reserved: 2026-04-09T19:31:56.015Z

Link: CVE-2026-40172

Vulnrichment

Updated: 2026-05-22T19:15:03.121Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T20:30:06Z

Weaknesses