Impact
The defect resides in authentik's WS-Federation provider, which validates the wreply parameter with a simple string prefix check instead of parsing the URL and comparing its origin. This oversight falls under CWE-601, Open Redirect. An attacker who can construct a malicious login URL can supply a wreply value that satisfies the prefix check yet points to a different origin, such as https://portal.example.com.evil.tld/. When a victim follows the link, authentik posts the signed WS-Federation login response to the attacker-controlled domain, leaking authentication data. The consequence is that an attacker can exfiltrate signed login responses and potentially obtain user credentials or session tokens, compromising confidentiality.
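The following Python snippet is an added illustration of the weak pattern described above and is not authentik's own code. It places a naive string prefix check for wreply beside a check built on real URL parsing that compares scheme, host, port and path prefix. The configured reply URL (ALLOWED_REPLY_URL, assumed here to be stored without a trailing slash) and the function names are assumptions for the demo; the sample values are constructed and include the lookalike host from the advisory.

```python
"""Added example (not authentik's code): naive prefix check for a WS-Federation
wreply value versus an origin-based check that parses the URL first.
ALLOWED_REPLY_URL and the function names below are assumptions for this demo."""
from urllib.parse import urlsplit

# Assumed: the reply URL configured for the relying party, stored without a
# trailing slash. A bare prefix check on this string matches any host that
# merely continues the configured hostname.
ALLOWED_REPLY_URL = "https://portal.example.com"


def naive_prefix_check(wreply: str, allowed: str = ALLOWED_REPLY_URL) -> bool:
    """The weak pattern: accept any value that starts with the configured URL
    as a plain string. Nothing delimits the end of the hostname, so
    'https://portal.example.com.evil.tld/' passes."""
    return wreply.startswith(allowed)


def origin_matches(wreply: str, allowed: str = ALLOWED_REPLY_URL) -> bool:
    """Hardened check: parse both URLs and compare scheme, whole hostname,
    port and path prefix. Any parse problem is treated as a mismatch."""
    try:
        got, want = urlsplit(wreply), urlsplit(allowed)
        # .port raises ValueError on a malformed port component
        got_port = got.port or 443
        want_port = want.port or 443
    except ValueError:
        return False
    if got.scheme != "https" or got.scheme != want.scheme:
        return False  # no scheme downgrade
    if not got.hostname or got.hostname != (want.hostname or "").lower():
        return False  # hostname compared as a whole, not as a prefix
    if got_port != want_port:
        return False
    want_path = want.path or "/"
    got_path = got.path or "/"
    # Keep the reply under the configured path; '/' allows any path.
    return got_path == want_path or got_path.startswith(want_path.rstrip("/") + "/")


def evaluate(candidates):
    """Run both checks over candidate wreply values.
    Returns {value: (naive_result, origin_result)}."""
    return {c: (naive_prefix_check(c), origin_matches(c)) for c in candidates}


# Constructed sample values: two legitimate reply URLs and the lookalike host
# from the advisory, which the naive check accepts and the parsed check rejects.
SAMPLE_WREPLY_VALUES = [
    "https://portal.example.com/",
    "https://portal.example.com/sso/callback",
    "https://portal.example.com.evil.tld/",
]

if __name__ == "__main__":
    for value, (naive, parsed) in evaluate(SAMPLE_WREPLY_VALUES).items():
        print(f"{value:45} prefix-check={naive!s:5} origin-check={parsed}")
```

The decisive difference is that urlsplit() returns the full hostname, so a host that merely extends the configured one no longer compares equal; the scheme and port comparisons close the remaining ways a reply URL could leave the intended origin.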
Affected Systems
All deployments of goauthentik's authentik Identity Provider running a version older than 2026.2.3 are affected. The vulnerability was introduced prior to that release and was patched in 2026.2.3, so any earlier version is at risk. The attack is specific to the WS-Federation provider functionality.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV. Exploitation requires the attacker to craft and distribute a login link that contains the tampered wreply parameter. Once the victim clicks that link, the browser automatically submits the signed response to the attacker's endpoint; no further user interaction is needed beyond clicking the link. The attack vector is therefore purely web-based and relies on social engineering or the distribution of malicious links.
OpenCVE Enrichment