Description
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.
Published: 2026-06-02
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the AutosubmitStage of authentik's Simple Flow Executor (SFE), the lightweight flow UI authentik serves for legacy browsers. Request-controlled input reaches the markup the stage renders without adequate encoding, so an attacker can craft a link that, when a victim opens it, causes attacker-supplied script to run in the victim's browser in the identity provider's origin. From there the script can act with the victim's authenticated session (driving flows or API calls on the victim's behalf), which amounts to taking over the victim's IdP account. This is a reflected cross-site scripting flaw (CWE-79).
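To make the bug class concrete, the following added example (illustrative code, not authentik's own SFE implementation) shows a legacy-browser "autosubmit" stage that renders a self-submitting form from server-provided values. The field names, the sample payload and the helper names are constructed for the example; the vulnerable renderer concatenates a reflected value straight into the markup, the hardened one escapes every dynamic value and restricts the form action to http(s).

```javascript
// Added illustration of reflected XSS in an auto-submitting form. Not authentik's code;
// the stage shape, field names and helpers below are assumptions made for the example.

// Constructed sample stage payload. In this scenario the attacker controls the value of
// "SAMLResponse" through the crafted request that reaches the stage.
const SAMPLE_STAGE = {
  url: "https://sp.example.test/acs",
  attrs: {
    SAMLResponse: 'x" autofocus onfocus="alert(document.domain)" x="',
    RelayState: "state-123",
  },
};

// Minimal HTML escaper covering the five characters that matter in text and
// double-quoted attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: values are interpolated into the markup untouched. A value containing a
// double quote closes the attribute and the rest of the string becomes new attributes,
// here an autofocus plus an inline onfocus handler that fires without a click.
function renderAutosubmitVulnerable(stage) {
  let html = `<form method="POST" action="${stage.url}">`;
  for (const [name, value] of Object.entries(stage.attrs)) {
    html += `<input type="hidden" name="${name}" value="${value}">`;
  }
  return html + "</form><script>document.forms[0].submit()</script>";
}

// HARDENED: every dynamic value is HTML-escaped before it enters the markup, and the
// form action is parsed and restricted to http(s) so a "javascript:" target cannot be
// smuggled in as the submit destination.
function renderAutosubmitHardened(stage) {
  const target = new URL(stage.url);
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    throw new Error(`refusing form action with scheme ${target.protocol}`);
  }
  let html = `<form method="POST" action="${escapeHtml(target.href)}">`;
  for (const [name, value] of Object.entries(stage.attrs)) {
    html += `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
  }
  return html + "</form><script>document.forms[0].submit()</script>";
}

// Crude check used by the demo: an on* attribute whose value opens with a quote means
// a value broke out of its attribute. Escaped output never contains `onfocus="`.
function hasInlineEventHandler(html) {
  return /\son[a-z]+\s*=\s*["']/i.test(html);
}

// Stand-alone run: prints both renderings and the check result for each.
for (const [label, render] of [
  ["vulnerable", renderAutosubmitVulnerable],
  ["hardened", renderAutosubmitHardened],
]) {
  const html = render(SAMPLE_STAGE);
  console.log(`${label}: injected handler present = ${hasInlineEventHandler(html)}`);
  console.log(html);
}
```

In a real browser the cleaner fix is to avoid markup strings altogether: create the form and each input with `document.createElement`, assign `input.name` and `input.value` as properties, and append the nodes, so no value is ever parsed as HTML. Whichever approach is taken, the test to apply to any autosubmit-style stage is the one above: feed it a value with a quote and an event handler, and confirm the rendered page carries it only as inert text.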

Affected Systems

The affected product is authentik, published by goauthentik. The 2025.12 release line before 2025.12.5 and the 2026.2 release line before 2026.2.3 contain the flaw; the CVE description gives no other version boundary, so any installation on an older release should be treated as vulnerable until it is upgraded to one of the patched versions.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N, base score 9.3 (Critical): reachable over the network with low complexity and no privileges, but the victim must interact by following a crafted link, and the changed scope reflects script executing in the identity provider's origin with high confidentiality and integrity impact. The EPSS estimate is below 1% and the vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild was known at the time of writing. Exploitation requires only delivering a crafted URL to a user of the IdP, for example by phishing; once the user opens it, no further attacker interaction is needed.

Generated by OpenCVE AI on June 3, 2026 at 04:30 UTC.

Remediation

The vendor fix is contained in authentik 2025.12.5 and 2026.2.3, the versions the CVE description names as patched. No vendor workaround is listed.

OpenCVE Recommended Actions

  • Update authentik to 2025.12.5 or 2026.2.3 (or a later release on the same branch); these are the versions the CVE description names as containing the fix for the SFE AutosubmitStage XSS.
  • The CVE entry lists no vendor workaround. If the upgrade must be delayed, treat the IdP's flow endpoints, including the SFE used for legacy browsers, as exposed: restrict who can reach them (network ACLs or a reverse-proxy allowlist) and warn users not to follow untrusted links into the IdP until the patch is applied.
  • A WAF or reverse-proxy rule that drops obvious script payloads aimed at the flow endpoints can reduce exposure, but it is a compensating control only: reflected XSS filters are routinely bypassed, and the rule does not replace the upgrade.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Goauthentik; Goauthentik authentik
Vendors & Products | (none) | Goauthentik; Goauthentik authentik

Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.
Title | (none) | authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover
Weaknesses | (none) | CWE-79
References | (none) | (none shown)
Metrics | (none) | cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T20:30:43.839Z

Reserved: 2026-04-30T16:44:48.378Z

Link: CVE-2026-42849

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-02T21:16:27.670

Modified: 2026-06-02T21:16:27.670

Link: CVE-2026-42849

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T05:45:26Z

Weaknesses