Impact
The vulnerability is an XML Signature Wrapping (XSW) flaw in the SAML Source Assertion Consumer Service (ACS) endpoint of authentik. An attacker who holds a legitimate account at an upstream Identity Provider obtains a correctly signed SAML assertion for their own identity and embeds it in a crafted SAML response in which the identity data authentik acts on comes from a different, unsigned element; the signature still verifies, so the attacker can impersonate any user federated through that IdP. The weakness is classified as CWE-20 (Improper Input Validation) and CWE-347 (Improper Verification of Cryptographic Signature): the ACS accepts a document whose signature is valid but does not ensure that the signed element is the one it consumes, which lets the attacker bypass authentication and gain unauthorized access to resources that belong to other users.
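The following is an added example, not authentik's code, that shows the wrapping pattern the paragraph describes and the consumer-side check that defeats it. Real XMLDSig is replaced by a constructed stand-in (an HMAC-SHA256 over the canonical bytes of the element a ds:Reference points at); the element names, IDs, NameIDs and the shared key are assumptions made for the demonstration. The wrapping logic is the same as against real XMLDSig: the signature covers one element located by ID, and the bug is reading identity data from a different element.

```python
"""Added example (not authentik code): XML Signature Wrapping against a SAML ACS.

The signature scheme is a constructed stand-in for XMLDSig: HMAC-SHA256 over the
canonical bytes of the element named by ds:Reference/@URI.  The identities,
IDs and key below are invented for the demonstration.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

IDP_KEY = b"constructed-idp-signing-key"  # stand-in for the IdP's private key


def canonical_bytes(elem):
    """Serialise elem without its own ds:Signature child (enveloped signature)."""
    node = copy.deepcopy(elem)
    node.tail = None
    for sig in node.findall("ds:Signature", NS):
        node.remove(sig)
    return ET.tostring(node)


def idp_sign_assertion(name_id, assertion_id):
    """What the upstream IdP does: issue an assertion for name_id and sign it."""
    assertion = ET.Element(f"{{{SAML}}}Assertion", ID=assertion_id)
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    mac = hmac.new(IDP_KEY, canonical_bytes(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + assertion_id)
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = mac
    return assertion


def verify_signature(root, sig):
    """Return the element the signature actually covers, or None if invalid."""
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    value = sig.find("ds:SignatureValue", NS)
    if ref is None or value is None or not ref.get("URI", "").startswith("#"):
        return None
    targets = [e for e in root.iter() if e.get("ID") == ref.get("URI")[1:]]
    if len(targets) != 1:  # duplicate IDs are a classic wrapping trick
        return None
    expected = hmac.new(IDP_KEY, canonical_bytes(targets[0]), hashlib.sha256).hexdigest()
    return targets[0] if hmac.compare_digest(expected, value.text or "") else None


def wrap(signed_assertion, victim_name_id):
    """Attacker: place an unsigned assertion for the victim ahead of the signed one."""
    response = ET.Element(f"{{{SAMLP}}}Response")
    evil = ET.SubElement(response, f"{{{SAML}}}Assertion", ID="_wrapped")
    subject = ET.SubElement(evil, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = victim_name_id
    response.append(signed_assertion)  # still verifies: untouched, same ID
    return ET.tostring(response)


def legit_response(signed_assertion):
    response = ET.Element(f"{{{SAMLP}}}Response")
    response.append(signed_assertion)
    return ET.tostring(response)


def vulnerable_acs(response_xml):
    """Verifies that some signature is valid, then reads the first Assertion."""
    root = ET.fromstring(response_xml)
    sig = root.find(".//ds:Signature", NS)
    if sig is None or verify_signature(root, sig) is None:
        raise ValueError("signature invalid")
    # Bug: identity is taken by document order, not from the signed element.
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text


def hardened_acs(response_xml):
    """Accept exactly one Assertion, and only the element the signature covers."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)  # any depth
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)
    covered = verify_signature(root, sig) if sig is not None else None
    if covered is not assertion:
        raise ValueError("Assertion is not the element the signature covers")
    return assertion.find("saml:Subject/saml:NameID", NS).text


def demo():
    """Run both consumers over a legitimate and a wrapped response."""
    signed = idp_sign_assertion("attacker@example.com", "_a1")
    legit = legit_response(copy.deepcopy(signed))
    wrapped = wrap(copy.deepcopy(signed), "victim@example.com")
    results = {
        "vulnerable_legit": vulnerable_acs(legit),
        "vulnerable_wrapped": vulnerable_acs(wrapped),
        "hardened_legit": hardened_acs(legit),
    }
    try:
        results["hardened_wrapped"] = hardened_acs(wrapped)
    except ValueError as exc:
        results["hardened_wrapped"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable consumer logs the attacker in as victim@example.com because the signed assertion is intact and verifies, while the NameID it acts on is read from the unsigned sibling. The hardened consumer refuses any response with more than one Assertion and binds the identity it uses to the exact element the verified Reference resolved to, which is the property a SAML ACS must enforce regardless of the XMLDSig library underneath it.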
Affected Systems
The flaw affects the open‑source identity provider goauthentik:authentik. Versions released before 2025.12.5, 2026.2.3, and 2026.5.1 contain the vulnerability; deployments that have not upgraded to one of these fixed releases remain exposed wherever a SAML Source is configured.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity. The EPSS score of 0.00063 reflects a very low but non‑zero estimated probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The attack does not depend on a man‑in‑the‑middle position: the attacker is an ordinary user of the same IdP who completes a normal login, obtains a signed assertion for their own account, and submits a crafted SAML response built around it to authentik's ACS endpoint. Because a valid assertion from the same IdP is the only ingredient, the preconditions for exploitation are low; no privileged access to authentik and no code execution are required beyond the ability to submit the wrapped response.
OpenCVE Enrichment
Enrichment source: GitHub GHSA advisory.