CVE-2026-47201 - Vulnerability Details

- authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user

Description

authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1.

Published: 2026-06-02

Score: 8.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability stems from an XML Signature Wrapping flaw in the SAML Source ACS endpoint of authentik. An attacker holding a legitimate account at an upstream Identity Provider can reuse a correctly signed SAML assertion to impersonate any federated user. The weakness is classified as CWE‑20 (Improper Input Validation), allowing the attacker to bypass authentication controls and gain unauthorized access to resources that belong to other users.

Affected Systems

The flaw affects the open‑source identity provider goauthentik:authentik. Versions released before 2025.12.5, 2026.2.3, and 2026.5.1 contain the vulnerability; these releases are publicly accessible to customers that have not applied the patch.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. EPSS is currently unavailable, providing no quantifiable exploitation probability data, and the issue is not listed in the CISA KEV catalog. The likely attack vector is a man‑in‑the‑middle or a legitimate IdP user re‑authenticating through a maliciously crafted SAML response. Because the attacker only needs a valid assertion from the same IdP, the conditions for exploitation are relatively low; there is no requirement for privileged access or code execution beyond the ability to supply a forged assertion.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

goauthentik

authentik

affected

Version	Status	Constraints
`< 2025.12.5`	affected	—
`< 2026.2.3`	affected	—
`< 2026.5.1`	affected	—

No data.

Vendor Product Confidence Versions

Goauthentik

Authentik

100%

Version	Status	Scheme	Platform
`[0,2025.12.5)`	affected	semver	—
`[0,2026.2.3)`	affected	semver	—
`[0,2026.5.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade authentik to at least version 2025.12.5, 2026.2.3, or 2026.5.1 where the XML Signature Wrapping issue is fixed.
If a patch cannot be applied immediately, restrict or disable the SAML Source ACS endpoint for the affected upstream IdP until the fix can be installed.
Continuously review authentication logs for anomalous logins that may indicate attempts to misuse federated identities.

Generated by OpenCVE AI on June 3, 2026 at 04:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-c3m2-jqmq-pvp3	authentik's XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00063.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3

History

Wed, 03 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 03 Jun 2026 04:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Goauthentik Goauthentik authentik
Vendors & Products		Goauthentik Goauthentik authentik

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
Description		authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1.
Title		authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user
Weaknesses		CWE-20
References		https://github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3
Metrics		cvssV3_1 `{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Goauthentik Authentik

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-02T20:30:55.674Z

Updated: 2026-06-03T14:08:11.139Z

Reserved: 2026-05-18T22:07:37.436Z

Link: CVE-2026-47201

Vulnrichment

Updated: 2026-06-03T13:58:11.896Z

NVD

Status : Received

Published: 2026-06-02T21:16:27.940

Modified: 2026-06-02T21:16:27.940

Link: CVE-2026-47201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:30:05Z

Weaknesses

CWE-20

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object