Description
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
Published: 2026-06-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in authentik, an open-source identity provider, allows the Source stage to be bypassed by submitting a POST request with an empty payload. This bypass removes the normal authentication requirement, enabling an attacker to obtain access to the system without credentials. The vulnerability is a classic example of Broken Authentication (CWE-287) and can potentially compromise all data protected by the identity provider because it grants unauthorized control of user sessions.

Affected Systems

The issue affects the goauthentik:authentik product in all releases prior to 2025.12.6, 2026.2.4, and 2026.5.1. Releases before those versions contain the vulnerable Source stage code; the listed releases carry the fix.

Risk and Exploitability

With a CVSS score of 9.8 the flaw is classified as critical. The EPSS score is not available but the vulnerability involves a remote “empty POST” attack that can be performed over the network, suggesting a high likelihood of exploitation. It is not listed in CISA’s KEV catalog. An attacker can exploit the weakness by sending an empty POST to the Source stage endpoint, bypassing authentication and gaining unauthorized access to the identity provider. No additional prerequisites are disclosed in the advisory, implying the vector is straightforward for anyone with network reach to the authentication service.

Generated by OpenCVE AI on June 3, 2026 at 04:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade authentik to version 2025.12.6, 2026.2.4, or 2026.5.1 or later where the Source stage bypass is fixed.
  • Configure the authentication service to reject requests with missing or empty payloads, ensuring that only properly formed POST data is accepted.
  • Enable logging and alerts for failed or empty authentication attempts to detect and respond to potential bypass attempts.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 13:30:00 +0000

Values Removed: (none)
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 04:45:00 +0000

Values Removed: (none)
Values Added:
  First Time appeared: Goauthentik, Goauthentik authentik
  Vendors & Products: Goauthentik, Goauthentik authentik

Wed, 03 Jun 2026 02:30:00 +0000

Values Removed: (none)
Values Added:
  Description: authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
  Title: authentik: SourceStage bypass via empty POST
  Weaknesses: CWE-287
  References: (none)
  Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T12:46:25.064Z

Reserved: 2026-05-30T02:43:33.106Z

Link: CVE-2026-49448

Vulnrichment

Updated: 2026-06-03T12:46:12.447Z

NVD

Status : Received

Published: 2026-06-02T21:16:28.490

Modified: 2026-06-03T14:16:45.730

Link: CVE-2026-49448

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:30:05Z

Weaknesses