CVE-2026-41577— authentik: SAML source does not validate Conditions, timing, or audience on assertions
Possible ATT&CK Techniques 1AI
T1199 · Trusted RelationshipAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| goauthentik | authentik | < 2025.12.5 | affected |
< 2026.2.3 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41577
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
authentik: SAML source does not validate Conditions, timing, or audience on assertions
Source: NVD (National Vulnerability Database)
Vulnerability Description
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对数据真实性的验证不充分
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| goauthentik | authentik | < 2025.12.5 | - |
II. Public POCs for CVE-2026-41577
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41577
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-41577 (1)
Same Patch Batch · goauthentik · 2026-06-02 · 6 CVEs total
| CVE-2026-49448 | 9.8 CRITICAL | authentik: SourceStage bypass via empty POST |
| CVE-2026-42849 | 9.3 CRITICAL | authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover |
| CVE-2026-49443 | 8.8 HIGH | authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable th |
| CVE-2026-47201 | 8.5 HIGH | authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary fe |
| CVE-2026-41569 | authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to att |
IV. Related Vulnerabilities
Same product: authentik
- CVE-2026-49448
authentik: SourceStage bypass via empty POST - CVE-2026-49443
authentik: `UserSourceConnection.user` and `GroupSourceConne - CVE-2026-47201
authentik: XML Signature Wrapping in SAML Source ACS allows - CVE-2026-42849
authentik: Reflected XSS in SFE AutosubmitStage allows IDP a - CVE-2026-41569
authentik: WS-Federation wreply origin bypass can exfiltrate
Same vendor: goauthentik
- CVE-2026-49448
authentik: SourceStage bypass via empty POST - CVE-2026-49443
authentik: `UserSourceConnection.user` and `GroupSourceConne - CVE-2026-47201
authentik: XML Signature Wrapping in SAML Source ACS allows - CVE-2026-42849
authentik: Reflected XSS in SFE AutosubmitStage allows IDP a - CVE-2026-41569
authentik: WS-Federation wreply origin bypass can exfiltrate
Same weakness: CWE-345
- CVE-2022-4992
Dräger Infinity M540 VG4.1.1 Spoofed Network Message Handlin - CVE-2026-47696
WWBN AVideo: Authenticated wallet credit bypass in Authorize - CVE-2026-9189
Contact Form 7 – PayPal & Stripe Add-on <= 2.4.9 - Unauthent - CVE-2026-3012
Samba: group policy certificate enrollment uses http:// with - CVE-2026-41164
nuts-node: JWT type confusion in v1 access token introspecti
V. Comments for CVE-2026-41577
No comments yet