authentik Identity Platform: 4 Flaws Let Attackers Skip Login, CVE-2026-49448 — Update Now
Four serious vulnerabilities have been found in authentik, the identity platform widely used for single sign-on. The worst lets an unauthenticated attacker skip an authentication step by sending empty data and log in as someone else (CVE-2026-49448, CVSS 9.8). Here are the affected versions, the patched releases to update to now, and how to check.

Makoto Horikawa
Backend Engineer / AWS / Django
Four vulnerabilities have been disclosed in authentik, the self-hosted system many companies use to centralize logins across their internal apps. The most serious lets an attacker who is not logged in skip an entire authentication step simply by sending an "empty" piece of data (CVE-2026-49448, severity CVSS 9.8). authentik is a single sign-on platform that lets one ID unlock many services, and as a product you run on your own servers it has earned over ten thousand stars on GitHub.
An identity platform like authentik holds the "front door" to the email, chat, expense, and source-code tools a company runs internally. Break that door and the damage can cascade to every connected service. The four issues differ in severity and in the conditions needed to exploit them, so they are not all "instantly exploitable by anyone." This article walks through which flaw is dangerous under which conditions, whether your environment is affected, and which version to update to.
The four vulnerabilities at a glance
Here are the four side by side. The key columns are "is a login required" and "is a specific feature in use." Even a high number (CVSS) covers a narrower real-world blast radius when exploitation requires particular settings or privileges.
| ID | What happens | Login | CVSS | Precondition |
|---|---|---|---|---|
| CVE-2026-49448 | Skip an auth step, bypass external login | Not needed | 9.8 | Flow uses a source stage |
| CVE-2026-42849 | Inject a script into the login page | Not needed (lure required) | 9.3 | Legacy-browser simple flow in use |
| CVE-2026-49443 | Log in as someone else | Needed (low priv) | 8.8 | Rights to change a connection + account |
| CVE-2026-47201 | Impersonate via federated login | Needed (upstream account) | 8.5 | SAML federation in use |
The two to watch most are the ones that need no login. CVE-2026-49448 (CVSS 9.8) assumes a setup that includes an external-login step, but when those conditions line up the authentication itself can be skipped. CVE-2026-42849 (CVSS 9.3) needs the extra step of luring a user to a crafted page. The other two require a login or a degree of privilege. Either way, the fix boils down to one action: update to a patched release.
When the gate opens for an empty envelope, and who walks in as your staff
authentik holds the "ring of keys" to nearly every app a company uses, all in one place. That is exactly why the meaning of CVE-2026-49448, where that ring can be walked past with a single empty piece of data, lands faster when you look at it from the side of the people who want it, rather than from the CVSS number. What is being defended is not one server, but every downstream system it unlocks.
The people who reach for this hole are cyber-theft crews that slip into other companies' networks to siphon customer lists and sales figures, initial-access brokers who acquire nothing but an entry point and resell it to other groups, and people posing as departed employees or vendors trying to get back into a former employer's systems. What they want is employees' email bodies, payroll and performance-review files, customers' personal data, the back catalog of internal chat, and the password to the cloud admin console. Once they are let through a hole that skips authentication, an attacker can stand inside as a legitimate employee and seize the rights to reach all of it head-on.
The danger of breaking an identity platform is that the damage does not stop at one app. Single sign-on means "one login gets you into every connected service," so breach the entry point once and email, chat, expenses, and source-code management all get flooded under legitimate-looking logins. An attacker first quietly scouts the admin settings and user list, builds an unremarkable low-privilege foothold, and then widens sideways into impersonation or privilege escalation, as with CVE-2026-49443. A single point at the door becomes a corridor into the whole company.
A CVSS of 9.8 reflects only the technical ceiling of severity. For the IT staff who stood up authentik and entrusted it with their organization's logins, the real loss is not knowing who walked off with what, when, and impersonating which employee. Even combing the logs afterward, an intrusion that looks like a normal login is hard to tell apart, leaving teams chasing the scope of impact, notifying every user, and resetting passwords en masse. That is why how quickly you can check whether your environment meets the conditions, and whether you can move to a patched release, decides your safety.
What authentik actually is
authentik is an "identity provider" that lets employees log in to many internal apps with one ID and password. It fills the same role as commercial services like Okta, Auth0, and Microsoft's identity service, but as an open-source product you can stand up on your own servers for free, used everywhere from small internal test setups to large production deployments. A defining trait is that the login procedure is designed as a combination of building blocks called a "flow."
Inside that flow you can insert a step that logs users in via an external service (a "source stage"), such as Google, GitHub, or another in-house auth system. The most serious issue, CVE-2026-49448, is precisely a flaw in this source stage. authentik is published under the permissive MIT license, so anyone can read the source, which also makes for fertile ground where researchers analyze it and the maintainers publish fixes quickly.
The maintainer, Authentik Security, disclosed all four issues through GitHub Security Advisories and shipped patched releases. This was not uncovered through an external breach; it was announced alongside the fixes. As with the Cloud Foundry case where an auth server leaked a private key, when a hole appears in the authentication "foundation" itself, every service sitting on top of it is exposed.
Looking at the four, one by one
Here is "who, under what conditions, can do what" for each flaw, in order of severity. The formal descriptions are based on the maintainer's official advisories and the U.S. National Vulnerability Database (NVD).
CVE-2026-49448: Skip an auth step by sending empty data (CVSS 9.8)
The official advisory states it plainly: "The Source stage can be bypassed by sending an empty POST." A POST is the basic way a web browser sends data to a server. In authentik, when an empty body is sent to the external-login step (the source stage), the flow advances to the next step without the validation it should require. According to the maintainer, the conditions are that a flow contains a source stage, that the source exposes an "external login button," and that an attacker can reach the stage; when they hold, the attacker can effectively skip that stage, and with it the external authentication it was meant to enforce. No login is required (the rating vector is PR:N, no privileges), making this the widest-reaching of the four.
CVE-2026-42849: Inject a malicious script into the login page (CVSS 9.3)
Per the NVD, the simplified login screen built to work on older browsers (the SFE, or Simple Flow Executor) was implemented in a way that made cross-site scripting possible in its auto-submit step (the AutosubmitStage); the weakness is classed as CWE-79. Cross-site scripting is an attack that embeds the attacker's script (a small program) into a web page so it runs in the browser of whoever opens it. On a login screen, that can lead to stealing the credentials entered or acting as the user. No privileges are required, but it assumes the extra step of luring a user to a crafted page. This issue was patched slightly ahead of the other three.
CVE-2026-49443: Log in as someone else (CVSS 8.8)
The official advisory states: "An attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account." The cause is that in the part of authentik handling external-service connection data, the fields for "which user or group this maps to," which should not be editable, can be changed through the management interface (the API) (CWE-287, improper authentication). Exploitation assumes a logged-in user with a degree of rights to change connection data, but if it succeeds it leads to impersonating others, including administrators.
CVE-2026-47201: Swap the signature on a federated login to impersonate (CVSS 8.5)
Per the NVD, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses, so an attacker with any account at the upstream identity system can reuse a validly signed authentication response to impersonate another user. SAML is a shared mechanism for passing an authentication result, "this person is who they say," between separate systems. There is a gap in verifying the digital signature used in that hand-off, allowing the genuine signature to be kept while only the identity inside is swapped. SAML-federated environments are affected; as a stopgap, the maintainer suggests disabling the affected SAML sources or blocking access to their endpoints.
Has exploitation been confirmed?
Here is what is known versus what is not yet confirmed.
✓ Confirmed facts
- The maintainer, Authentik Security, disclosed all four via official advisories and shipped patched releases
- The two that need no login are CVE-2026-49448 (9.8) and CVE-2026-42849 (9.3) (NVD)
- The other two (CVE-2026-49443, CVE-2026-47201) require a login, some privilege, or federation in use
? Not yet confirmed
- Real-world exploitation — as of this writing, none are listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public exploit code has been confirmed
- Details on the finder/reporter — information remains limited to the official advisories, with little third-party technical verification so far
Your version and the patched-release cheat sheet
The basic fix is to update to the patched release for your authentik branch. The three issues including the serious CVE-2026-49448 are all fixed in the same release, and the fix for CVE-2026-42849, which shipped a bit earlier, is naturally included if you move to the latest. When in doubt, move to the newest release of your branch.
| Branch in use | Affected versions | Update to (patched) |
|---|---|---|
| 2025.12 line | 2025.12.5 and earlier | 2025.12.6 |
| 2026.2 line | 2026.2.3 and earlier | 2026.2.4 |
| 2026.5 line | 2026.5.0 | 2026.5.1 |
| XSS (CVE-2026-42849) only | < 2025.12.5, < 2026.2.3 | Fixed in 2025.12.5 and 2026.2.3 |
Always confirm the exact affected range and the latest patched release on the authentik releases page and the individual advisories. If you cannot update immediately, the maintainer offers a stopgap for the SAML flaw (CVE-2026-47201): disable the affected SAML sources, or block access to their endpoints. To track significant vulnerabilities systematically, see our roundup of major vulnerabilities in the first half of 2026.
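To turn the table above into a repeatable check, here is a small Python helper added for this article (not authentik project code) that classifies a version string against the listed branches; the `/api/v3/admin/version/` endpoint and its `version_current` key are assumptions to verify against your deployment.

```python
"""Check a running authentik version against the patched releases in this
article's table. Added example, not authentik project code; the branch table
below is transcribed from the article and should be re-checked against the
official releases page."""
from typing import NamedTuple, Optional

# (major, minor) branch -> (first release fixing all four CVEs,
#                           first release that already fixed the XSS CVE-2026-42849).
# The article lists no separate XSS-only fix for the 2026.5 line, so that line
# is taken to include it already (None below).
PATCHED = {
    (2025, 12): ((2025, 12, 6), (2025, 12, 5)),
    (2026, 2): ((2026, 2, 4), (2026, 2, 3)),
    (2026, 5): ((2026, 5, 1), None),
}


class Assessment(NamedTuple):
    branch: str
    status: str               # "patched" | "vulnerable-three" | "vulnerable-all" | "unknown-branch"
    update_to: Optional[str]  # release to move to; None when already patched or branch unknown


def parse_version(text: str) -> tuple:
    """'v2026.2.3-rc1' -> (2026, 2, 3): drops a leading 'v' and any -rc/+build suffix."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def assess(text: str) -> Assessment:
    ver = parse_version(text)
    branch = ver[:2]
    label = f"{branch[0]}.{branch[1]}"
    if branch not in PATCHED:
        # Not covered by the article's table: consult the releases page rather than assume safety.
        return Assessment(label, "unknown-branch", None)
    full_fix, xss_fix = PATCHED[branch]
    if ver >= full_fix:
        return Assessment(label, "patched", None)
    target = ".".join(map(str, full_fix))
    if xss_fix is not None and ver < xss_fix:
        return Assessment(label, "vulnerable-all", target)    # all four CVEs open, XSS included
    return Assessment(label, "vulnerable-three", target)      # XSS fixed, the other three still open


def assess_api_payload(payload: dict) -> Assessment:
    """Assumption: authentik's /api/v3/admin/version/ JSON reports the running
    version under 'version_current'; verify the key against your deployment."""
    return assess(payload["version_current"])


if __name__ == "__main__":
    for v in ("2025.12.4", "2026.2.3", "2026.5.0", "v2026.5.1", "2025.10.2"):
        print(v, assess(v))
```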
What admins should check right now
The top priority is to confirm the version of authentik you run and update to the patched release in the table above. Environments that build in logins via external services such as Google, GitHub, or another in-house system are especially exposed to the most serious CVE-2026-49448, so check first whether your login flow includes a source stage. Environments using SAML federation may be affected by CVE-2026-47201.
After updating, it is also worth reviewing suspicious login history. Authentication-bypass and impersonation flaws look like legitimate logins even when exploited, so any damage is hard to spot. For environments with cause for concern, ending user sessions to force re-login and rotating the passwords of critical accounts are also options. Flaws aimed at the authentication foundation keep coming: the config injection in the OpenShift container platform (CVE-2026-1784) and the data exposure in enterprise CMS Sitefinity are recent examples, and keeping the "front door" of your systems current matters more than ever.
Frequently asked questions
Q. Is CVE-2026-49448 (CVSS 9.8) dangerous on every authentik?
A. No. Exploitation assumes that the login flow includes an external-login step (a source stage), that the source exposes an external-login button, and that an attacker can reach that step. That said, external login is a widely used feature, so affected environments should update to a patched release promptly.
Q. Which ones are truly dangerous without a login?
A. The two exploitable without a login are CVE-2026-49448 and CVE-2026-42849. However, 49448 assumes an external-login step is in use, and 42849 requires the extra step of luring a user to a crafted page. Affected environments should update to the latest patched release.
Q. Which version should I update to?
A. By branch, the patched releases are 2025.12.6, 2026.2.4, and 2026.5.1 or later. The XSS issue (CVE-2026-42849) was fixed earlier in 2025.12.5 and 2026.2.3, but moving to the latest resolves all four. Confirm the exact details on authentik's official releases and advisories.
Q. If I don't use authentik, am I unaffected?
A. Yes, these four are specific to authentik. That said, identity platforms in general, including Okta and Auth0, hold the front door to all of a company's apps, so a hole here has wide-reaching impact. If you run your own identity platform, regardless of product, make version tracking and updates a habit.
Summary
Four vulnerabilities have been disclosed in authentik, the identity platform used for single sign-on across internal apps. The two to watch most are the login-free CVE-2026-49448 (CVSS 9.8, skipping an auth step by sending empty data) and CVE-2026-42849 (CVSS 9.3, injecting a malicious script into the login page). The numbers are severe, but many require preconditions such as an external-login step or luring a user, so they are not all "instantly exploitable by anyone." The fix is simple: update to the patched release for your branch (2025.12.6, 2026.2.4, or 2026.5.1 or later). Environments using external-service logins or SAML federation are especially high priority, and after updating you should plan through to reviewing suspicious login history. A hole in the authentication foundation echoes across every service sitting on top of it.
References
- authentik - GitHub Security Advisories (official advisory list)
- NVD - CVE-2026-49448 (skip an auth step via empty data, CVSS 9.8)
- NVD - CVE-2026-42849 (script injection into the login page, CVSS 9.3)
- NVD - CVE-2026-49443 (log in as someone else, CVSS 8.8)
- NVD - CVE-2026-47201 (federated-login signature swap, CVSS 8.5)
- authentik official site
- authentik official releases page