CVE 9.8 CRITICAL

authentik: SourceStage bypass via empty POST_CVE-2026-49448

June 2, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

AI Analysis

Source stage bypass via empty POST in authentik

Basic Information

ID CVE-2026-49448

Source GitHub_M

Published Jun 2, 2026 at 20:31

Affected Product

Vendor goauthentik

Product authentik

Version < 2025.12.6

Affected Versions goauthentik authentik < 2025.12.6
goauthentik authentik < 2026.2.4
goauthentik authentik < 2026.5.1

CWE Classification

CWE-287

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor goauthentik

Product authentik

Version < 2025.12.6, < 2026.2.4, < 2026.5.1

References

github.com /goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8

{
    "lastseen": "",
    "description": "authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.",
    "published": "2026-06-02T20:31:20.323Z",
    "modified": "2026-06-02T20:31:20.323Z",
    "type": "cve",
    "title": "authentik: SourceStage bypass via empty POST",
    "source": "GitHub_M",
    "references": "https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8",
    "id": "CVE-2026-49448",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "goauthentik authentik < 2025.12.6\ngoauthentik authentik < 2026.2.4\ngoauthentik authentik < 2026.5.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "authentik",
    "version": "< 2025.12.6",
    "vendor": "goauthentik",
    "ai_description": "Source stage bypass via empty POST in authentik",
    "ai_severity": "Critical",
    "ai_vendor": "goauthentik",
    "ai_product": "authentik",
    "ai_version": "< 2025.12.6, < 2026.2.4, < 2026.5.1",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply