CVE-2026-47201
Published 2026-06-02. CVE-2026-47201: authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML…
Priority P3 54 | Severity: high | CVSS 3.1 base score: 8.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.16% (5.8th percentile)
authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| goauthentik | authentik | < 2025.12.5 | 2025.12.5 |
| goauthentik | authentik | < 2026.2.3 | 2026.2.3 |
| goauthentik | authentik | < 2026.5.1 | 2026.5.1 |
| goauthentik | authentik | < 2025.12.6 | 2025.12.6 |
| goauthentik | authentik | >= 2026.2.0 < 2026.2.4 | 2026.2.4 |
| goauthentik | authentik | >= 2026.5.0 < 2026.5.1 | 2026.5.1 |
VulDB
goauthentik up to 2025.12.4/2026.2.2/2026.5.0 Source ACS Endpoint assertion (GHSA-c3m2-jqmq-pvp3)
vuldb·2026-06-03·CVSS 8.5
A vulnerability classified as problematic has been found in goauthentik authentik up to 2025.12.4/2026.2.2/2026.5.0. This issue affects some unknown processing of the component Source ACS Endpoint. Performing a manipulation results in reachable assertion.
This vulnerability is identified as CVE-2026-47201. The attack can be initiated remotely. There is not any exploit available.
It is recommended to upgrade the affected component.
GHSA
authentik's XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user
ghsa·2026-05-29
CVE-2026-47201 [HIGH] CWE-287 authentik's XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user
### Summary
authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user.
### Patches
authentik 2026.5.1, 2026.2.4 and 2025.12.6 fix this issue.
### Impact
Affected: authentik deployments using a SAML Source for upstream SAML federation with signed assertions, or signed responses without signed assertions. Not affected: deployments that do not use SAML Source for upstream SAML federation.
The SAML Source trusts that the verified XML signature belongs to the assertion or response that authentik later c
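The defect class the advisory names comes down to one missing binding: the XML signature is verified against whatever element its Reference points at, but the assertion that is then consumed is located independently (for example, the first Assertion in document order), so the two need not be the same element. The Python below is an added illustration written for this page, not authentik's code or its fix. It assumes an XML-DSig library has already verified the SignatureValue cryptographically, uses only the standard SAML 2.0 and xmldsig namespaces, and runs against two constructed sample responses: one well-formed, and one where an unsigned assertion precedes the signed one. The hardened consumer rejects the second document because the consumed assertion is not the signed element and because more than one assertion is present at all.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 and XML Digital Signature namespace URIs.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION = "{%s}Assertion" % NS["saml"]
SIGNATURE = "{%s}Signature" % NS["ds"]


def elements_by_id(root):
    """Map each ID attribute value to the elements carrying it; a duplicated ID is a red flag."""
    ids = {}
    for el in root.iter():
        ident = el.get("ID")
        if ident is not None:
            ids.setdefault(ident, []).append(el)
    return ids


def signed_element(root):
    """Return the element the enveloped signature covers, or None if the document is ambiguous.

    Cryptographic verification of SignatureValue is assumed to have happened already;
    this only answers *which* element that verified signature is bound to.
    """
    sigs = list(root.iter(SIGNATURE))
    if len(sigs) != 1:
        return None                      # zero or several signatures: refuse
    refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return None
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        return None                      # only same-document references are meaningful here
    targets = elements_by_id(root).get(uri[1:], [])
    if len(targets) != 1:
        return None                      # referenced ID missing or duplicated
    target = targets[0]
    if sigs[0] not in list(target):
        return None                      # an enveloped signature must be a child of what it covers
    return target


def naive_subject(xml_bytes):
    """Vulnerable pattern: take the first Assertion in document order, unrelated to what was signed."""
    root = ET.fromstring(xml_bytes)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    return None if name_id is None else name_id.text


def accepted_subject(xml_bytes):
    """Hardened pattern: return the NameID of the one assertion safe to consume, else None."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1:
        return None                      # any extra assertion anywhere in the tree: reject
    assertion = assertions[0]
    covered = signed_element(root)
    # The signed element must be the Response itself or exactly the assertion being consumed.
    if covered is None or (covered is not root and covered is not assertion):
        return None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return None if name_id is None else name_id.text


# Constructed fixtures (not real IdP output); SignatureValue is a placeholder.
_XMLNS = (b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
          b'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"')
_SIGNED_ASSERTION = (
    b'<saml:Assertion ID="_a1">'
    b'<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
    b'<ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>'
    b'<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
    b'</saml:Assertion>')
GOOD = b'<samlp:Response ' + _XMLNS + b' ID="_r1">' + _SIGNED_ASSERTION + b'</samlp:Response>'
# Second document: an unsigned assertion comes first, the signed one is tucked away later.
WRAPPED = (b'<samlp:Response ' + _XMLNS + b' ID="_r1">'
           b'<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>bob@example.test</saml:NameID>'
           b'</saml:Subject></saml:Assertion>'
           b'<samlp:Extensions>' + _SIGNED_ASSERTION + b'</samlp:Extensions>'
           b'</samlp:Response>')

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("wrapped", WRAPPED)):
        print(label, "naive:", naive_subject(doc), "| hardened:", accepted_subject(doc))
```

The design point is the identity comparison (`covered is not assertion`) rather than a comparison of ID strings: resolving by ID a second time would reintroduce the same ambiguity if IDs are duplicated, which is why `elements_by_id` also refuses duplicates. Rejecting any document with more than one Assertion is stricter than the SAML specification requires, but it is the cheapest way to make wrapping positions irrelevant.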
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.