CVE-2026-49443
published 2026-06-02

Priority: P358
Severity: high, 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% (21.5th percentile)
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

Affected

5 ranges

Vendor       Product     Version range              Fixed in
goauthentik  authentik   < 2026.2.4                 2026.2.4
goauthentik  authentik   < 2026.5.1                 2026.5.1
goauthentik  authentik   < 2025.12.6                2025.12.6
goauthentik  authentik   >= 2026.2.0, < 2026.2.4    2026.2.4
goauthentik  authentik   >= 2026.5.0, < 2026.5.1    2026.5.1