authentik lets users escalate privileges
CVE-2026-25227
Users with "Can view Property Mapping" permission can gain admin access. Update to authentik 2025.12.4 or later to fix.
Patch now - CVE-2026-25227 is a critical RCE in authentik 2021.3.1 through 2025.12.3 that grants authenticated users with view permissions the ability to execute arbitrary code on the server. Upgrade immediately to versions 2025.8.6, 2025.10.4, or 2025.12.4 to prevent full system compromise.
Overview
A critical security vulnerability has been identified in authentik, a widely used open-source Identity Provider. This flaw allows authenticated users with specific, relatively low-level permissions to execute arbitrary code on the authentik server itself. This compromises the core security of the identity management system.
Vulnerability Explained
In affected versions, authentik includes a “test” or “preview” feature that lets administrators check how certain rules (Property Mappings and Expression Policies) will evaluate. This feature was not properly secured: any user account holding one of two specific view permissions (“Can view * Property Mapping” or “Can view Expression Policy”) can call the test endpoint and, instead of merely previewing a rule, submit its own code, which the authentik server then executes.
Impact on Your Systems
The impact of this vulnerability is severe (CRITICAL, CVSS 9.1). A successful exploit would allow an attacker with a low-privileged account to:
- Take Full Control: Execute any command within the authentik server container, potentially leading to a complete system compromise.
- Steal Sensitive Data: Access all user credentials, tokens, and personal information managed by the identity provider.
- Disrupt Services: Modify, delete, or disrupt authentik’s operations, causing widespread authentication failures for all connected applications.
- Move Laterally: Use the compromised container as a foothold to attack other parts of your network.
Remediation and Mitigation
Immediate action is required to secure your authentik deployment.
1. Primary Remediation (Recommended): Upgrade your authentik installation immediately to a patched version. The fix is included in:
- Version 2025.8.6 (for the 2025.8 stream)
- Version 2025.10.4 (for the 2025.10 stream)
- Version 2025.12.4 (for the 2025.12 stream)
If you are running any version from 2021.3.1 up to (but not including) the fixed versions listed above, you are vulnerable and must upgrade.
2. Temporary Mitigation: If an immediate upgrade is not possible, review and restrict user permissions right away. Audit all user accounts and ensure that no user holds the “Can view * Property Mapping” or “Can view Expression Policy” permission unless it is absolutely necessary; remove these permissions from any user who does not have an explicit, essential administrative need for them. This significantly reduces the attack surface.
Next Steps: After applying the patch, it is best practice to rotate any secrets and credentials managed by authentik and to review server logs for any signs of suspicious activity prior to the update.
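As an added example (not code from the advisory or from the authentik project), the check below encodes the affected range and the three fixed releases given above so that an inventory of deployments can be triaged offline; treating release streams newer than 2025.12 as already patched is an assumption, and the hostnames and versions in the sample inventory are constructed.

```python
# Triage authentik versions against the range stated in this advisory.
# Affected from 2021.3.1; first fixed patch level per stream, as listed above.
FIRST_AFFECTED = (2021, 3, 1)
FIXED_IN = {(2025, 8): 6, (2025, 10): 4, (2025, 12): 4}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '2025.10.3' (or 'v2025.10') into (year, stream, patch)."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised authentik version: {text!r}")
    year, stream = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return year, stream, patch


def is_vulnerable(version: str) -> bool:
    """True if this version falls inside the advisory's affected range."""
    year, stream, patch = parse_version(version)
    if (year, stream, patch) < FIRST_AFFECTED:
        return False
    fixed_patch = FIXED_IN.get((year, stream))
    if fixed_patch is not None:
        return patch < fixed_patch  # e.g. 2025.12.3 vulnerable, 2025.12.4 fixed
    if (year, stream) > (2025, 12):
        return False  # assumption: streams cut after 2025.12 ship the fix
    return True  # older streams (e.g. 2025.6.x) never received a backport


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> 'VULNERABLE' / 'patched'; unparseable versions -> 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "VULNERABLE" if is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "idp-prod-1": "2025.12.3",
    "idp-prod-2": "2025.12.4",
    "idp-staging": "2025.6.4",
    "idp-legacy": "2021.2.9",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {status}")
```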