authentik SAML bypasses assertion checks

Vendor-confirmed - CVE-2026-25922 is a high authentication bypass in authentik SAML Sources starting from the earliest affected release up to 2025.12.3 that lets attackers impersonate any user without valid credentials. Immediate upgrade to patched versions 2025.8.6, 2025.12.4, or 2025.10.4 is required to block exploitation.

Overview

A critical security vulnerability has been identified in the authentik open-source identity provider. This flaw could allow an attacker to bypass authentication controls and impersonate legitimate users.

Vulnerability Explained

authentik uses the SAML protocol for single sign-on. In affected versions, a specific misconfiguration in SAML Sources creates a security weakness. If an administrator has enabled “Verify Assertion Signature” but not “Verify Response Signature,” or has left the “Encryption Certificate” setting blank, the system becomes vulnerable.

In simple terms, authentik could be tricked into processing the wrong part of a SAML login message. An attacker could insert a malicious, unsigned user identity claim before the legitimate, signed one. Due to the flaw, authentik would incorrectly use the attacker’s claim, granting them unauthorized access.

Potential Impact

The impact of this vulnerability is severe (CVSS: 8.8 - HIGH). A successful exploit would allow an attacker to:

• Impersonate any user within the identity provider, including administrators.
• Gain unauthorized access to all applications and systems that rely on the vulnerable authentik instance for authentication.
• Potentially steal sensitive data, perform actions as another user, or move laterally through a network.

Any authentik deployment using SAML Sources with the described configuration is at risk.

Remediation and Mitigation

Immediate action is required to secure affected systems.

Primary Remediation: The issue is fixed in the following authentik versions:

• Version 2025.8.6
• Version 2025.12.4
• Version 2025.10.4

Action Steps:

1. Upgrade Immediately: Update your authentik installation to one of the patched versions listed above. This is the only complete solution.
2. Review SAML Source Configuration: If an immediate upgrade is not possible, audit all SAML Sources. Ensure that both “Verify Assertion Signature” and “Verify Response Signature” are enabled. Additionally, confirm that an “Encryption Certificate” is properly configured in the Advanced Protocol settings. This configuration change will mitigate the vulnerability until an upgrade can be performed.
3. Monitor for Suspicious Activity: Review authentication logs for any unusual login patterns or successes from unexpected locations, as exploitation may leave traces.

You should plan and execute the upgrade to a patched version as your highest priority to fully resolve this security risk.