CVE-2026-47201
Severity: HIGH (8.5)
authentik's XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user
Description
### Summary

authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping (XSW) when validating upstream SAML responses. An attacker who holds any account at the upstream IdP can reuse a validly signed assertion to authenticate as a different federated user.

### Patches

authentik 2026.5.1, 2026.2.4 and 2025.12.6 fix this issue.

### Impact

Affected: authentik deployments that use a SAML Source for upstream SAML federation, whether the IdP signs the assertion or signs only the response and leaves the assertion unsigned.

Not affected: deployments that do not use a SAML Source for upstream SAML federation.

The SAML Source verifies an XML signature and then assumes that the signed element is the same assertion or response it later consumes; nothing ties the verified element to the consumed one. A crafted SAML response can therefore make signature verification succeed against the attacker's original signed assertion while authentik reads identity data from a different, forged assertion in the same document.

An attacker first completes a legitimate login to the upstream IdP and captures the signed SAML response as it passes through their browser. They then submit a modified response to the ACS endpoint in which the original signature still verifies, but the assertion that authentik consumes carries a victim identifier or attacker-chosen attributes. The attacker can authenticate as a victim who has previously used the SAML Source, or as a local user matched by a forged email or username when those user-matching modes are enabled.

### Workarounds

Disable the affected SAML Sources, or block access to their ACS endpoints, until the fix is deployed.

### For more information

If there are any questions or comments about this advisory:

- Send an email to [[email protected]](mailto:[email protected])
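The flaw described above, verifying one element and consuming another, is easy to reproduce against a toy consumer. The following is an added example written for this page; it is not authentik's code and does not show authentik's actual fix. Real XML-DSig is replaced by a stand-in (HMAC-SHA256 over the referenced element serialized with its enveloped `ds:Signature` removed) so that the script runs with the Python standard library alone; the attack and the hardening are structural and do not depend on that substitution. All SAML messages, IDs (`_a1`, `_forged`) and identities (`attacker@example.com`, `victim@example.com`) are constructed. The example covers the signed-assertion case; a consumer of a signed response with an unsigned assertion has to apply the same rule, consume only what the verified signature actually covers.

```python
"""XML Signature Wrapping (XSW) against a SAML response consumer.
Added example, not authentik's code. Real XML-DSig is replaced by a stand-in:
HMAC-SHA256 over the referenced element serialized with its enveloped
ds:Signature removed. The structural flaw and its fix are the same as with
real XML-DSig. Standard library only; every SAML message here is constructed."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
IDP_KEY = b"constructed-idp-signing-key"  # stand-in for the IdP's private key

def q(prefix, tag):
    """Clark-notation name for ElementTree: {namespace-uri}tag."""
    return "{%s}%s" % (NS[prefix], tag)

def digest(element):
    """Stand-in signature: HMAC over `element` with its own ds:Signature stripped
    (the enveloped-signature transform)."""
    clone = copy.deepcopy(element)
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return hmac.new(IDP_KEY, ET.tostring(clone), hashlib.sha256).hexdigest()

def build_assertion(name_id, assertion_id):
    a = ET.Element(q("saml", "Assertion"), ID=assertion_id)
    ET.SubElement(ET.SubElement(a, q("saml", "Subject")), q("saml", "NameID")).text = name_id
    return a

def idp_sign(assertion):
    """IdP: append a ds:Signature whose Reference URI is the assertion's ID."""
    sig = ET.SubElement(assertion, q("ds", "Signature"))
    info = ET.SubElement(sig, q("ds", "SignedInfo"))
    ET.SubElement(info, q("ds", "Reference"), URI="#" + assertion.get("ID"))
    ET.SubElement(sig, q("ds", "SignatureValue")).text = digest(assertion)

def idp_response(name_id):
    """The legitimate signed response the attacker captures from their own login."""
    resp = ET.Element(q("samlp", "Response"), ID="_resp1")
    assertion = build_assertion(name_id, "_a1")
    resp.append(assertion)
    idp_sign(assertion)
    return ET.tostring(resp)

def wrap(signed_response, victim_name_id):
    """Attacker: leave the signed assertion untouched so its signature still
    verifies, and insert a forged, unsigned assertion ahead of it."""
    resp = ET.fromstring(signed_response)
    resp.insert(0, build_assertion(victim_name_id, "_forged"))
    return ET.tostring(resp)

def vulnerable_consume(response_bytes):
    """Verifies whichever element the Signature references, then reads identity
    from the first Assertion in the document. Nothing ties the two together."""
    resp = ET.fromstring(response_bytes)
    ref_uri = resp.find(".//ds:Reference", NS).get("URI")
    referenced = resp.find(".//saml:Assertion[@ID='%s']" % ref_uri[1:], NS)
    if not hmac.compare_digest(digest(referenced), resp.find(".//ds:SignatureValue", NS).text):
        raise ValueError("bad signature")
    first = resp.find("saml:Assertion", NS)  # the forged one, if any
    return first.find("saml:Subject/saml:NameID", NS).text

def hardened_consume(response_bytes):
    """Allows exactly one Assertion anywhere in the document, requires its
    enveloped Signature to reference that very element, and only then reads it."""
    resp = ET.fromstring(response_bytes)
    assertions = resp.findall(".//saml:Assertion", NS)  # nested ones included
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("consumed assertion is not signed")
    if sig.find("ds:SignedInfo/ds:Reference", NS).get("URI") != "#" + assertion.get("ID"):
        raise ValueError("signature does not reference the consumed assertion")
    if not hmac.compare_digest(digest(assertion), sig.find("ds:SignatureValue", NS).text):
        raise ValueError("bad signature")
    return assertion.find("saml:Subject/saml:NameID", NS).text

def demo():
    """Both consumers against the genuine and the wrapped response."""
    genuine = idp_response("attacker@example.com")
    wrapped = wrap(genuine, "victim@example.com")
    results = {"vulnerable/genuine": vulnerable_consume(genuine),
               "vulnerable/wrapped": vulnerable_consume(wrapped),
               "hardened/genuine": hardened_consume(genuine)}
    try:
        results["hardened/wrapped"] = hardened_consume(wrapped)
    except ValueError as exc:
        results["hardened/wrapped"] = "rejected: %s" % exc
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-19s %s" % (case, outcome))
```

The vulnerable consumer never fails signature verification on the wrapped message, because the signed assertion is still present and untouched; it simply reads identity from a sibling element the signature never covered. The hardened consumer makes three checks that the vulnerable one lacks: there is exactly one assertion in the whole document (nested copies count), the signature is an enveloped child of the element about to be consumed, and its Reference URI names that element's own ID. Only after those pass is the signature value checked and the subject read.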
Affected packages (1)
- Go / goauthentik.io: affected from 0, < 0.0.0-20260528144335-a370d76d23c7 (the Go pseudo-version of the fix commit; the corresponding authentik releases are listed under Patches)
CVSS scores
| Source | CVSS version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |

PR:L in the vector corresponds to the precondition stated in the description: the attacker needs an account at the upstream IdP.