Arbitrary Code Execution Vulnerability in Authentik Identity Provider by GoAuthentik
CVE-2026-25227

9.1 CRITICAL

Key Information:

CVE Published: 12 February 2026

What is CVE-2026-25227?

A critical vulnerability in the authentik identity provider allows users who hold one of two delegated permissions ('Can view Property Mapping' or 'Can view Expression Policy') to execute arbitrary code in the authentik server container. The code runs through the test endpoint that previews property mappings or expression policies. Affected versions start at 2021.3.1; the issue is fixed in 2025.8.6, 2025.10.4 and 2025.12.4, and every release before those fix versions on its branch is affected.

Affected Version(s)

  • authentik >= 2021.3.1, < 2025.8.6

  • authentik >= 2025.10.0-rc1, < 2025.10.4

  • authentik >= 2025.10.0-rc1, < 2025.12.4
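As an added example (not part of this advisory or of the authentik project), the check below decides whether a deployed authentik version falls inside the affected ranges exactly as printed in the list above, with the lower bound inclusive and the fix version exclusive. The version parser is an assumption based on authentik's YYYY.M.patch numbering with an optional -rcN suffix, and it orders a release candidate before the final release of the same number, which matters for the 2025.10.0-rc1 lower bound.

```python
import re

# Affected ranges as printed in the Affected Version(s) list on this page:
# (first affected version, first fixed version); the upper bound is exclusive.
AFFECTED_RANGES = [
    ("2021.3.1", "2025.8.6"),
    ("2025.10.0-rc1", "2025.10.4"),
    ("2025.10.0-rc1", "2025.12.4"),
]

# Assumed version syntax: YYYY.M.patch with an optional -rcN pre-release suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")


def version_key(version: str) -> tuple:
    """Turn an authentik version string into a sortable tuple.

    A pre-release sorts before the final release of the same number, so the
    key is (year, minor, patch, is_final, rc_number).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised authentik version: {version!r}")
    year, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(year), int(minor), int(patch), is_final, int(rc or 0))


def matching_fix(version: str):
    """Return the fix version of the first affected range that contains
    `version`, or None when the version is outside every range."""
    key = version_key(version)
    for low, high in AFFECTED_RANGES:
        if version_key(low) <= key < version_key(high):
            return high
    return None


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    return matching_fix(version) is not None


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for v in ["2024.4.1", "2025.8.6", "2025.10.0-rc1", "2025.10.3", "2025.12.4"]:
        fix = matching_fix(v)
        print(f"{v:>14}: {'affected, fixed in ' + fix if fix else 'not affected'}")
```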

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
