Open-source Identity Provider Privilege Escalation Vulnerability in Authentik
CVE-2026-40172

8.1 HIGH

Key Information:

Status:
Vendor:
CVE Published: 22 May 2026

What is CVE-2026-40172?

Authentik, an open-source identity provider, has a vulnerability in its API that allows users holding certain permissions to escalate their privileges without authorization. In affected versions, a user who holds the permission to change user permissions can assign themselves or other users to groups that carry administrative capabilities, without the validation checks that the group management system normally applies. The user-management path therefore bypasses the stricter controls of the group management system, exposing the application to abuse of privilege in user management operations. The issue has been addressed in later releases.
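A minimal model of the check pattern described above, added here as an illustration and not taken from authentik's code base: a user-update path that checks only a user-level permission, beside a hardened version that also runs the group-level check for every group being added. The class, function and permission names (change_user, add_user_to_group, manageable_groups) are assumptions made for the example.

```python
from dataclasses import dataclass, field

class PermissionDenied(Exception):
    pass

@dataclass(frozen=True)
class Group:
    name: str
    is_superuser: bool = False  # membership grants administrative capabilities

@dataclass
class User:
    name: str
    perms: frozenset                            # global permissions, e.g. {"change_user"}
    manageable_groups: frozenset = frozenset()  # groups this user may add members to
    groups: set = field(default_factory=set)

    @property
    def is_superuser(self) -> bool:
        return any(g.is_superuser for g in self.groups)

def set_groups_weak(actor: User, target: User, new_groups: set) -> None:
    # Weak pattern: the user-update path checks only "change_user", so the
    # group-level policy (who may add members to which group) never runs.
    if "change_user" not in actor.perms:
        raise PermissionDenied("change_user")
    target.groups = set(new_groups)

def set_groups_hardened(actor: User, target: User, new_groups: set) -> None:
    # Hardened pattern: each group being added must also pass the same check
    # the dedicated group-management endpoint enforces (assumed permission name).
    if "change_user" not in actor.perms:
        raise PermissionDenied("change_user")
    for group in set(new_groups) - target.groups:
        if group.name not in actor.manageable_groups:
            raise PermissionDenied(f"add_user_to_group:{group.name}")
    target.groups = set(new_groups)

def escalates(update) -> bool:
    # Constructed scenario: "mallory" holds change_user but may not manage any
    # group; True means the update made her a superuser.
    admins = Group("Admins", is_superuser=True)
    mallory = User("mallory", perms=frozenset({"change_user"}))
    try:
        update(mallory, mallory, {admins})
    except PermissionDenied:
        return False
    return mallory.is_superuser
```

Running escalates(set_groups_weak) returns True and escalates(set_groups_hardened) returns False, which is the difference the advisory describes between the user-update and group-management paths.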

Affected Version(s)

authentik < 2025.12.5

authentik >= 2026.2.0-rc1, < 2026.2.3

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved