Open-Source Identity Provider Vulnerability in Authentik by GoAuthentik
CVE-2026-41569

6.9 MEDIUM

Key Information:

  • Vendor: GoAuthentik
  • CVE Published: 2 June 2026

What is CVE-2026-41569?

Authentik, an open-source identity provider, has a vulnerability in its WS-Federation provider: the user-supplied wreply parameter is validated with a simple raw string prefix check instead of being parsed as a URL and compared by origin. Because the check never establishes which host the URL actually points to, an attacker can craft a login link whose wreply value belongs to a different origin, and the WS-Federation response is then sent to an attacker-controlled endpoint. The issue is fixed in version 2026.2.3; users should update to that version or later.
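The following added example (my own illustration, not Authentik's code) contrasts the two validation strategies the description names. The configured relying-party URL, the sample wreply values and the function names are constructed for the example. The naive check accepts any string that merely begins with the expected text, so a URL whose host only starts with the expected host name, or that places the expected host in the userinfo part before an `@`, passes; the hardened check parses the URL and requires scheme, host and port to match the configured origin exactly.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical configured return-URL prefix for a relying party (constructed value).
ALLOWED_WREPLY_PREFIX = "https://sp.example.com"


def is_allowed_wreply_prefix(wreply: str, allowed: str = ALLOWED_WREPLY_PREFIX) -> bool:
    """Naive validation of the kind the advisory describes: a raw string
    prefix comparison with no URL parsing, hence no notion of origin."""
    return wreply.startswith(allowed)


def _origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for an absolute http(s) URL, or None if the
    value is not one (relative URLs, other schemes, unparsable ports)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # .hostname is already lower-cased and stripped of any userinfo (user:pass@).
    return parts.scheme, parts.hostname, port


def is_allowed_wreply(wreply: str, allowed: str = ALLOWED_WREPLY_PREFIX) -> bool:
    """Hardened validation: parse both URLs and compare their origins
    (scheme, host, port) as tuples rather than as text."""
    want = _origin(allowed)
    got = _origin(wreply)
    return want is not None and got is not None and want == got


def classify(wreply: str) -> Tuple[bool, bool]:
    """Return (accepted_by_prefix_check, accepted_by_origin_check) for one value."""
    return is_allowed_wreply_prefix(wreply), is_allowed_wreply(wreply)


if __name__ == "__main__":
    # Constructed sample values: one legitimate return URL and several that the
    # prefix check accepts even though they resolve to a different origin.
    samples = [
        "https://sp.example.com/wsfed/return",
        "https://sp.example.com.attacker.example/return",
        "https://sp.example.com@attacker.example/return",
        "https://sp.example.com:443/return",
        "http://sp.example.com/return",
        "javascript:alert(1)",
    ]
    for value in samples:
        prefix_ok, origin_ok = classify(value)
        print(f"{value:50s} prefix={prefix_ok!s:5s} origin={origin_ok}")
```

The origin comparison deliberately normalises the default port so that an explicit `:443` on an https URL is still accepted; if the relying party registers a full return path rather than just an origin, the same parsed components can additionally be compared on `path` at a segment boundary rather than with `startswith`.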

Affected Version(s)

authentik < 2026.2.3

CVSS V4

  • Score: 6.9
  • Severity: MEDIUM
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: Undefined
  • User Interaction: None

Timeline

  • Vulnerability published: 2 June 2026

  • Vulnerability reserved
