SAML Vulnerability in Authentik Identity Provider
CVE-2026-41577

6.9 MEDIUM

Key Information:

CVE Published: 2 June 2026

What is CVE-2026-41577?

authentik, an open-source identity provider, did not validate the Conditions element of SAML assertions received through a SAML source. The ResponseProcessor.parse() method ignored NotBefore, NotOnOrAfter and AudienceRestriction, so an expired assertion could be replayed and an assertion issued for a different service provider could be accepted as if it were addressed to authentik. A valid signature does not prevent either attack: the assertion is genuine, it is just stale or meant for someone else, and the Conditions element is where the issuing IdP records that. The issue is fixed in 2025.12.5 and 2026.2.3; upgrade to one of those releases.
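The check that was missing, as an added example that is not authentik's code. It parses a SAML assertion, enforces NotBefore and NotOnOrAfter with a tolerance for clock skew, and requires the configured SP entity ID to appear in every AudienceRestriction; a lax extract_name_id() shows what accepting the assertion without that check looks like. The entity ID, the 90 s skew window and the sample assertions are constructed for the demonstration, and the code assumes the assertion's signature has already been verified before these checks run.

```python
"""Added example (not authentik's code): enforce the SAML <Conditions> element
that CVE-2026-41577 says ResponseProcessor.parse() skipped.

Assumptions (mine, not from the advisory): the assertion signature has already
been verified; the expected audience is the SP entity ID of the SAML source;
90 seconds of clock skew is tolerated.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
CLOCK_SKEW = timedelta(seconds=90)  # assumed tolerance


class ConditionsError(ValueError):
    """Raised when the <Conditions> element rejects the assertion."""


def _saml_time(value):
    """Parse a SAML xs:dateTime (UTC, trailing 'Z', optional fraction)."""
    return datetime.strptime(value.rstrip("Z").split(".")[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def extract_name_id(assertion_xml):
    """The lax behaviour: pull NameID without looking at Conditions at all."""
    root = ET.fromstring(assertion_xml)
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def check_conditions(root, expected_audience, now):
    """Enforce NotBefore, NotOnOrAfter and AudienceRestriction.

    Must run after signature verification; otherwise an attacker simply
    rewrites the Conditions element to suit.
    """
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ConditionsError("assertion carries no Conditions element")

    not_before = conditions.get("NotBefore")
    if not_before is not None and now + CLOCK_SKEW < _saml_time(not_before):
        raise ConditionsError("assertion not yet valid (NotBefore in the future)")

    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is not None and now - CLOCK_SKEW >= _saml_time(not_on_or_after):
        raise ConditionsError("assertion expired (NotOnOrAfter passed): replay?")

    # SAML core: every AudienceRestriction must be satisfied, each by at least
    # one matching Audience. Rejecting an assertion with no restriction at all
    # is stricter than the schema requires; that is a deliberate policy here.
    restrictions = conditions.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        raise ConditionsError("assertion carries no AudienceRestriction")
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            raise ConditionsError(f"assertion is for {audiences}, not {expected_audience}")


def parse_assertion(assertion_xml, expected_audience, now=None):
    """Hardened parse: Conditions are checked before the identity is trusted."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    check_conditions(root, expected_audience, now)
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def make_assertion(name_id, not_before, not_on_or_after, audience):
    """Constructed, unsigned sample assertion for demonstration only."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_demo" Version="2.0">
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


# Fixed "now" so the demo is deterministic; the SP entity ID is made up.
NOW = datetime(2026, 6, 2, 12, 0, 0, tzinfo=timezone.utc)
SP_ENTITY_ID = "https://authentik.example/source/saml/corp/metadata/"

FRESH = make_assertion("alice", "2026-06-02T11:58:00Z", "2026-06-02T12:03:00Z", SP_ENTITY_ID)
EXPIRED = make_assertion("alice", "2026-06-01T11:58:00Z", "2026-06-01T12:03:00Z", SP_ENTITY_ID)
WRONG_SP = make_assertion("alice", "2026-06-02T11:58:00Z", "2026-06-02T12:03:00Z",
                          "https://other-app.example/saml/metadata")


def outcome(assertion_xml):
    """Return ('accepted', name_id) or ('rejected', reason) for the hardened path."""
    try:
        return ("accepted", parse_assertion(assertion_xml, SP_ENTITY_ID, NOW))
    except ConditionsError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for label, xml in (("fresh", FRESH), ("expired", EXPIRED), ("wrong-sp", WRONG_SP)):
        print(f"{label:9} lax={extract_name_id(xml)!r:8} hardened={outcome(xml)}")
```

The lax path returns "alice" for all three assertions; the hardened path accepts only the fresh one. The skew window is applied in the attacker's favour on both bounds, which is the usual trade-off between tolerating drift between IdP and SP clocks and shortening the replay window; keep it small and keep the two clocks synchronised rather than widening it.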

Affected Version(s)

authentik < 2025.12.5 (fixed in 2025.12.5)

authentik < 2026.2.3 (2026.x series, fixed in 2026.2.3)


CVSS v4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 2 June 2026