Bypass Vulnerability in Authentik Identity Provider by GoAuthentik
CVE-2026-49448

9.8CRITICAL

Key Information:

Vendor: Goauthentik
Status: Authentik
Vendor: CVE Published:; 2 June 2026

🔔 Create Goauthentik Vulnerability Alert

What is CVE-2026-49448?

Authentik, an open-source identity provider by GoAuthentik, contains a vulnerability that allows an attacker to bypass the Source stage by sending an empty POST request. This flaw has been addressed in recent updates, specifically versions 2025.12.6, 2026.2.4, and 2026.5.1, which strengthen the application's integrity and prevent unauthorized access. Users are strongly advised to upgrade to the patched versions to mitigate potential risks.

Affected Version(s)

authentik < 2025.12.6 < 2025.12.6

authentik < 2026.2.4 < 2026.2.4

authentik < 2026.5.1 < 2026.5.1

References

https://github.com/goauthentik/authentik/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 2, 2026
Vulnerability Reserved
May 30, 2026

CVE-2026-49448 Data

JSON