External risk intelligence

Authentik Identity Provider Source Stage Bypass Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-49448

Organizations using the authentik identity provider face a bypass vulnerability in the Source stage. This could allow unauthorized access to systems and data, creating business risk. The issue is addressed in updated versions.

5Halo Surface Signal

Authentication Bypass

Goauthentik Authentik

before 2025.12.62026.2.0 to before 2026.2.42026.5.0 to before 2026.5.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-49448

authentik is an identity provider designed to handle authentication and identity management. Such systems are typically deployed as public-facing gateways or identity portals to provide remote access to applications and services, making them inherently internet-reachable by design in normal deployments.

PCI scan relevance

PCI Relevance for CVE-2026-49448

Yes

CVE-2026-49448 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in authentik's Source stage has a critical CVSS score, making it relevant for PCI scans. PCI DSS requires vulnerabilities with scores of 4.0 or higher to be addressed, so this could impact scan results.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects organizations using the authentik open-source identity provider. The flaw allows unauthorized access to systems by bypassing security controls. This could lead to significant business risk, including unauthorized access to sensitive data and disruption of services.

  • Vulnerable authentik identity provider
  • Source stage bypass
  • Unauthorized access and data compromise

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to bypass security controls within the application. Successful exploitation could lead to unauthorized access and potential compromise of sensitive information. The attack vector involves manipulating network requests to circumvent authentication mechanisms.

  • Exposed to the network
  • Attacker sends empty POST request
  • Bypasses Source stage, gains access

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to bypass authentication controls by sending a specific type of request. Successful exploitation could lead to unauthorized access to sensitive information or unauthorized system modifications, posing a significant risk to the integrity and confidentiality of organizational data and services. The ease of exploitation suggests a high potential for impact if left unaddressed.

  • Attacker skill level: Low
  • Required access or conditions: None
  • Business risk or urgency: Critical

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts organizations using the Authentik identity provider. An attacker could bypass security controls by sending an empty POST request, potentially leading to unauthorized access to systems and data. The risk to business operations includes data breaches and compromised user accounts.

  • Identify Authentik instances processing authentication requests.
  • Restrict network access to Authentik if possible.
  • Apply vendor updates and verify the fix.
  • Monitor for related unauthorized access.

Frequently asked questions

What is authentik and what is it used for?

Authentik is an open-source identity provider. It is used to manage user authentication and identity for various applications and services, acting as a central point for users to log in.

What is the weakness in CVE-2026-49448?

CVE-2026-49448 is a bypass vulnerability. It specifically involves bypassing the 'Source stage' of authentik by sending an empty POST request, which is a type of access control weakness.

How can an attacker trigger this authentik vulnerability?

An attacker can trigger this vulnerability by sending an empty POST request to the affected authentik component. This specific action bypasses the Source stage, and no special access or conditions are required for the attacker.

How likely is this vulnerability to be encountered by users?

This vulnerability is considered very likely to be encountered. Systems like authentik are typically deployed as public-facing gateways for remote access, meaning they are designed to be reachable from the internet.

What should I do if I am running this technology?

If you are running authentik, you should identify your instances that handle authentication and apply the vendor updates. These updates are available in versions 2025.12.6, 2026.2.4, and 2026.5.1.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified