CVE-2026-49448: authentik Source Stage Authentication Bypass
A critical authentication bypass vulnerability tracked as CVE-2026-49448 has been disclosed in authentik, the popular open-source identity provider. With a CVSS v3.1 score of 9.8 (Critical) — the second of two critical CVEs published for authentik on June 2, 2026 — this flaw allows an unauthenticated attacker to completely bypass the Source stage of an authentication flow by sending a simple empty HTTP POST request. No credentials, tokens, or prior session state are required.
Patches are available in 2025.12.6, 2026.2.4, and 2026.5.1.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-49448 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-287 — Improper Authentication |
| Affected Component | Source Stage in authentik authentication flows |
| Attack Vector | Network |
| Authentication Required | None |
| Primary Impact | Complete authentication bypass |
| Patch Available | Yes — versions 2025.12.6, 2026.2.4, 2026.5.1 |
| Source | NVD / NIST |
Technical Details
Root Cause
authentik's flow system processes authentication in discrete stages. The Source stage is responsible for validating that a user's authentication originates from a configured and trusted identity source (e.g., a specific LDAP directory, SAML provider, or OAuth2 backend). This stage acts as a gating check in the authentication pipeline.
The vulnerability arises because the Source stage's request validation logic does not enforce that the POST body contains required parameters. When an empty POST is submitted to the stage endpoint, the validation logic fails to reject the request — instead proceeding to the next stage as if the source check had passed.
This is a classic improper authentication flaw (CWE-287) rooted in missing input validation: the absence of data is not treated as an invalid state.
Exploitation Mechanics
Attacker identifies authentik instance with Source stage in flow
→ Sends empty POST to Source stage endpoint
→ Stage logic receives empty body — no required parameters present
→ Validation branch treats empty POST as a non-negative outcome
→ Flow advances past Source stage without source verification
→ Attacker proceeds through remaining authentication stages
→ Achieves access beyond the intended trust boundary
Conceptual exploit (HTTP):

```http
POST /api/v3/flows/executor/default-authentication-flow/ HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

```

(empty body)

The CVSS score of 9.8 reflects the near-maximum severity:
- Attack Vector: Network — remotely exploitable
- Attack Complexity: Low — no special setup required
- Privileges Required: None — no credentials needed to exploit
- Confidentiality/Integrity/Availability: High across all axes
Impact Assessment
| Impact Area | Description |
|---|---|
| Authentication Bypass | Complete skip of the Source stage — attacker proceeds as an authenticated entity |
| Identity Spoofing | Attacker may be able to assume the identity of any user in the configured source |
| SSO Access | All downstream applications connected via authentik SSO may be accessible |
| Admin Takeover | If an administrator account can be targeted, full IdP control is at risk |
| Downstream App Compromise | OAuth2, OIDC, and SAML relying parties inherit the compromised identity assertion |
| Audit Trail Corruption | Unauthorized access may be logged under a legitimate user's identity |
Affected Versions
| Version Branch | Affected | Fixed In |
|---|---|---|
| 2025.12.x | All versions prior to 2025.12.6 | 2025.12.6 |
| 2026.2.x | All versions prior to 2026.2.4 | 2026.2.4 |
| 2026.5.x | All versions prior to 2026.5.1 | 2026.5.1 |
| Older branches | All older releases | Upgrade required |
Note: This is the second critical CVE affecting authentik published on the same day; the first, CVE-2026-42849 (XSS in AutosubmitStage, CVSS 9.3), was disclosed alongside it. Both require immediate patching.
Remediation
Immediate Actions
- Upgrade authentik immediately to one of the patched releases:
  - 2025.12.6 (LTS branch)
  - 2026.2.4
  - 2026.5.1 (latest stable)

  ```bash
  # Docker Compose upgrade
  docker compose pull && docker compose up -d

  # Kubernetes (Helm)
  helm repo update
  helm upgrade authentik authentik/authentik --version <patched-version>

  # Verify the running version
  docker exec authentik-server ak version
  ```
- Audit authentication flow configurations — identify all flows that include a Source stage and verify which are internet-accessible versus internal-only.
- Inspect access logs for empty POST requests — search the access log for requests matching the empty POST pattern to determine whether exploitation has already occurred:

  ```bash
  # Look for suspiciously empty POST submissions to the flow executor.
  # Adjust the log path and the second pattern to your reverse proxy's log format:
  # a stock access log may record the request body size rather than the header itself.
  grep "POST /api/v3/flows/executor" /var/log/authentik/access.log \
    | grep "Content-Length: 0"
  ```
- Force session invalidation — revoke all active sessions post-upgrade as a precaution:

  authentik Admin UI → System → Sessions → Invalidate All
- Rotate downstream application secrets — OAuth2 client secrets and SAML certificates for all relying parties should be rotated as a precautionary measure.
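The log inspection step above, as an added detection example that is not part of the original advisory or of authentik itself: it parses constructed access-log lines (an assumed nginx-style format whose last field is the request's Content-Length, with "-" when the header is absent) and flags POSTs to flow executor endpoints that carried no body, grouped by source IP.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic) in an nginx-style access log whose
# last field is the request's Content-Length ("-" when the header is absent).
# This log_format is an assumption; adapt LINE_RE to what your proxy writes.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:10:14:01 +0000] "POST /api/v3/flows/executor/default-authentication-flow/ HTTP/1.1" 200 512 "-" "curl/8.5.0" 0
198.51.100.22 - - [02/Jun/2026:10:14:05 +0000] "POST /api/v3/flows/executor/default-authentication-flow/ HTTP/1.1" 200 734 "-" "Mozilla/5.0" 186
203.0.113.7 - - [02/Jun/2026:10:14:06 +0000] "GET /api/v3/flows/executor/default-authentication-flow/ HTTP/1.1" 200 1204 "-" "curl/8.5.0" -
203.0.113.7 - - [02/Jun/2026:10:14:09 +0000] "POST /api/v3/flows/executor/default-authentication-flow/ HTTP/1.1" 200 498 "-" "curl/8.5.0" 0
198.51.100.9 - - [02/Jun/2026:10:15:00 +0000] "POST /api/v3/core/users/ HTTP/1.1" 201 88 "-" "python-requests/2.32" 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<clen>\S+)$'
)
FLOW_EXECUTOR_PREFIX = "/api/v3/flows/executor/"


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_empty_flow_post(rec):
    """A POST to a flow executor endpoint with no body: Content-Length 0 or absent."""
    return (
        rec["method"] == "POST"
        and rec["path"].startswith(FLOW_EXECUTOR_PREFIX)
        and rec["clen"] in ("0", "-")
    )


def find_suspicious(log_text):
    """Parse every line and keep the records matching the empty-POST pattern."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and is_empty_flow_post(rec)]


def summarize_by_ip(hits):
    """Count matches per client IP so repeated probing from one source stands out."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} POST {h["path"]} -> {h["status"]} ({h["ua"]})')
    print("empty flow-executor POSTs per source IP:", dict(summarize_by_ip(hits)))
```

A match is a lead, not proof of exploitation: correlate each hit with authentik's own event log to see whether the flow advanced past the Source stage for that request.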
Defense-in-Depth
For organizations that cannot patch immediately:
Priority 1: Restrict authentik access to internal IPs / VPN only
Priority 2: Deploy WAF rules to block requests with empty POST bodies to flow endpoints
Priority 3: Enable detailed authentik event logging and alert on Source stage completions
Priority 4: Review and reduce the number of flows with Source stages facing the internet
Priority 5: Plan emergency maintenance window for patching within 24 hours
Critical CVE Pair: Impact of Both authentik Vulnerabilities
Organizations running unpatched authentik are now exposed to two simultaneous critical CVEs:
| CVE | Type | CVSS | Fixed In |
|---|---|---|---|
| CVE-2026-42849 | XSS in AutosubmitStage | 9.3 | 2025.12.5, 2026.2.3 |
| CVE-2026-49448 | Source Stage Auth Bypass | 9.8 | 2025.12.6, 2026.2.4, 2026.5.1 |
Patch to the higher fix version to address both CVEs simultaneously:
- Branch 2025.12.x: patch to 2025.12.6 (fixes both)
- Branch 2026.2.x: patch to 2026.2.4 (fixes both)
- Branch 2026.5.x: patch to 2026.5.1 (fixes both)
Key Takeaways
- CVE-2026-49448 is a CVSS 9.8 critical authentication bypass — one of the highest-severity flaws an identity provider can carry
- An empty POST body is all it takes to bypass the Source stage — no credentials or tokens required
- Combined with CVE-2026-42849 (XSS), authentik deployments face a dual critical exposure — patch both simultaneously
- All OAuth2, OIDC, and SAML relying parties connected to the vulnerable instance should be considered potentially compromised
- Restrict internet-facing authentik to VPN or internal networks while patching is arranged