authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:NGoauthentik Authentik
APPGoauthentik< 2025.12.52026.2.0 – 2026.2.3 (bez)
Related vulnerabilities
Pominięcie etapu uwierzytelniania (Source Stage) w Goauthentik Authentik
RCE w authentik przez endpoint testowy mapowania właściwości
Pominięcie uwierzytelnienia przez nagłówek X-Forwarded-For w authentik
authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admi...
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that ...