CVE-2026-25227
Published: 12 February 2026
Summary
CVE-2026-25227 is a critical-severity Code Injection (CWE-94) vulnerability in Goauthentik Authentik. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Validates inputs to the test endpoint for property mappings and expression policies to prevent arbitrary code injection (CWE-94).
Enforces least privilege by limiting 'Can view Property Mapping' or 'Can view Expression Policy' permissions to only necessary users, blocking access to the exploitable test endpoint.
Requires timely remediation of the identified flaw by patching to fixed authentik versions (2025.8.6, 2025.10.4, 2025.12.4).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote code injection (CWE-94) in a public-facing authentik identity provider is reachable through the test endpoint, which maps to T1190; a user holding only view permissions on property mappings or expression policies escalates to full code execution inside the server container (T1068); and the resulting arbitrary code execution is itself T1059.
NVD Description
authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
Deeper analysis
CVE-2026-25227 is a code injection vulnerability (CWE-94) affecting the open-source identity provider authentik, specifically versions from 2021.3.1 up to but not including 2025.8.6, 2025.10.4, and 2025.12.4. The issue arises when using delegated permissions, where the test endpoint—intended for previewing property mappings or expression policies—allows arbitrary code execution within the authentik server container. It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to high confidentiality, integrity, and availability impacts with changed scope.
An authenticated user with either the "Can view * Property Mapping" or "Can view Expression Policy" permission can exploit this vulnerability remotely over the network with low complexity. By interacting with the test endpoint, the attacker executes arbitrary code directly in the authentik server container, potentially leading to full server compromise, data exfiltration, or further lateral movement within the environment.
The authentik security advisory (GHSA-qvxx-mfm6-626f) and release notes recommend upgrading to fixed versions 2025.8.6, 2025.10.4, or 2025.12.4, where the issue is addressed via a commit at https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80. No workarounds are specified beyond applying the patches.
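The remediation control above ("patch to fixed authentik versions") and the affected range in the analysis translate into a simple triage step: decide, for every authentik instance in an inventory, whether its version falls inside the vulnerable window. The script below is an added example, not code from this page or from the authentik project. It encodes the ranges stated in the advisory (affected from 2021.3.1; fixed at 2025.8.6, 2025.10.4 and 2025.12.4) and assumes, as the advisory's wording implies, that each named release line is fixed from its stated patch level onward and that release lines newer than 2025.12 already carry the fix. The inventory lines are constructed sample data, not real hosts.

```python
"""Affected-version triage for CVE-2026-25227 (authentik).

Added example; not part of the advisory or the authentik code base.
Versions follow authentik's YEAR.MONTH.PATCH scheme (e.g. 2025.12.3).
"""
from __future__ import annotations

import re

# First affected version named in the advisory.
FIRST_AFFECTED = (2021, 3, 1)

# Fixed patch level per release line named in the advisory.
FIXED_BY_LINE = {
    (2025, 8): 6,   # fixed in 2025.8.6
    (2025, 10): 4,  # fixed in 2025.10.4
    (2025, 12): 4,  # fixed in 2025.12.4
}

# Oldest fix: every version below this (and >= FIRST_AFFECTED) is affected.
OLDEST_FIX = (2025, 8, 6)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '2025.12.3' into (2025, 12, 3); a missing patch level counts as 0."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised authentik version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text: str) -> bool:
    """True when the version lies inside the vulnerable window from the advisory."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return False
    line = v[:2]
    if line in FIXED_BY_LINE:
        # On a release line that received a fix: affected only below the fix level.
        return v[2] < FIXED_BY_LINE[line]
    if v < OLDEST_FIX:
        # Any older line (2021.3 .. 2025.7) never received a fix.
        return True
    # Assumption: release lines newer than those the advisory names (e.g. 2026.x)
    # were cut after the fix landed and are therefore not affected.
    return False


# Constructed sample inventory: "host,version" per line (not real systems).
INVENTORY = """\
idp-prod-01,2025.12.3
idp-prod-02,2025.12.4
idp-staging,2025.8.2
idp-legacy,2024.10.1
idp-canary,2026.2.0
"""


def triage(inventory_csv: str) -> list[tuple[str, str]]:
    """Return (host, version) pairs whose authentik version is affected."""
    hits: list[tuple[str, str]] = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        if is_affected(version):
            hits.append((host.strip(), version.strip()))
    return hits


if __name__ == "__main__":
    for host, version in triage(INVENTORY):
        print(f"{host}: authentik {version} is affected by CVE-2026-25227; upgrade")
```

Hosts returned by `triage` are the ones where the patch control applies immediately; for the remainder, the least-privilege control (reviewing who holds the "Can view Property Mapping" and "Can view Expression Policy" permissions) still deserves a check, since the script only reasons about version numbers, not about the permission grants themselves.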
Details
- CWE(s)