CVE-2026-25922
Published: 12 February 2026
Summary
CVE-2026-25922 is a high-severity Improper Authentication (CWE-287) vulnerability in authentik (vendor: goauthentik), an open-source identity provider. Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 1.4th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified in our analysis are NIST 800-53 CM-6 (Configuration Settings) and SC-17 (Public Key Infrastructure Certificates).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Integrity verification of SAML assertions using digital signatures or equivalent cryptographic mechanisms, so that an injected, unsigned assertion is not accepted in place of the signed one.
- CM-6 (Configuration Settings): a secure baseline configuration for SAML Sources, with Verify Response Signature enabled and an Encryption Certificate configured, removes both preconditions for the assertion-injection attack.
- SC-17 (Public Key Infrastructure Certificates): sound management of the PKI certificates used to verify SAML assertion and response signatures, reducing the risk that a misconfigured or unverified credential is relied on in authentik.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets a network attacker exploit the public-facing authentik IdP (T1190) with a crafted SAML response that passes the assertion signature check while a different, attacker-supplied assertion is consumed. In effect this is forgery of SAML tokens/assertions (T1606.002) for unauthorized access, without possession of the IdP's signing key.
NVD Description
authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.
Deeper analysis
CVE-2026-25922 is a vulnerability in authentik, an open-source identity provider, affecting versions prior to 2025.8.6, 2025.10.4, and 2025.12.4. It occurs in SAML Sources (authentik acting as the service provider for an upstream IdP) where the Verify Assertion Signature option is enabled under Verification Certificate but Verify Response Signature is not, or where the Encryption Certificate setting under Advanced Protocol settings is not configured. In that configuration only the individual Assertion element is covered by a signature check; the enclosing Response is not. An attacker can therefore place an additional, unsigned Assertion in front of the legitimate signed one: the signature check succeeds on the signed assertion, but authentik goes on to consume the first assertion in the document, which is the injected one. This is the well-known XML signature wrapping pattern, in which the element that is verified and the element that is used are not the same. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-347 (Improper Verification of Cryptographic Signature).
The vulnerability is exploitable over the network with low attack complexity and no user interaction. The low-privilege requirement (PR:L) reflects that the attacker needs a legitimately signed assertion from the upstream IdP to wrap, typically one issued for their own account. By prepending a crafted assertion (for example, one naming a privileged user) to that signed assertion in the SAML response, the attacker causes authentik to trust the forged assertion, with high impact on confidentiality, integrity, and availability. Either of the two mitigating settings defeats the attack: with Verify Response Signature enabled the whole Response is signed, so inserting an element invalidates it, and with an Encryption Certificate configured the assertion arrives encrypted rather than as a plaintext element that can be shadowed.
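The following toy model is an added example written for this page; it is not authentik's code and does not reproduce its internals. It models the flaw class described above: a consumer that verifies the signature on whichever assertion carries one but then reads the subject from the first Assertion element, next to a hardened consumer that binds the assertion it uses to the one it verified and rejects responses with more than one assertion. Real XML-DSig is replaced by an HMAC over the assertion bytes, the IdP key is a constructed shared secret, and the element IDs and user names are invented.

```python
"""Toy model of the SAML assertion-injection flaw described in CVE-2026-25922.

Illustrative code only (not authentik's): XML-DSig is stood in for by an HMAC over the
assertion bytes, and IDP_KEY is a constructed secret that plays the IdP's signing key.
"""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

IDP_KEY = b"constructed-toy-idp-signing-key"  # stand-in for the IdP's private key


def _tag(prefix, name):
    return f"{{{NS[prefix]}}}{name}"


def _signed_bytes(assertion):
    """Serialize the assertion with any ds:Signature removed (toy canonicalization)."""
    clone = copy.deepcopy(assertion)
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return ET.tostring(clone, encoding="utf-8")


def build_assertion(assertion_id, name_id):
    assertion = ET.Element(_tag("saml", "Assertion"), ID=assertion_id)
    subject = ET.SubElement(assertion, _tag("saml", "Subject"))
    ET.SubElement(subject, _tag("saml", "NameID")).text = name_id
    return assertion


def sign_assertion(assertion):
    """Append a Signature whose Reference URI names this assertion's ID, as XML-DSig does."""
    mac = hmac.new(IDP_KEY, _signed_bytes(assertion), hashlib.sha256).digest()
    sig = ET.SubElement(assertion, _tag("ds", "Signature"))
    info = ET.SubElement(sig, _tag("ds", "SignedInfo"))
    ET.SubElement(info, _tag("ds", "Reference"), URI="#" + assertion.get("ID"))
    ET.SubElement(sig, _tag("ds", "SignatureValue")).text = base64.b64encode(mac).decode()
    return assertion


def verify_assertion_signature(assertion):
    """True only if the Signature references this assertion's ID and the MAC matches."""
    sig = assertion.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    value = sig.findtext("ds:SignatureValue", namespaces=NS) if sig is not None else None
    if ref is None or value is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        return False
    expected = hmac.new(IDP_KEY, _signed_bytes(assertion), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(value))


def build_response(assertions):
    """Unsigned samlp:Response around the assertions (models Verify Response Signature off)."""
    root = ET.Element(_tag("samlp", "Response"), ID="_response")
    for assertion in assertions:
        root.append(assertion)
    return ET.tostring(root, encoding="unicode")


def legit_response():
    return build_response([sign_assertion(build_assertion("_a1", "alice"))])


def attack_response():
    # A low-privileged user holding a genuine signed assertion for 'alice' prepends an
    # unsigned assertion for 'admin'; the signed assertion itself is left untouched.
    forged = build_assertion("_evil", "admin")
    genuine = sign_assertion(build_assertion("_a1", "alice"))
    return build_response([forged, genuine])


def vulnerable_subject(response_xml):
    """Pre-fix pattern: verify whichever assertion is signed, then consume the first one."""
    root = ET.fromstring(response_xml)
    signed = [a for a in root.findall("saml:Assertion", NS)
              if a.find("ds:Signature", NS) is not None]
    if not signed or not verify_assertion_signature(signed[0]):
        raise ValueError("assertion signature invalid")
    first = root.find("saml:Assertion", NS)  # not necessarily the element just verified
    return first.findtext("saml:Subject/saml:NameID", namespaces=NS)


def hardened_subject(response_xml):
    """Use exactly the assertion that was verified, and refuse responses with extras."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, got {len(assertions)}")
    assertion = assertions[0]
    if not verify_assertion_signature(assertion):
        raise ValueError("assertion signature invalid")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

Running `vulnerable_subject(attack_response())` returns "admin" even though only the "alice" assertion is signed, while `hardened_subject` rejects the same document. The hardened version shows the two properties a consumer needs regardless of library: the element it acts on must be the element whose signature it checked (here enforced by verifying the Reference URI against the ID and by taking the single assertion), and any structural slack that lets an attacker add siblings must be closed. Enabling Verify Response Signature in authentik achieves the second property at the protocol level, since the whole Response is then under the signature.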
Authentik versions 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue. Additional details are available in the security advisory at https://github.com/goauthentik/authentik/security/advisories/GHSA-jh35-c4cc-wjm4 and the release notes at https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6, https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4, and https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4.
Details
- CWE(s)