Cyber Resilience

CVE-2026-47201

Severity: High (updated)
Published: 02 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.5 · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.0016 · 5.8th percentile
Risk Priority: 55 · floored blend · peak EPSS

Summary

CVE-2026-47201 is a high-severity Improper Input Validation (CWE-20) vulnerability in Goauthentik Authentik. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 5.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1.
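The class of bug described above is a binding failure: the XML-DSig check passes on one assertion, but the ACS endpoint consumes a different one. The following Python is an added illustration, not authentik's code and not taken from the advisory. It assumes that the cryptographic part of XML-DSig verification (digest and signature value) has already been done by a separate library such as xmlsec, and shows only the structural check that must follow it: the assertion consumed must be exactly the element the signature's Reference URI designates, resolved unambiguously, with the signature enveloped inside it. The SAML responses are constructed samples with placeholder digest and signature values, and a naive consumer that trusts the first assertion is shown beside the hardened one so the difference can be tested.

```python
"""Binding check against XML Signature Wrapping (XSW) on a SAML response.

Hypothetical example, not authentik's code. Assumes the XML-DSig digest and
signature value were already verified by a separate library (e.g. xmlsec);
what is added here is purely structural.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML_ASSERTION = "{%s}Assertion" % NS["saml"]
DS_SIGNATURE = "{%s}Signature" % NS["ds"]


class SignatureWrappingError(ValueError):
    """The signed element and the element about to be consumed differ."""


def _assertion(assertion_id: str, name_id: str, signed: bool) -> str:
    """Build a constructed saml:Assertion; digest/signature values are placeholders."""
    signature = ""
    if signed:
        signature = (
            '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
            f'<ds:Reference URI="#{assertion_id}"><ds:DigestValue>PLACEHOLDER</ds:DigestValue>'
            "</ds:Reference></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
            "</ds:Signature>"
        )
    return (
        f'<saml:Assertion ID="{assertion_id}">{signature}'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>"
    )


def _response(*body: str) -> str:
    """Wrap constructed assertion markup in a samlp:Response."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
        + "".join(body) + "</samlp:Response>"
    )


# Constructed samples (not real IdP output). The signed assertion is always
# alice's; the wrapped variants add an unsigned assertion naming someone else.
LEGIT = _response(_assertion("_a1", "alice@example.org", signed=True))
WRAPPED_SAME_ID = _response(
    _assertion("_a1", "admin@example.org", signed=False),
    "<samlp:Extensions>" + _assertion("_a1", "alice@example.org", signed=True) + "</samlp:Extensions>",
)
WRAPPED_NEW_ID = _response(
    _assertion("_x9", "admin@example.org", signed=False),
    "<samlp:Extensions>" + _assertion("_a1", "alice@example.org", signed=True) + "</samlp:Extensions>",
)


def naive_name_id(response_xml: str) -> str:
    """Vulnerable pattern: after a document-wide signature check, trust the first Assertion."""
    root = ET.fromstring(response_xml)
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text


def signed_assertion_name_id(response_xml: str) -> str:
    """Hardened pattern: consume only the element the verified signature actually covers."""
    root = ET.fromstring(response_xml)
    parent = {child: p for p in root.iter() for child in p}

    references = root.findall(".//ds:Reference", NS)
    if len(references) != 1:
        raise SignatureWrappingError("expected exactly one signed reference")
    uri = references[0].get("URI", "")
    if not uri.startswith("#"):
        raise SignatureWrappingError("only same-document references are accepted")

    # The ID must resolve to exactly one element; duplicates are a wrapping tell.
    targets = [el for el in root.iter() if el.get("ID") == uri[1:]]
    if len(targets) != 1:
        raise SignatureWrappingError("signed ID resolves to %d elements" % len(targets))
    signed = targets[0]

    # Enveloped signature: Reference -> SignedInfo -> Signature, whose parent is the signed element.
    signature = parent.get(parent.get(references[0]))
    if signature is None or signature.tag != DS_SIGNATURE or parent.get(signature) is not signed:
        raise SignatureWrappingError("signature is not enveloped in the referenced element")

    # An SP expecting one assertion accepts only the signed one and nothing beside it.
    assertions = root.findall(".//saml:Assertion", NS)
    if signed.tag != SAML_ASSERTION or len(assertions) != 1 or assertions[0] is not signed:
        raise SignatureWrappingError("consumed assertion is not the signed assertion")
    return signed.find("saml:Subject/saml:NameID", NS).text


def rejects(response_xml: str) -> bool:
    """True when the hardened check refuses the response."""
    try:
        signed_assertion_name_id(response_xml)
    except SignatureWrappingError:
        return True
    return False
```

On the legitimate sample both consumers return alice; on the two wrapped samples the naive consumer returns the unsigned admin identity while the hardened one raises, once because the signed ID resolves to two elements and once because an assertion exists beside the signed one. In production the same identity binding should also be applied to any other signed element a service provider relies on (for instance a response-level signature covering the whole message).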

CWE(s)

CWE-20 Improper Input Validation · CWE-347 Improper Verification of Cryptographic Signature

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct exploitation of the public SAML ACS endpoint via signature validation bypass enables unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25922 · Same product: Goauthentik Authentik
CVE-2025-29928 · Same product: Goauthentik Authentik
CVE-2026-49443 · Same product: Goauthentik Authentik
CVE-2026-25748 · Same product: Goauthentik Authentik
CVE-2026-25227 · Same product: Goauthentik Authentik
CVE-2026-42849 · Same product: Goauthentik Authentik
CVE-2026-49448 · Same product: Goauthentik Authentik
CVE-2026-33894 · Shared CWE-20, CWE-347
CVE-2025-29814 · Shared CWE-20
CVE-2026-21864 · Shared CWE-20

Affected Assets

goauthentik authentik: ≤ 2025.12.6 · 2026.2.0 — 2026.2.4 · 2026.5.0 — 2026.5.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-347 · Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.

Addresses CWE-20 · Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

Addresses CWE-20 · Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Addresses CWE-347 · Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.

Addresses CWE-347 · PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.

Addresses CWE-347 · Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.

Addresses CWE-347 · Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.

Addresses CWE-20 · Directly implements checks on information inputs to reject invalid data before processing.
