CVE Alert

CVE-2026-41569

Severity UNKNOWN (CVSS 0.0)

authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to attacker-controlled endpoints

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 15th

authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com.evil.tld/), causing the victim's browser to POST the signed WS-Federation login response to attacker-controlled infrastructure. This issue has been patched in version 2026.2.3.
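The weakness described above is the generic CWE-601 pattern: testing an allow-listed URL as a raw string prefix lets any origin that merely begins with the allowed text pass. The following is an added illustration, not authentik's code and not the patched logic from the advisory; the `ALLOWED_REPLY_URL` value and the function names are constructed for the example. It places the prefix check beside an origin comparison that parses the URL and compares scheme, host and effective port, so a reply URL on a different origin is rejected even when its text starts with the configured value.

```python
from urllib.parse import urlsplit

# Constructed for this example: the reply URL configured for the provider.
# Note the missing trailing slash, which is what makes the naive prefix test
# accept "https://portal.example.com.evil.tld/".
ALLOWED_REPLY_URL = "https://portal.example.com"


def wreply_allowed_prefix(wreply: str) -> bool:
    """Weak check (the pattern the advisory describes): raw string prefix test."""
    return wreply.startswith(ALLOWED_REPLY_URL)


def _origin(url: str):
    """Return (scheme, host, port) for an http(s) URL, or None if unusable.

    Raises ValueError for a malformed port, which the caller treats as a reject.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    # hostname is already lowercased by urlsplit and excludes any userinfo,
    # so "https://portal.example.com@evil.tld/" resolves to host "evil.tld".
    port = parts.port or (443 if scheme == "https" else 80)
    return (scheme, parts.hostname, port)


def wreply_allowed_origin(wreply: str) -> bool:
    """Hardened check: parse both URLs and require an exact origin match."""
    try:
        candidate = _origin(wreply)
    except ValueError:
        # e.g. "https://portal.example.com:abc/" (non-numeric port)
        return False
    return candidate is not None and candidate == _origin(ALLOWED_REPLY_URL)


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's own bypass shape plus a few
    # neighbouring variants a defender would want covered.
    samples = [
        "https://portal.example.com/wsfed/callback",
        "https://portal.example.com.evil.tld/",
        "https://portal.example.com@evil.tld/",
        "http://portal.example.com/",
        "https://PORTAL.example.com:443/",
    ]
    for s in samples:
        print(f"{s:45} prefix={wreply_allowed_prefix(s)!s:5} origin={wreply_allowed_origin(s)}")
```

Comparing on the parsed origin is the minimum; a deployment that only ever expects one callback path can additionally require the parsed path to start with the configured path, but the origin comparison is what closes the class of bypass the advisory describes.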

CWE CWE-601
Vendor goauthentik
Product authentik
Published Jun 2, 2026
Last Updated Jun 3, 2026

Affected Versions

goauthentik / authentik
< 2026.2.3

References

NVD · CVE.org · EPSS Data
github.com: https://github.com/goauthentik/authentik/security/advisories/GHSA-995q-72cw-cfw3