CVE-2026-49443
authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
| CWE | CWE-287 |
| Vendor | goauthentik |
| Product | authentik |
| Published | Jun 2, 2026 |
| Last Updated | Jun 3, 2026 |
Stay Ahead of the Next One
Get instant alerts for goauthentik authentik
Be the first to know when new high vulnerabilities affecting goauthentik authentik are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
goauthentik / authentik
< 2025.12.6 < 2026.2.4 < 2026.5.1