CVE-2026-49443

HIGH8.8

authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API

Published: 6/5/2026Modified: 6/5/2026

Also known as:BIT-authentik-2026-49443

Description

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

Affected packages (1)

Bitnami/authentikfrom 0, < 2025.12.6, >= 2026.0.0, < 2026.2.4, >= 2026.3.0, < 2026.5.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (2)

WEBhttps://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-49443