CVE-2026-49448

CRITICAL9.8

authentik: SourceStage bypass via empty POST

Published: 6/5/2026Modified: 6/5/2026

Also known as:BIT-authentik-2026-49448

Description

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

Affected packages (1)

Bitnami/authentikfrom 0, < 2025.12.6, >= 2026.0.0, < 2026.2.4, >= 2026.3.0, < 2026.5.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

WEBhttps://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-49448