CVE-2026-42849

CRITICAL9.3

authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover

發布日:2026/6/5修改日:2026/6/5

也稱為:BIT-authentik-2026-42849

描述

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.

受影響套件(1)

Bitnami/authentikfrom 0, < 2025.12.5, >= 2026.0.0, < 2026.2.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

參考連結(2)

WEBhttps://github.com/goauthentik/authentik/security/advisories/GHSA-pgff-5mx8-fqj3
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-42849