CVE-2026-49443

HIGH8.8

authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API

發布日:2026/6/5修改日:2026/6/5

也稱為:BIT-authentik-2026-49443

描述

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

受影響套件(1)

Bitnami/authentikfrom 0, < 2025.12.6, >= 2026.0.0, < 2026.2.4, >= 2026.3.0, < 2026.5.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(2)

WEBhttps://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-49443