CVE-2026-41569

authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to attacker-controlled endpoints

Assigner: GitHub_M
Reserved: 21.04.2026 Published: 02.06.2026 Updated: 03.06.2026

authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com.evil.tld/), causing the victim's browser to POST the signed WS-Federation login response to attacker-controlled infrastructure. This issue has been patched in version 2026.2.3.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	goauthentik
Product	authentik
Versions	Version < 2026.2.3 is affected

Vendor

goauthentik

Product

authentik

Versions

Version < 2026.2.3 is affected

References

Problem Types

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') CWE

CVE-2026-41569 PUBLISHED

authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to attacker-controlled endpoints

Metrics

Product Status

References

Problem Types