HIGH · CVE-2026-49443 · CNA: GitHub_M

CVE-2026-49443: authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 2025.12.6, 2026.2.4, 2026.5.1
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in authentik, an open-source identity provider. An authenticated attacker with a low-privilege account and the ability to modify a source connection can reassign the `UserSourceConnection.user` or `GroupSourceConnection.group` fields through the API, then use that manipulated connection to authenticate as any other account in the system. Successful exploitation gives the attacker full access to any target account, including reading, modifying, and disrupting data or services associated with that account. Patched-image rebuilds at versions 2025.12.6, 2026.2.4, and 2026.5.1 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-49443 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle authentik. Any image whose authentik version falls below the patched threshold for its release branch (2025.12.6, 2026.2.4, or 2026.5.1) is flagged automatically.
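The per-branch threshold rule above is easy to get wrong in a scanner: a single "< 2026.5.1" comparison flags the fixed 2026.2.4 release, and a string comparison flags 2026.2.10 as older than 2026.2.4. The following is an added example of the matching logic, not HarborGuard's or authentik's own code; the only inputs it takes from the advisory are the three fix versions, and the treatment of release candidates and of branches newer than every fix is an assumption stated in the comments.

```python
"""Affected-version check for CVE-2026-49443.

Added example; this is not HarborGuard's or authentik's own code. It applies
the advisory's per-branch rule to authentik's YYYY.M.patch versions: a build
is affected when it sits on a release branch that has a listed fix and is
older than that fix, or on a branch older than every fixed branch (for which
the advisory lists no fix).
"""
from __future__ import annotations

# Fix versions for goauthentik/authentik, from the advisory.
FIXED_VERSIONS = ("2025.12.6", "2026.2.4", "2026.5.1")


def parse_version(version: str) -> tuple[int, ...]:
    """'2026.2.4' -> (2026, 2, 4). A bare 'YYYY.M' release is the .0 patch.

    Assumption (ours, not authentik's): a suffix such as '-rc1' is dropped, so
    a release candidate is treated like the .0 release of its branch.
    """
    core = version.strip().lstrip("v").split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) == 2:
        parts += (0,)
    if len(parts) != 3:
        raise ValueError(f"unrecognised authentik version: {version!r}")
    return parts


def is_affected(version: str, fixed: tuple[str, ...] = FIXED_VERSIONS) -> bool:
    """True if `version` is vulnerable according to the advisory's fix list."""
    fixed_by_branch = {parse_version(f)[:2]: parse_version(f) for f in fixed}
    v = parse_version(version)
    branch = v[:2]
    if branch in fixed_by_branch:
        # Same release branch as a fix: affected only below the fix patch level.
        return v < fixed_by_branch[branch]
    if branch < min(fixed_by_branch):
        # Older branch with no listed fix ("prior to versions ..."): affected.
        return True
    if branch > max(fixed_by_branch):
        # Newer than every fixed branch. Assumption: later releases carry the fix.
        return False
    # A branch between two fixed branches that the advisory does not mention.
    # Conservative choice for a scanner: flag it for manual review.
    return True


def flag_images(images: dict[str, str]) -> list[str]:
    """Given {image_name: authentik_version}, return affected image names, sorted."""
    return sorted(name for name, ver in images.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed inventory, not real customer data.
    inventory = {
        "registry.example.test/idp/authentik:2025.12.5": "2025.12.5",
        "registry.example.test/idp/authentik:2026.2.4": "2026.2.4",
        "registry.example.test/idp/authentik:2026.2.10": "2026.2.10",
        "registry.example.test/idp/authentik:2026.5": "2026.5",
        "registry.example.test/idp/authentik:2025.10.1": "2025.10.1",
    }
    for name in flag_images(inventory):
        print("AFFECTED", name)
```

Versions are compared as integer tuples so that patch numbers above 9 sort correctly, and the branch (year, month) is resolved first so each build is judged against the fix on its own branch rather than against the newest fix overall.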
Triage: Available

HarborGuard scores this CVE at CVSS 8.8 HIGH based on the published v3.1 vector and surfaces it accordingly in each customer's findings feed. Per-environment compliance policy weighting is applied, and the finding is routed to the inbox or team responsible for identity and access management workloads within the customer org.
Patch: Pending upstream

Patched-image rebuilds based on authentik versions 2025.12.6, 2026.2.4, and 2026.5.1 are available on HarborGuard for any environment running an affected image. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the appropriate fix version, runs a regression test suite against the new image, and opens a pull request against the affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The authentik API must be reachable over the network; an attacker sends crafted API requests from a remote host to manipulate source connection records.

  • Authentication: Required

    The attacker must hold a valid low-privilege account in one of the configured sources; any ordinary user account is sufficient to trigger the vulnerability.

  • Victim interaction: Not required

    No action from another user or administrator is needed; the attacker operates entirely through their own API calls.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is reliable and condition-free: no race condition, memory layout dependency, or special environmental state is required beyond having an account and API access.

Blast Radius

  • Reads the full session and profile data of any account in the authentik instance, including credentials, tokens, and group memberships.
  • Modifies account settings, group assignments, and application permissions for any user the attacker impersonates.
  • Disrupts services that rely on authentik for authentication by locking out or altering the accounts of legitimate users.
  • Provides a pivot point for lateral movement into any downstream application that trusts authentik as its identity provider.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against scanned images within minutes of ingestion, and rebuild availability is tied to the upstream fix versions (2025.12.6, 2026.2.4, and 2026.5.1). For customers who opt into auto-remediation, HarborGuard builds a patched image at the appropriate fix version, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes.

For environments where auto-remediation is not enabled, the finding appears in the findings feed with CVSS 8.8 severity for manual review and prioritization.

As an immediate compensating control while a patched image is staged, consider restricting API access to the source connection endpoints via network policy (limiting ingress to trusted internal CIDRs only), auditing existing source connection records for unexpected user or group field values, and reviewing authentik application-level feature flags that govern API write permissions for low-privilege accounts.
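The audit of source connection records recommended above, and the matching check over authentik's event log, as an added example that is not HarborGuard's or authentik's own tooling. The record shapes (a connection carrying `pk`, `user`, `source` and `identifier`; a `model_updated` event carrying the touched model and a per-field diff), the API paths named in the comments, and every user, connection and event below are assumptions and constructed sample data. A connection is flagged when its linked user no longer exists, when the e-mail the source asserts does not match the linked user, or when it points at a superuser; an event is flagged when the `user` or `group` field of a connection itself was rewritten, which is the exact change the advisory describes and which a benign identifier refresh never produces.

```python
"""Audit helpers for the compensating controls above.

Added example; not HarborGuard's or authentik's own tooling. Record shapes are
assumptions modelled on authentik's API, and all data below is constructed.
"""
from __future__ import annotations

# --- constructed sample data ------------------------------------------------
USERS = {  # pk -> attributes, as from GET /api/v3/core/users/ (assumed shape)
    1: {"username": "akadmin", "email": "admin@example.test", "is_superuser": True},
    7: {"username": "alice", "email": "alice@example.test", "is_superuser": False},
    9: {"username": "mallory", "email": "mallory@example.test", "is_superuser": False},
}

CONNECTIONS = [  # as from GET /api/v3/sources/user_connections/all/ (assumed shape)
    {"pk": 10, "user": 7, "source": "corp-oidc", "identifier": "alice@example.test"},
    # Created for mallory's source account, but the `user` field now points at the admin.
    {"pk": 11, "user": 1, "source": "corp-oidc", "identifier": "mallory@example.test"},
    {"pk": 12, "user": 9, "source": "github", "identifier": "mallory-gh"},  # opaque id
    {"pk": 13, "user": 42, "source": "corp-oidc", "identifier": "ghost@example.test"},
]

EVENTS = [  # as from GET /api/v3/events/events/ (assumed shape)
    {"pk": "e1", "action": "model_updated", "user": {"username": "alice"},
     "context": {"model": {"app": "authentik_core", "model_name": "usersourceconnection", "pk": 10},
                 "diff": {"identifier": {"previous_value": "alice@corp.test",
                                         "new_value": "alice@example.test"}}}},
    {"pk": "e2", "action": "model_updated", "user": {"username": "mallory"},
     "context": {"model": {"app": "authentik_core", "model_name": "usersourceconnection", "pk": 11},
                 "diff": {"user": {"previous_value": 9, "new_value": 1}}}},
    {"pk": "e3", "action": "login", "user": {"username": "mallory"}, "context": {}},
]

# Django app/model pairs for the two connection models named in the advisory,
# mapped to the field whose rewrite the advisory is about (assumed app label).
SOURCE_CONNECTION_FIELDS = {
    ("authentik_core", "usersourceconnection"): "user",
    ("authentik_core", "groupsourceconnection"): "group",
}


def audit_connections(connections, users) -> dict[int, list[str]]:
    """Return {connection pk: [reasons]} for connections that need review."""
    findings: dict[int, list[str]] = {}
    for conn in connections:
        reasons: list[str] = []
        user = users.get(conn["user"])
        if user is None:
            reasons.append("linked user does not exist")
        else:
            ident = conn["identifier"].lower()
            # Only e-mail-style identifiers can be cross-checked against the user
            # record; opaque provider ids (numeric ids, SAML NameIDs) are skipped.
            if "@" in ident and ident != user["email"].lower():
                reasons.append("identifier does not match linked user's e-mail")
            if user["is_superuser"]:
                reasons.append("linked user is a superuser")
        if reasons:
            findings[conn["pk"]] = reasons
    return findings


def relink_events(events) -> list[dict]:
    """Pick out model_updated events that rewrote a connection's user/group link."""
    hits = []
    for ev in events:
        if ev.get("action") != "model_updated":
            continue
        ctx = ev.get("context", {})
        model = ctx.get("model", {})
        field = SOURCE_CONNECTION_FIELDS.get((model.get("app"), model.get("model_name")))
        if field is None:
            continue  # not a source connection model
        change = ctx.get("diff", {}).get(field)
        if change is None:
            continue  # some other field changed, e.g. an identifier refresh
        hits.append({"event": ev["pk"], "actor": ev["user"]["username"],
                     "connection": model["pk"], "field": field,
                     "previous": change["previous_value"], "new": change["new_value"]})
    return hits


if __name__ == "__main__":
    for pk, reasons in audit_connections(CONNECTIONS, USERS).items():
        print(f"connection {pk}: {'; '.join(reasons)}")
    for hit in relink_events(EVENTS):
        print(f"event {hit['event']}: {hit['actor']} changed connection "
              f"{hit['connection']}.{hit['field']} {hit['previous']} -> {hit['new']}")
```

Run against a real export, the first function is a point-in-time inventory check and the second is a retrospective detection over the event log; both produce review items rather than verdicts, since a legitimate administrator may also relink a connection, so the actor and the privilege level of the target account are what decide whether a hit matters.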

Affected packages
  • goauthentik / authentik
    < 2025.12.6 · < 2026.2.4 · < 2026.5.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H