CVE-2026-49448 · Severity: CRITICAL · CNA: GitHub_M

CVE-2026-49448: authentik: SourceStage bypass via empty POST

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: (not listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication-bypass vulnerability exists in authentik, an open-source identity provider. The flaw is reachable over the network, requires no credentials, and needs no user interaction: an attacker can skip the Source stage entirely by sending an empty HTTP POST request. Successful exploitation has full impact on the confidentiality, integrity, and availability of the affected service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment fix versions are confirmed upstream.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images, in connected registries and CI/CD pipelines. Any image carrying an affected version of authentik is flagged automatically on first scan or re-scan after ingestion.

Triage: Available

HarborGuard is capable of scoring this finding at its full CVSS v3.1 severity of 9.8 (CRITICAL) and weighting it against each environment's compliance policy to determine escalation priority. Findings at this severity are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the authentik service via HTTP/HTTPS.

  • Authentication: Not required

    No credentials of any kind are needed; the bypass works against the unauthenticated Source stage flow.

  • Victim interaction: Not required

    The attacker sends a crafted request directly to the server; no user action or social engineering is involved.

  • Attack complexity: Low

    Exploit complexity is low: the attack requires only an empty POST request and is reliable without any race conditions or special environmental prerequisites.

Blast Radius

  • A successful attacker bypasses identity verification entirely, gaining unauthorized access to accounts or sessions protected by the Source stage.
  • With full integrity impact, the attacker can create, modify, or delete identity records, OAuth tokens, or provider configurations.
  • With full confidentiality impact, the attacker reads stored credentials, session tokens, user profile data, and any secrets managed by the identity provider.
  • With full availability impact, the attacker disrupts or crashes the authentication service, blocking legitimate users from logging in.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored on every ingest cycle because no upstream fix version has been published. Until a patch is released, HarborGuard surfaces affected images with a CRITICAL severity flag so teams can apply compensating controls, such as network-policy rules that restrict access to the authentik Source stage endpoint to trusted internal CIDRs only, egress filtering to limit lateral movement if a bypass occurs, and feature-flag or policy gating to disable the Source stage flow where operationally feasible. The moment goauthentik publishes a fix at versions 2025.12.6, 2026.2.4, or 2026.5.1, a patched-image rebuild becomes available on HarborGuard. For customers with auto-remediation enabled, the rebuild is followed by a regression test run and a PR opened against affected workloads automatically.

Affected packages
  • goauthentik / authentik: < 2025.12.6 · < 2026.2.4 · < 2026.5.1
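To decide whether a deployed authentik build falls inside the affected ranges above, the following added example (not HarborGuard's or authentik's code) parses authentik's YYYY.M.patch version strings and compares each one against the fix on its own YYYY.M branch rather than doing a single naive "less than" comparison, which would wrongly clear 2026.2.0 as newer than 2025.12.6. The inventory it scans is a constructed sample, and the rule that a version on a branch with no listed fix counts as affected unless it is at or above the newest fix is an assumption chosen for conservatism.

```python
"""Branch-aware affected-version check for CVE-2026-49448.

Added example, not code from HarborGuard or the authentik project.
"""
from __future__ import annotations

import re

# Fix versions from the advisory; each closes the issue on its own year.minor branch.
FIXED_VERSIONS = ("2025.12.6", "2026.2.4", "2026.5.1")

# Accepts an optional leading "v" and an optional pre-release suffix such as "rc1".
_VERSION_RE = re.compile(
    r"^v?(\d{4})\.(\d{1,2})\.(\d+)(?:[-.]?(rc|a|b)\d*)?$", re.IGNORECASE
)


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn 'YYYY.M.patch[rcN]' into a comparable tuple.

    The last element is 0 for a pre-release and 1 for a final release, so
    2026.2.4rc1 sorts below 2026.2.4 and is still treated as unpatched.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised authentik version string: {version!r}")
    year, minor, patch, pre = match.groups()
    return (int(year), int(minor), int(patch), 0 if pre else 1)


def is_affected(version: str, fixed: tuple[str, ...] = FIXED_VERSIONS) -> bool:
    """Return True when `version` is vulnerable to CVE-2026-49448.

    A version is fixed once it reaches the fix on its own year.minor branch.
    Branches with no listed fix are an assumption: they are treated as
    affected unless the version is at or above the newest listed fix.
    """
    parsed = parse_version(version)
    fixes = {fix[:2]: fix for fix in (parse_version(f) for f in fixed)}
    branch = parsed[:2]
    if branch in fixes:
        return parsed < fixes[branch]
    return parsed < max(fixes.values())


# Constructed sample inventory of deployment name -> running authentik version.
SAMPLE_INVENTORY = {
    "idp-prod": "2026.2.3",
    "idp-staging": "2026.2.4",
    "idp-legacy": "2025.10.1",
    "idp-canary": "v2026.5.1",
}


def affected_deployments(inventory: dict[str, str]) -> list[str]:
    """Names of inventory entries that run an affected version, sorted."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for name, ver in SAMPLE_INVENTORY.items():
        status = "AFFECTED" if is_affected(ver) else "fixed"
        print(f"{name:12} {ver:12} {status}")
```

The branch map is built from the advisory's fix list, so adding a further fix version later only requires appending it to FIXED_VERSIONS; the comparison logic does not change.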
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H