216.73.216.89

CVE-2026-41577

· Published 02/06/2026 20:16 · Modified 02/06/2026 20:16

Labels: CVE-2026-41577 2026-06-02CVE-2026-41577CWE-345[email protected]

Essential information

Published
02/06/2026 20:16
Modified
02/06/2026 20:16
Author
Creator
CVSS
6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
authentik / authentik cpe:2.3:a:authentik:authentik:<2025.12.5:*:*:*:*:*:*
authentik / authentik cpe:2.3:a:authentik:authentik:2026.2.3:*:*:*:*:*:*

References