CVE-2026-49443
authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Productos afectados
goauthentik · authentik¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →