Description

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker who can change a source connection and who holds an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.

Status: PUBLISHED | Reserved 2026-05-30 | Published 2026-06-02 | Updated 2026-06-03 | Assigner GitHub_M

Severity: HIGH 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-287: Improper Authentication

Product status

< 2025.12.6: affected
< 2026.2.4: affected
< 2026.5.1: affected

References

github.com/...hentik/security/advisories/GHSA-wr38-7xg8-fqxr exploit

github.com/...hentik/security/advisories/GHSA-wr38-7xg8-fqxr

cve.org (CVE-2026-49443)

nvd.nist.gov (CVE-2026-49443)