QwikSec

Security Database

CVE

CWE

Training

CVE-2026-25922

Published: Feb 12, 2026

Modified: Feb 17, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.

Vendor	Product	Versions
goauthentik	authentik	affected `< 2025.8.6` affected `>= 2025.10.0-rc1, < 2025.10.4` affected `>= 2025.10.0-rc1, < 2025.12.4`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/goauthentik/authentik/security/advisories/GHSA-jh35-c4cc-wjm4

x_refsource_CONFIRM

https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4

x_refsource_MISC

https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4

x_refsource_MISC

https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.