Goauthentik Vulnerabilities
Comprehensive security vulnerability database for Goauthentik products
3
0
1
3
Severity Distribution
| Description | Vendor / Product | Exploit Status | |||
|---|---|---|---|---|---|
| CVE-2026-25922 | 8.8 | An attacker can inject a harmful authentication message into the authentik identity provider, potentially allowing them to impersonate a legitimate user. This can happen if the system is configured to verify the signature of the assertion but not the response, or if it lacks proper encryption settings. | goauthentikauthentik | Theoretical | 8 days agoFeb 12, 2026 |
| CVE-2026-25748 | 7.5 | This vulnerability allows an attacker to bypass authentication and gain unauthorized access to systems using the authentik identity provider when it is set up with certain reverse proxies like Traefik or Caddy. This can happen if the attacker sends a specially crafted cookie, allowing them to access resources without proper credentials, but it only affects versions prior to the specified updates. | goauthentikauthentik | Exploit Available | 8 days agoFeb 12, 2026 |
| CVE-2026-25227 | 7.2 | This vulnerability allows an attacker with specific permissions to run arbitrary code on the authentik server, potentially taking control of the system. It affects versions from 2021.3.1 up to just before 2025.8.6, 2025.10.4, and 2025.12.4, and requires the attacker to have permission to view certain property mappings or policies. | goauthentikauthentik | Theoretical | 8 days agoFeb 12, 2026 |
About Goauthentik Security
This page tracks all publicly disclosed security vulnerabilities (CVEs) affecting Goauthentik products. Our database is updated in real-time from the National Vulnerability Database (NVD) and enriched with exploit information from GitHub and other security research sources.
Each CVE listing includes CVSS severity scores, exploit availability status, AI-powered vulnerability summaries, and links to official patches and security advisories.