Platform
go
Component
authentik
Fixed in
2021.3.2
2025.10.1
2025.10.1
CVE-2026-25227 is a critical Remote Code Execution (RCE) vulnerability discovered in authentik, an open-source identity provider. This flaw allows authenticated users with specific permissions to execute arbitrary code within the authentik server container. The vulnerability affects versions from 2021.3.1 up to, but excluding, 2025.12.4. A patch is available in version 2025.12.4.
The impact of this vulnerability is severe. An attacker who possesses the 'Can view * Property Mapping' or 'Can view Expression Policy' permission can leverage the test endpoint to execute arbitrary code on the authentik server. This could lead to complete system compromise, including data exfiltration, privilege escalation, and denial of service. The ability to execute arbitrary code within the container environment significantly expands the attack surface and potential damage. This vulnerability shares similarities with other privilege escalation exploits where seemingly benign permissions are abused to gain higher-level access.
CVE-2026-25227 was publicly disclosed on February 12, 2026. Its CVSS score of 9.1 (CRITICAL) reflects the high likelihood of exploitation and significant potential impact. While no public proof-of-concept (PoC) has been released as of this writing, the ease of exploitation given the required permissions suggests a high probability of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a significant risk to US critical infrastructure.
Exploit Status
EPSS
0.05% (15% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade authentik to version 2025.12.4 or later. If upgrading is not immediately feasible, consider restricting access to the test endpoint or revoking 'Can view * Property Mapping' and 'Can view Expression Policy' permissions from users who do not absolutely require them. Implement strict network segmentation to limit the potential blast radius in case of compromise. Monitor authentik logs for suspicious activity, particularly requests to the test endpoint from unauthorized users. After upgrading, confirm the fix by attempting to access the test endpoint with a user possessing the affected permissions and verifying that code execution is prevented.
Actualice authentik a la versión 2025.8.6, 2025.10.4 o 2025.12.4, o a una versión posterior. Esto corrige la vulnerabilidad de ejecución remota de código a través de la inyección de claves de contexto en el endpoint de prueba de PropertyMapping.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-25227 is a critical Remote Code Execution vulnerability in authentik, allowing authenticated users with specific permissions to execute arbitrary code on the server.
You are affected if you are running authentik versions 2021.3.1 through 2025.12.4 and have users with 'Can view * Property Mapping' or 'Can view Expression Policy' permissions.
Upgrade to authentik version 2025.12.4 or later. As a temporary workaround, restrict access to the test endpoint or revoke the vulnerable permissions.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the authentik security advisory on their official website: [https://github.com/authentikapp/authentik/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual URL when available)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.