Platform
go
Component
authentik
Fixed versions
2021.3.2
2025.10.1
CVE-2026-25227 is a critical remote code execution (RCE) vulnerability in authentik, an open-source identity provider. An authenticated user who holds certain permissions can abuse the PropertyMapping test endpoint (context key injection) to execute arbitrary code inside the authentik server container. Versions from 2021.3.1 up to the fixed releases are affected; the fix is available in 2025.8.6, 2025.10.4 and 2025.12.4.
The impact is severe. An attacker holding the 'Can view * Property Mapping' or 'Can view Expression Policy' permission can use the test endpoint to run arbitrary code on the authentik server, in the identity provider's own process. From there everything the server process can reach is exposed, including its database and any secrets available to the container, which amounts to complete compromise of the identity layer: data exfiltration, privilege escalation and denial of service. The pattern is a familiar privilege-escalation one: a read-only-sounding 'view' permission unlocks a debugging feature that evaluates code.
CVE-2026-25227 was publicly disclosed on February 12, 2026. Its CVSS score of 9.1 (CRITICAL) reflects the severity of the impact (code execution in the server container), not the likelihood of exploitation; the EPSS estimate on this page (0.05%, 15th percentile) currently puts the probability of in-the-wild exploitation low. No public proof-of-concept (PoC) has been released as of this writing. The preconditions are nonetheless modest: any authenticated user with either permission can reach the test endpoint, so exploitation should be assumed feasible. The vulnerability has been added to the CISA KEV catalog, indicating a significant risk to US critical infrastructure.
Any organization running an affected authentik version with delegated (non-superuser) permissions is at risk: a user who was granted only the 'view' permission on property mappings or expression policies can reach the test endpoint. Multi-tenant or shared deployments are the worst case, since one tenant's compromised account yields code execution on a server shared with the others. Long-lived deployments whose permission assignments predate a recent RBAC review should be audited, because the two permissions may have been granted more broadly than intended.
Detection checks:
• linux / server: search the authentik service journal for requests to the test endpoints (the request path, not the phrase "test endpoint", is what appears in the log)
journalctl -u authentik -g '(propertymappings|property-mappings|expression-policies|policies)/.*test'
• linux / server: confirm which authentik processes are running (a request path never appears in a process listing, so only the presence of the service can be checked here)
ps aux | grep '[a]uthentik'
• generic web: probe whether the test routes are exposed; the real test calls are POST, so an unauthenticated HEAD should be refused (401/403) or unknown (404)
curl -I https://<authentik_server>/admin/property-mappings/test
• generic web:
curl -I https://<authentik_server>/admin/expression-policies/test
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade authentik immediately to 2025.8.6, 2025.10.4 or 2025.12.4 (or later in the respective release line). If upgrading is not immediately feasible, restrict access to the test endpoint (for example at the reverse proxy) and revoke the 'Can view * Property Mapping' and 'Can view Expression Policy' permissions from every user who does not strictly need them. Apply network segmentation around the authentik server to limit the blast radius of a compromise. Monitor authentik logs for requests to the test endpoint, especially from accounts that have no reason to test mappings or policies. After upgrading, confirm the fix by exercising the test endpoint as a user who holds the affected permissions and verifying that injected context no longer leads to code execution.
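The detection checks above and the log-monitoring advice here both come down to the same question: which accounts are POSTing to the property-mapping or expression-policy test endpoints, and are they accounts you expect? The script below is an added example, not authentik's own code. It assumes authentik writes one JSON object per log line with the keys "event" (request path), "method", "status", "user", "remote" and "timestamp" (verify against a real line from your deployment and rename if needed), and it treats both the /admin/... paths quoted on this page and an assumed /api/v3/.../test/ form as test endpoints. The sample log is constructed.

```python
"""Triage authentik request logs for calls to the property-mapping and
expression-policy test endpoints (the endpoints abused in CVE-2026-25227).

Added example, not authentik's code. Assumptions not taken from the
advisory: one JSON object per log line, carrying "event" (request path),
"method", "status", "user", "remote" and "timestamp".
"""
import json
import re
import sys
from collections import Counter

# Request paths treated as test endpoints. The /admin/... forms are the ones
# quoted on this page; the /api/v3/.../test/ form is an assumed API-style path.
TEST_PATH_RE = re.compile(
    r"^/(?:admin/(?:property-mappings|expression-policies)/test"
    r"|api/v3/(?:propertymappings|policies)/(?:[^/]+/)*test)/?$"
)

# Constructed sample log (not real data). Only akadmin is expected to use
# the test endpoints; helpdesk-bob and svc-ci are not.
SAMPLE_LOG = """\
{"event": "/api/v3/core/users/me/", "method": "GET", "status": 200, "user": "akadmin", "remote": "10.0.0.5", "timestamp": "2026-02-13T09:00:01Z", "logger": "authentik.asgi"}
{"event": "/api/v3/propertymappings/all/8d1b9f2e-0f0c-4c2d-9d5b-0a5e2f7c1a3b/test/", "method": "POST", "status": 200, "user": "akadmin", "remote": "10.0.0.5", "timestamp": "2026-02-13T09:00:07Z", "logger": "authentik.asgi"}
not a json line at all
{"event": "/api/v3/policies/all/5c6a1d20-7b3e-4f9a-8e21-3d4f5a6b7c8d/test/", "method": "POST", "status": 200, "user": "helpdesk-bob", "remote": "203.0.113.9", "timestamp": "2026-02-13T09:14:22Z", "logger": "authentik.asgi"}
{"event": "/admin/property-mappings/test", "method": "POST", "status": 403, "user": "helpdesk-bob", "remote": "203.0.113.9", "timestamp": "2026-02-13T09:14:40Z", "logger": "authentik.asgi"}
{"event": "/api/v3/propertymappings/all/8d1b9f2e-0f0c-4c2d-9d5b-0a5e2f7c1a3b/test/?format=json", "method": "POST", "status": 200, "user": "svc-ci", "remote": "10.0.2.17", "timestamp": "2026-02-13T09:31:05Z", "logger": "authentik.asgi"}
{"event": "/api/v3/propertymappings/all/8d1b9f2e-0f0c-4c2d-9d5b-0a5e2f7c1a3b/", "method": "GET", "status": 200, "user": "helpdesk-bob", "remote": "203.0.113.9", "timestamp": "2026-02-13T09:32:00Z", "logger": "authentik.asgi"}
"""


def parse_line(line):
    """Return the log record as a dict, or None for non-JSON / non-request lines."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "event" not in rec:
        return None
    return rec


def is_test_call(rec):
    """True if the record is a POST to one of the test endpoints (query string ignored)."""
    path = str(rec.get("event", "")).split("?", 1)[0]
    method = str(rec.get("method") or "").upper()
    return method == "POST" and TEST_PATH_RE.match(path) is not None


def triage(lines, allowed_users):
    """Scan log lines; return (test calls per user, findings for users off the allowlist).

    Every test-endpoint POST is counted, rejected ones (4xx) included: an
    attempt by an account that should not be testing mappings is a signal
    whether or not it succeeded.
    """
    per_user = Counter()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_test_call(rec):
            continue
        user = rec.get("user") or "<anonymous>"
        per_user[user] += 1
        if user not in allowed_users:
            findings.append({
                "timestamp": rec.get("timestamp"),
                "user": user,
                "remote": rec.get("remote"),
                "path": rec["event"],
                "status": rec.get("status"),
            })
    return per_user, findings


def main(argv):
    # Usage: python triage_test_calls.py [authentik.log] [allowed_user ...]
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    allowed = set(argv[2:]) or {"akadmin"}
    per_user, findings = triage(lines, allowed)
    for user, n in per_user.most_common():
        print(f"{n:4d}  {user}")
    for f in findings:
        print(f"ALERT {f['timestamp']} user={f['user']} remote={f['remote']} "
              f"status={f['status']} path={f['path']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample triaged (two alerts for helpdesk-bob, one for svc-ci), or point it at an exported log and list the accounts that legitimately test mappings. The non-zero exit status when findings exist makes it easy to drop into a cron job or SIEM collector; what it cannot tell you is the payload, since request bodies are not logged, so a hit is a prompt to pull the session and the user's recent changes, not proof of exploitation.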
Update authentik to version 2025.8.6, 2025.10.4 or 2025.12.4, or a later release. This fixes the remote code execution vulnerability caused by context key injection in the PropertyMapping test endpoint.
CVE-2026-25227 is a critical remote code execution vulnerability in authentik: an authenticated user holding specific permissions can execute arbitrary code on the server through the PropertyMapping test endpoint.
You are affected if you run authentik 2021.3.1 or later without the fix (older than 2025.8.6, 2025.10.4 or 2025.12.4 in the respective release line) and have non-superuser users holding the 'Can view * Property Mapping' or 'Can view Expression Policy' permission.
Upgrade to authentik 2025.8.6, 2025.10.4 or 2025.12.4, or later. As a temporary workaround, restrict access to the test endpoint (for example at the reverse proxy) or revoke the two permissions from users who do not need them.
No public exploit is known as of this writing and the EPSS estimate is low (0.05%), but the preconditions are modest (any authenticated user with one of the two permissions), so treat the upgrade as urgent.
Refer to the authentik security advisory on their official website: [https://github.com/authentikapp/authentik/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual URL when available)