Platform: go
Component: authentik
Fixed in: 2021.3.2, 2025.10.1
CVE-2026-25227 is a critical Remote Code Execution (RCE) vulnerability discovered in authentik, an open-source identity provider. This flaw allows authenticated users with specific permissions to execute arbitrary code within the authentik server container. The vulnerability affects versions from 2021.3.1 up to, but excluding, 2025.12.4. A patch is available in version 2025.12.4.
The impact of this vulnerability is severe. An attacker who possesses the 'Can view * Property Mapping' or 'Can view Expression Policy' permission can leverage the test endpoint to execute arbitrary code on the authentik server. This could lead to complete system compromise, including data exfiltration, privilege escalation, and denial of service. The ability to execute arbitrary code within the container environment significantly expands the attack surface and potential damage. This vulnerability shares similarities with other privilege escalation exploits where seemingly benign permissions are abused to gain higher-level access.
CVE-2026-25227 was publicly disclosed on February 12, 2026. Its CVSS score of 9.1 (CRITICAL) reflects the high likelihood of exploitation and significant potential impact. While no public proof-of-concept (PoC) has been released as of this writing, the low effort required once a user holds the necessary permissions suggests a high probability of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a significant risk to US critical infrastructure.
Organizations relying on authentik for identity management, particularly those with delegated permissions configured, are at risk. Shared hosting environments where multiple users have access to authentik instances are especially vulnerable, as a compromised user on one instance could potentially impact others. Legacy authentik deployments with outdated permission configurations are also at increased risk.
• linux / server: `journalctl -u authentik -g 'test endpoint'`
• linux / server: `ps aux | grep authentik | grep 'test endpoint'`
• generic web: `curl -I https://<authentik_server>/admin/property-mappings/test`
• generic web: `curl -I https://<authentik_server>/admin/expression-policies/test`
EPSS: 0.05% (15th percentile)
The primary mitigation is to immediately upgrade authentik to version 2025.12.4 or later. If upgrading is not immediately feasible, consider restricting access to the test endpoint or revoking 'Can view * Property Mapping' and 'Can view Expression Policy' permissions from users who do not absolutely require them. Implement strict network segmentation to limit the potential blast radius in case of compromise. Monitor authentik logs for suspicious activity, particularly requests to the test endpoint from unauthorized users. After upgrading, confirm the fix by attempting to access the test endpoint with a user possessing the affected permissions and verifying that code execution is prevented.
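As an added example (not code from this page or from the authentik project), the following Python script turns the advice above into three checks: whether a deployed version falls in the affected range stated above, which users hold a permission matching the two permission strings named in the advisory (treating the `*` in 'Can view * Property Mapping' as a wildcard), and which requests to the two test-endpoint paths listed above came from users outside an expected set. The JSON log format, the way permissions are attached to user records, and the sample users and log lines are constructed assumptions.

```python
import json
from fnmatch import fnmatchcase

# Endpoint paths as listed on this page; the '*' pattern is from the advisory text.
TEST_ENDPOINTS = ("/admin/property-mappings/test", "/admin/expression-policies/test")
RISKY_PERMISSION_PATTERNS = ("Can view * Property Mapping", "Can view Expression Policy")

def parse_version(version):
    """authentik versions are calendar-style 'YYYY.M.P'; compare as integer tuples."""
    return tuple(int(part) for part in version.split("."))

def is_affected(version):
    """True when 2021.3.1 <= version < 2025.12.4 (the range stated in the advisory)."""
    v = parse_version(version)
    return parse_version("2021.3.1") <= v < parse_version("2025.12.4")

def users_with_risky_permissions(users):
    """users: list of {'username': str, 'permissions': [str]} records (constructed format)."""
    risky = []
    for user in users:
        if any(fnmatchcase(perm, pattern)
               for perm in user["permissions"]
               for pattern in RISKY_PERMISSION_PATTERNS):
            risky.append(user["username"])
    return sorted(risky)

def flag_test_endpoint_requests(log_lines, expected_users):
    """Return (user, path) for each test-endpoint request not made by an expected user.
    Assumes one JSON object per line with 'user' and 'path' keys; other lines are skipped."""
    hits = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue
        path = record.get("path", "")
        if any(path.startswith(endpoint) for endpoint in TEST_ENDPOINTS):
            user = record.get("user", "<unknown>")
            if user not in expected_users:
                hits.append((user, path))
    return hits

# Constructed sample data for a stand-alone run.
SAMPLE_USERS = [
    {"username": "alice", "permissions": ["Can view SAML Property Mapping"]},
    {"username": "bob", "permissions": ["Can view User"]},
    {"username": "carol", "permissions": ["Can view Expression Policy", "Can view Group"]},
]
SAMPLE_LOGS = [
    '{"user": "alice", "path": "/admin/property-mappings/test", "method": "POST"}',
    '{"user": "dave", "path": "/admin/expression-policies/test", "method": "POST"}',
    '{"user": "bob", "path": "/api/v3/core/users/", "method": "GET"}',
    "not a json line",
]
```

Run against real exports, `users_with_risky_permissions` gives the revocation list the mitigation calls for, and `flag_test_endpoint_requests` gives the log hits worth investigating.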
Upgrade authentik to version 2025.8.6, 2025.10.4 or 2025.12.4, or to a later version. This fixes the remote code execution vulnerability caused by context-key injection in the PropertyMapping test endpoint.
CVE-2026-25227 is a critical Remote Code Execution vulnerability in authentik, allowing authenticated users with specific permissions to execute arbitrary code on the server.
You are affected if you are running authentik versions 2021.3.1 through 2025.12.4 and have users with 'Can view * Property Mapping' or 'Can view Expression Policy' permissions.
Upgrade to authentik version 2025.12.4 or later. As a temporary workaround, restrict access to the test endpoint or revoke the vulnerable permissions.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the authentik security advisory on the project's official site: https://github.com/authentikapp/authentik/security/advisories/GHSA-xxxx-xxxx-xxxx (replace with actual URL when available)