平台
go
组件
authentik
修复版本
2021.3.2
2025.10.1
2025.10.1
CVE-2026-25227 is a critical Remote Code Execution (RCE) vulnerability discovered in authentik, an open-source identity provider. This flaw allows authenticated users with specific permissions to execute arbitrary code within the authentik server container. The vulnerability affects versions from 2021.3.1 up to, but excluding, 2025.12.4. A patch is available in version 2025.12.4.
The impact of this vulnerability is severe. An attacker who possesses the 'Can view * Property Mapping' or 'Can view Expression Policy' permission can leverage the test endpoint to execute arbitrary code on the authentik server. This could lead to complete system compromise, including data exfiltration, privilege escalation, and denial of service. The ability to execute arbitrary code within the container environment significantly expands the attack surface and potential damage. This vulnerability shares similarities with other privilege escalation exploits where seemingly benign permissions are abused to gain higher-level access.
CVE-2026-25227 was publicly disclosed on February 12, 2026. Its CVSS score of 9.1 (CRITICAL) reflects the high likelihood of exploitation and significant potential impact. While no public proof-of-concept (PoC) has been released as of this writing, the ease of exploitation given the required permissions suggests a high probability of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a significant risk to US critical infrastructure.
Organizations relying on authentik for identity management, particularly those with delegated permissions configured, are at risk. Shared hosting environments where multiple users have access to authentik instances are especially vulnerable, as a compromised user on one instance could potentially impact others. Legacy authentik deployments with outdated permission configurations are also at increased risk.
• linux / server:
journalctl -u authentik -g 'test endpoint'• linux / server:
ps aux | grep authentik | grep 'test endpoint'• generic web:
curl -I https://<authentik_server>/admin/property-mappings/test• generic web:
curl -I https://<authentik_server>/admin/expression-policies/testdisclosure
patch
漏洞利用状态
EPSS
0.05% (15% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation is to immediately upgrade authentik to version 2025.12.4 or later. If upgrading is not immediately feasible, consider restricting access to the test endpoint or revoking 'Can view * Property Mapping' and 'Can view Expression Policy' permissions from users who do not absolutely require them. Implement strict network segmentation to limit the potential blast radius in case of compromise. Monitor authentik logs for suspicious activity, particularly requests to the test endpoint from unauthorized users. After upgrading, confirm the fix by attempting to access the test endpoint with a user possessing the affected permissions and verifying that code execution is prevented.
将 authentik 更新到 2025.8.6、2025.10.4 或 2025.12.4 版本,或更高版本。这修复了通过 PropertyMapping 测试端点中的上下文键注入进行远程代码执行的漏洞。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-25227 is a critical Remote Code Execution vulnerability in authentik, allowing authenticated users with specific permissions to execute arbitrary code on the server.
You are affected if you are running authentik versions 2021.3.1 through 2025.12.4 and have users with 'Can view * Property Mapping' or 'Can view Expression Policy' permissions.
Upgrade to authentik version 2025.12.4 or later. As a temporary workaround, restrict access to the test endpoint or revoke the vulnerable permissions.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the authentik security advisory on their official website: [https://github.com/authentikapp/authentik/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual URL when available)
上传你的 go.mod 文件,立即知道是否受影响。