# CVE-2026-49448 – Authentication Bypass – authentik Identity Provider prior to 2025.12.6 / 2026.2….

## Summary

**CVE-2026-49448** is a critical authentication bypass vulnerability (CVSS 9.8) in **authentik**, an open-source identity provider (IdP) developed by goauthentik. The flaw resides in the Source stage of authentik’s authentication flow pipeline, which can be completely bypassed by submitting an empty HTTP POST request, allowing an unauthenticated remote attacker to skip the authentication step entirely and advance through the flow without completing identity verification. All versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 are affected.

### Technical details

- **Root cause:** In `SourceStageView.dispatch()`, when a POST request is received without a restore token, execution falls through to `super().dispatch()` → Django `View.dispatch()` → `ChallengeStageView.post()`. Because `ChallengeResponse(data={}).is_valid()` returns `True` even with an empty request body, `challenge_valid()` is called and `stage_ok()` advances the authentication flow — fully bypassing the Source stage without any identity verification having occurred. The vulnerability is classified as CWE-287 (Improper Authentication).
- **Trigger condition:** A Source stage must be bound to a flow and the configured source must expose a `ui_login_button`. Any unauthenticated attacker who can reach the Source stage endpoint over the network can trigger the bypass with a single empty POST request.
- **Attack vector:** Unauthenticated network request — no credentials, session tokens, or prior access required (AV:N/AC:L/PR:N/UI:N).
- **Impact:** Full authentication bypass against an identity provider. An attacker who successfully exploits this vulnerability can skip the Source stage entirely and gain unauthorized access to all downstream applications and resources protected by the affected authentik instance, with high confidentiality, integrity, and availability impact.
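The control-flow mistake in the root-cause bullet, modelled in plain Python beside a hardened variant. This is an added, constructed illustration, not authentik's code or the vendor's patch; the `VALID_RESTORE_TOKENS` set and the `HardenedSourceStage` class are assumptions standing in for the real restore-token check and the fix.

```python
# Constructed model of the dispatch pattern described above; not authentik's
# code. The restore token stands in for proof that the external source
# actually authenticated the user (assumed name and value).
VALID_RESTORE_TOKENS = {"tok-from-source-callback"}


class ChallengeResponse:
    """Response schema with no required fields, so an empty body validates."""

    def __init__(self, data):
        self.data = data

    def is_valid(self):
        return True  # {} passes: nothing is required


class VulnerableSourceStage:
    """A POST without a restore token falls through to the generic handler."""

    def __init__(self):
        self.advanced = False

    def stage_ok(self):
        self.advanced = True
        return "advance"

    def dispatch(self, data, restore_token=None):
        if restore_token in VALID_RESTORE_TOKENS:
            return self.stage_ok()  # legitimate return from the source
        return self.post(data)      # super().dispatch() -> View.dispatch() -> post()

    def post(self, data):
        if ChallengeResponse(data).is_valid():  # True even for data == {}
            return self.stage_ok()              # challenge_valid() -> stage_ok()
        return "challenge"


class HardenedSourceStage(VulnerableSourceStage):
    """Only a verified restore token advances; anything else re-issues the challenge."""

    def dispatch(self, data, restore_token=None):
        if restore_token in VALID_RESTORE_TOKENS:
            return self.stage_ok()
        return "challenge"  # show the source's login button again, never advance
```

The vulnerable class advances on an empty body because validation succeeds vacuously; the hardened class makes the restore token, not the schema check, the only path to `stage_ok()`.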

### Affected software

- authentik all versions prior to **2025.12.6** (2025.12.x branch — versions ≤ 2025.12.5)
- authentik all versions prior to **2026.2.4** (2026.2.x branch — versions ≤ 2026.2.3)
- authentik all versions prior to **2026.5.1** (2026.5.x branch — versions ≤ 2026.5.0)

### Severity

- **CVSS v3.1 Base Score:** 9.8 (Critical)
- **Vector String:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

### Mitigation and recommended actions

- **Immediate action — upgrade to a patched release:**
  - Branch 2025.12.x → upgrade to **2025.12.6** or later
  - Branch 2026.2.x → upgrade to **2026.2.4** or later
  - Branch 2026.5.x → upgrade to **2026.5.1** or later
- **If immediate patching is not feasible:** No official workarounds are documented by the vendor. As a temporary compensating control, restrict network access to the authentik instance to trusted sources only and ensure Source stage login flow endpoints are not reachable from untrusted networks while patching is scheduled.
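A branch-aware version check for the affected ranges above, useful for triaging an inventory of authentik instances. This is an added example, not IONIX or authentik tooling; it assumes authentik's year.month.patch version scheme as printed in this advisory and, as a conservative assumption the advisory does not state, treats any unlisted branch older than 2026.5 as affected.

```python
# Added illustration of the advisory's affected ranges; not vendor tooling.
import re

# (branch year, branch month) -> first fixed patch level, from the advisory
FIXED = {(2025, 12): 6, (2026, 2): 4, (2026, 5): 1}


def parse_version(text):
    """'2026.2.3' or 'v2026.2.3-rc1' -> (2026, 2, 3); pre-release tags are dropped."""
    m = re.match(r"v?(\d{4})\.(\d{1,2})\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised authentik version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Return (affected, recommended_upgrade_target) for one version string.

    A version is affected if it is below the fix release of its own branch.
    An unlisted branch older than the newest fixed branch (for example a
    2025.10.x install) is treated as affected and pointed at the next fixed
    release; this is a conservative assumption, not a statement of the page.
    Branches newer than 2026.5 fall outside the advisory's ranges.
    """
    year, month, patch = parse_version(text)
    branch = (year, month)
    if branch in FIXED:
        if patch < FIXED[branch]:
            return (True, f"{year}.{month}.{FIXED[branch]}")
        return (False, None)
    later = sorted(b for b in FIXED if b > branch)
    if later:
        y, m = later[0]
        return (True, f"{y}.{m}.{FIXED[later[0]]}")
    return (False, None)
```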

## IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

IONIX customers have been notified of their exposures to this CVE/threat

Get Real-Time CVE Alerts to Your Email

Be the first to know when new zero-days emerge

## How IONIX’s External Exposure Management Platform Detects and Validates Zero-Days to Shrink MTTR

1. **Map your entire attack surface (continuously)**

   IONIX uses multi-factor discovery methods, including DNS analysis, certificate mapping, metadata inspection, and more, to automatically map every internet-facing asset across your environment. This includes cloud instances, third-party platforms, shadow IT, and even forgotten infrastructure that traditional tools miss.

2. **Monitor for new CVEs**

   Dozens of threat intelligence feeds are continuously analyzed with agentic technology to detect the appearance of proof-of-concept code, exploit kits, and indicators of active targeting. IONIX goes further by applying AI to proactively evaluate whether emerging vulnerabilities are likely to be exploited, even before PoCs go public.

3. **Identify potential external exposures**

   Not all CVEs matter. IONIX filters vulnerabilities by asking attacker-centric questions: Can it be reached from the internet? Does it require authentication? Is it being exploited in the wild? This dramatically reduces noise and focuses teams on threats that can actually be weaponized.

4. **Create safe, scalable exploit validations**

   IONIX transforms real-world PoCs into safe, non-intrusive test payloads that can be run in production environments without disruption. These simulations are precisely targeted at the systems that are vulnerable, ensuring rapid validation without unnecessary load.

5. **Execute exploit validations**

   By combining context about software stack, versioning, exposure status, and reachability, IONIX ensures that only the right payloads are executed against the right assets, maximizing efficiency and minimizing risk.

6. **Drive fast and actionable remediation**

   Results are routed through integrations with ticketing, SOAR, and SIEM tools. Issues are written in plain language, bundled into remediation clusters, and prioritized based on asset criticality, exploitability, and blast radius. This shortens mean time to remediation (MTTR) and empowers teams to act with confidence.