CVE-2026-25922: CWE-287: Improper Authentication in goauthentik authentik
CVE-2026-25922 is a high-severity improper authentication vulnerability in the open-source identity provider authentik. It affects versions prior to 2025.8.6, 2025.10.4, and 2025.12.4 when using a SAML Source configured to verify only the assertion signature but not the response signature, or lacking encryption certificate settings. An attacker can inject a malicious SAML assertion before the legitimate signed assertion, causing authentik to accept the malicious assertion and bypass authentication controls. This vulnerability impacts confidentiality, integrity, and availability, allowing potential unauthorized access without user interaction and with low attack complexity.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-25922 affects the open-source identity provider authentik, specifically in its handling of SAML authentication assertions. In versions prior to 2025.8.6, 2025.10.4, and 2025.12.4, when a SAML Source is configured to verify only the assertion signature (via the 'Verify Assertion Signature' option) but not the response signature, or when the 'Encryption Certificate' setting under Advanced Protocol settings is not configured, authentik fails to properly validate the authenticity of the entire SAML response. This improper authentication (CWE-287) allows an attacker to inject a malicious SAML assertion before the legitimate signed assertion within the SAML response. Due to the verification logic, authentik mistakenly uses the injected malicious assertion instead of the signed one, effectively bypassing authentication controls. This flaw can lead to unauthorized access, privilege escalation, and compromise of user identity integrity. The vulnerability is exploitable remotely without user interaction and requires only low privileges (PR:L), making it relatively easy to exploit in network-exposed environments. The CVSS 3.1 base score of 8.8 reflects the high impact on confidentiality, integrity, and availability, as well as the ease of exploitation. The issue was addressed in authentik versions 2025.8.6, 2025.10.4, and 2025.12.4 by correcting the SAML assertion verification process and enforcing stricter validation of signatures and encryption certificates.
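To make the verification-logic failure concrete, the following added example (written for this page, not authentik's code) contrasts the weak pattern of consuming the first Assertion in a SAML Response with a hardened selector that only consumes an Assertion that is the sole one present and carries a signature Reference to its own ID. The Response fixture, IDs and NameID values are constructed, and the ds:Signature element is a structural stand-in; no XML-DSig is computed or verified here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed fixtures (not real authentik traffic). The ds:Signature element is
# only a structural stand-in; no cryptographic verification happens in this file.
INJECTED = ('<saml:Assertion ID="_injected">'
            '<saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>'
            '</saml:Assertion>')
SIGNED = ('<saml:Assertion ID="_legit">'
          '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_legit"/>'
          '</ds:SignedInfo></ds:Signature>'
          '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
          '</saml:Assertion>')


def build_response(*assertions):
    """Wrap assertion fragments in an unsigned samlp:Response envelope."""
    head = '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1">' % (
        NS["samlp"], NS["saml"], NS["ds"])
    return head + "".join(assertions) + "</samlp:Response>"


def _name_id(assertion):
    return assertion.find("saml:Subject/saml:NameID", NS).text


def first_assertion_name_id(xml):
    """Weak pattern: act on the first Assertion in document order, which need
    not be the Assertion whose signature was checked."""
    root = ET.fromstring(xml)
    return _name_id(root.find("saml:Assertion", NS))


def signed_assertion_name_id(xml):
    """Hardened pattern: exactly one Assertion anywhere in the Response, as a
    direct child, signed over its own ID. Any deviation raises ValueError.
    A real validator must also verify the Signature cryptographically."""
    root = ET.fromstring(xml)
    found = root.findall(".//saml:Assertion", NS)
    if len(found) != 1 or found[0] not in list(root):
        raise ValueError("expected exactly one top-level Assertion, got %d" % len(found))
    a = found[0]
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        raise ValueError("Assertion is not signed over its own ID")
    return _name_id(a)


def accepts(xml):
    """True if the hardened selector would consume this Response."""
    try:
        signed_assertion_name_id(xml)
        return True
    except ValueError:
        return False
```

Production code should parse untrusted XML with a hardened parser such as defusedxml and verify the enveloped signature with a maintained XML-DSig library before reading any Subject data.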
Potential Impact
For European organizations, this vulnerability poses a significant risk to identity and access management systems that rely on authentik as an identity provider, especially those using SAML for federated authentication. Exploitation could allow attackers to impersonate legitimate users, gain unauthorized access to sensitive systems and data, and potentially move laterally within networks. This threatens the confidentiality of personal and corporate data, the integrity of authentication processes, and the availability of services relying on authentik for access control. Sectors such as finance, healthcare, government, and critical infrastructure that depend on strong identity verification are particularly vulnerable. Given the widespread adoption of open-source IAM solutions in Europe and the increasing use of SAML in enterprise environments, the impact could be broad. Additionally, regulatory frameworks like GDPR impose strict requirements on identity and access controls, so exploitation could lead to compliance violations and financial penalties.
Mitigation Recommendations
Organizations should immediately upgrade authentik to versions 2025.8.6, 2025.10.4, or 2025.12.4 where the vulnerability is fixed. Beyond patching, administrators must audit SAML Source configurations to ensure that both 'Verify Assertion Signature' and 'Verify Response Signature' options are enabled to enforce comprehensive signature validation. The 'Encryption Certificate' setting under Advanced Protocol settings should be properly configured to prevent unsigned or unencrypted assertions from being accepted. Implement strict monitoring and logging of authentication events to detect anomalous SAML assertions or unexpected authentication flows. Employ network segmentation and access controls to limit exposure of authentik instances to untrusted networks. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block malformed or suspicious SAML responses. Finally, conduct regular security assessments and penetration tests focused on identity provider configurations to proactively identify weaknesses.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T16:22:17.785Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698e2eb9c9e1ff5ad808ac35
Added to database: 2/12/2026, 7:49:13 PM
Last enriched: 2/12/2026, 8:03:39 PM
Last updated: 2/12/2026, 8:56:26 PM