CVE-2026-25922 is an improper authentication vulnerability (CWE-287) in the open-source identity provider authentik, specifically affecting its handling of SAML assertions. The issue occurs when a SAML Source is configured with the 'Verify Assertion Signature' option enabled but not 'Verify Response Signature', or when the 'Encryption Certificate' setting under Advanced Protocol settings is not configured. Under these conditions, an attacker can inject a malicious SAML assertion before the legitimate signed assertion. Due to the flawed verification logic, authentik processes the injected assertion instead of the legitimate one, effectively bypassing authentication controls. This vulnerability allows an attacker to impersonate users or escalate privileges without proper authentication. The flaw impacts authentik versions prior to 2025.8.6, 2025.10.4, and 2025.12.4, which include patches addressing this issue. The CVSS v3.1 base score is 8.8 (high), reflecting network exploitability with low attack complexity, requiring privileges but no user interaction, and resulting in high confidentiality, integrity, and availability impacts. No known exploits are currently reported in the wild. The vulnerability stems from improper signature verification logic in SAML assertion processing, a critical component in federated identity management. This can lead to unauthorized access to protected resources and compromise of identity assertions, undermining trust in authentication mechanisms.

The impact of CVE-2026-25922 is significant for organizations relying on authentik as their identity provider, especially those using SAML-based authentication. Successful exploitation allows attackers to bypass authentication controls, impersonate legitimate users, and gain unauthorized access to sensitive systems and data. This can lead to data breaches, privilege escalation, and disruption of services. The compromise of identity assertions undermines the integrity of authentication workflows, potentially affecting multiple connected applications and services. Given the high CVSS score, the vulnerability poses a critical risk to confidentiality, integrity, and availability of organizational assets. Enterprises in sectors such as finance, healthcare, government, and technology that use authentik for identity federation and single sign-on are particularly vulnerable. The attack requires network access and some privileges, which may limit exploitation to insiders or attackers who have already gained partial access, but the lack of user interaction requirement increases the threat level. The absence of known exploits in the wild suggests a window for proactive patching before widespread attacks occur.

To mitigate CVE-2026-25922, organizations should immediately upgrade authentik to versions 2025.8.6, 2025.10.4, or 2025.12.4 or later, where the vulnerability is fixed. Review and audit SAML Source configurations to ensure that both 'Verify Assertion Signature' and 'Verify Response Signature' options are enabled, and that the 'Encryption Certificate' setting under Advanced Protocol settings is properly configured. Implement strict validation of SAML assertions and responses to prevent injection of unauthorized assertions. Employ network segmentation and access controls to limit exposure of authentik services to trusted networks and users. Monitor authentication logs for unusual assertion patterns or repeated authentication failures that may indicate exploitation attempts. Consider deploying Web Application Firewalls (WAFs) with rules targeting malformed or suspicious SAML traffic. Conduct regular security assessments and penetration tests focusing on identity provider configurations. Educate administrators on secure SAML configuration best practices to avoid misconfigurations that enable such vulnerabilities. Maintain an incident response plan tailored to identity provider compromises.