CVE-2026-40172: CWE-269: Improper Privilege Management in goauthentik authentik
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege escalation. This bypasses the stricter permission model enforced in group-management paths and enables delegated user-management permissions to escalate target users to administrator-equivalent privilege. Users with permissions to update groups or permissions to update users are able to add themselves or other users they have permissions on to users which have superuser permissions. This issue has been fixed in versions 22025.12.5 and 2026.2.3.
AI Analysis
Technical Summary
The vulnerability (CVE-2026-40172) in authentik allows users who have permission to change a user to escalate privileges by assigning superuser groups via the UserSerializer in the PATCH /api/v3/core/users/{pk}/ API endpoint. This occurs because the API does not enforce the enable_group_superuser requirement, which is otherwise enforced in group-management paths. Consequently, delegated user-management permissions can be abused to grant administrator-level privileges. The flaw affects authentik versions before 2025.12.5 and versions from 2026.2.0-rc1 through 2026.2.2. The issue is resolved in versions 2025.12.5 and 2026.2.3.
Potential Impact
An attacker with change_user permission on a target user can escalate privileges by assigning superuser groups to that user, effectively gaining administrator-equivalent access. This compromises the integrity and security of the authentik identity provider environment. The vulnerability has a CVSS 3.1 score of 8.1 (high severity), indicating high impact on integrity and availability without requiring user interaction and with low attack complexity.
Mitigation Recommendations
Upgrade authentik to version 2025.12.5 or later, or to version 2026.2.3 or later, where this vulnerability is fixed. There is no indication of any temporary workaround or alternative mitigation. Patch status is confirmed fixed in these versions.
CVE-2026-40172: CWE-269: Improper Privilege Management in goauthentik authentik
Description
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege escalation. This bypasses the stricter permission model enforced in group-management paths and enables delegated user-management permissions to escalate target users to administrator-equivalent privilege. Users with permissions to update groups or permissions to update users are able to add themselves or other users they have permissions on to users which have superuser permissions. This issue has been fixed in versions 22025.12.5 and 2026.2.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability (CVE-2026-40172) in authentik allows users who have permission to change a user to escalate privileges by assigning superuser groups via the UserSerializer in the PATCH /api/v3/core/users/{pk}/ API endpoint. This occurs because the API does not enforce the enable_group_superuser requirement, which is otherwise enforced in group-management paths. Consequently, delegated user-management permissions can be abused to grant administrator-level privileges. The flaw affects authentik versions before 2025.12.5 and versions from 2026.2.0-rc1 through 2026.2.2. The issue is resolved in versions 2025.12.5 and 2026.2.3.
Potential Impact
An attacker with change_user permission on a target user can escalate privileges by assigning superuser groups to that user, effectively gaining administrator-equivalent access. This compromises the integrity and security of the authentik identity provider environment. The vulnerability has a CVSS 3.1 score of 8.1 (high severity), indicating high impact on integrity and availability without requiring user interaction and with low attack complexity.
Mitigation Recommendations
Upgrade authentik to version 2025.12.5 or later, or to version 2026.2.3 or later, where this vulnerability is fixed. There is no indication of any temporary workaround or alternative mitigation. Patch status is confirmed fixed in these versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T19:31:56.015Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a10ab42e1370fbb483c56ea
Added to database: 5/22/2026, 7:15:14 PM
Last enriched: 5/22/2026, 7:29:51 PM
Last updated: 5/23/2026, 8:12:57 AM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.