CVE-2026-42849— authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover
Possible ATT&CK Techniques 1AI
T1059.007 · JavaScriptGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42849
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover
Source: NVD (National Vulnerability Database)
Vulnerability Description
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| goauthentik | authentik | < 2025.12.5 | - |
II. Public POCs for CVE-2026-42849
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7419 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-42849
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-42849 (1)
- 🔗 Reflected XSS in SFE · Advisory · goauthentik/authentik · GitHub Read full article x_refsource_CONFIRM
Same Patch Batch · goauthentik · 2026-06-02 · 6 CVEs total
| CVE-2026-49448 | 9.8 CRITICAL | authentik: SourceStage bypass via empty POST |
| CVE-2026-49443 | 8.8 HIGH | authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable th |
| CVE-2026-47201 | 8.5 HIGH | authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary fe |
| CVE-2026-41577 | authentik: SAML source does not validate Conditions, timing, or audience on assertions | |
| CVE-2026-41569 | authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to att |
IV. Related Vulnerabilities
Same product: authentik
- CVE-2026-49448
authentik: SourceStage bypass via empty POST - CVE-2026-49443
authentik: `UserSourceConnection.user` and `GroupSourceConne - CVE-2026-47201
authentik: XML Signature Wrapping in SAML Source ACS allows - CVE-2026-41569
authentik: WS-Federation wreply origin bypass can exfiltrate - CVE-2026-41577
authentik: SAML source does not validate Conditions, timing,
Same vendor: goauthentik
- CVE-2026-49448
authentik: SourceStage bypass via empty POST - CVE-2026-49443
authentik: `UserSourceConnection.user` and `GroupSourceConne - CVE-2026-47201
authentik: XML Signature Wrapping in SAML Source ACS allows - CVE-2026-41569
authentik: WS-Federation wreply origin bypass can exfiltrate - CVE-2026-41577
authentik: SAML source does not validate Conditions, timing,
Same weakness: CWE-79
- CVE-2026-35212
OpenCTI has XSS in the rendering of email-message observable - CVE-2026-5385
GLPI 11.0.0 - Stored XSS in knowledge base - CVE-2026-33245
React Router vulnerable to XSS in unstable RSC redirect hand - CVE-2026-33244
React Router has stored XSS via unescaped Location header in - CVE-2026-28116
WordPress Progress Planner plugin <= 1.9.0 - Cross Site Scri
V. Comments for CVE-2026-42849
No comments yet