CVE-2026-25227
Reported by @rahulgovind
Authenticated Remote Code Execution via Policy/Property Mapping test endpoint
Summary
When delegated permissions are in use, a user who holds the Can view * Property Mapping or Can view Expression Policy permission can execute arbitrary code inside the authentik server container through the test endpoint, which is intended only to preview how a property mapping or policy evaluates.
Patches
authentik 2025.8.6, 2025.10.4 and 2025.12.4 fix this issue; for other versions, apply the workaround below.
Impact
Code executed through this endpoint runs with the server's access to the entire authentik database and to its environment variables, so a user holding only the view permissions named above can escalate their own permissions and fully take over the instance.
Workarounds
If an upgrade is not possible, it is strongly recommended to un-assign the Can view * Property Mapping and Can view Expression Policy permissions from any user who should not have administrative privileges, and to treat these view permissions as equivalent to the corresponding edit permissions when delegating access.
It is also possible to block requests to the test endpoints, for example at a reverse proxy in front of authentik. The affected URLs are:
(:uuid is a placeholder for any UUID.)
POST /api/v3/propertymappings/all/:uuid/test/
POST /api/v3/policies/all/:uuid/test/
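Matching these two paths reliably (any UUID, with or without a trailing slash, ignoring query strings, POST only) is the core of both a reverse-proxy deny rule and a retrospective log search. The following is an added example and is not part of the advisory or of authentik's code: the endpoint paths come from the advisory, while the combined-log-format parser and the sample log lines are constructed assumptions.

```python
import re

# Added example: classify requests that hit the property-mapping / policy
# test endpoints named in the advisory. Not authentik's own code.

# Any UUID (the advisory's ":uuid" placeholder): hex groups of 8-4-4-4-12.
_UUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"

# The two affected paths. A missing trailing slash is accepted as well so a
# variant that would be redirect-normalised by the server is not missed.
TEST_ENDPOINT_RE = re.compile(
    rf"^/api/v3/(?:propertymappings|policies)/all/{_UUID}/test/?$"
)


def is_test_endpoint_request(method: str, path: str) -> bool:
    """True if (method, path) targets a property-mapping or policy test endpoint."""
    path = path.split("?", 1)[0]  # the query string plays no part in routing
    return method.upper() == "POST" and TEST_ENDPOINT_RE.match(path) is not None


# Assumed combined log format: client ident user [time] "METHOD path proto" status size
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_test_endpoint_hits(log_text: str) -> list[dict]:
    """Return one record per log line that is a POST to a test endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        if is_test_endpoint_request(m["method"], m["path"]):
            hits.append({k: m[k] for k in ("client", "user", "time", "path", "status")})
    return hits


# Constructed sample log lines (not real traffic). Only lines 2 and 3 should be
# flagged: line 1 and 4 are GETs on the same prefix (ordinary view operations),
# and line 5 has no UUID in the path, so it cannot reach the test view at all.
SAMPLE_LOG = """\
10.0.0.5 - alice [07/Jan/2026:10:00:01 +0000] "GET /api/v3/propertymappings/all/ HTTP/1.1" 200 1234
10.0.0.5 - alice [07/Jan/2026:10:00:07 +0000] "POST /api/v3/propertymappings/all/3f6b1d2e-9c4a-4f1b-8e0d-1a2b3c4d5e6f/test/ HTTP/1.1" 200 512
10.0.0.9 - bob [07/Jan/2026:10:01:13 +0000] "POST /api/v3/policies/all/9a8b7c6d-5e4f-4a3b-9c2d-1e0f1a2b3c4d/test/?format=json HTTP/1.1" 200 640
10.0.0.9 - bob [07/Jan/2026:10:01:20 +0000] "GET /api/v3/policies/all/9a8b7c6d-5e4f-4a3b-9c2d-1e0f1a2b3c4d/ HTTP/1.1" 200 900
10.0.0.9 - bob [07/Jan/2026:10:01:25 +0000] "POST /api/v3/policies/all/not-a-uuid/test/ HTTP/1.1" 404 80
"""

if __name__ == "__main__":
    for hit in flag_test_endpoint_hits(SAMPLE_LOG):
        print(hit)
```

The match is restricted to POST on purpose: GET requests under the same `/api/v3/propertymappings/all/` and `/api/v3/policies/all/` prefixes are the normal view operations that the affected permissions are supposed to allow, and denying them would break legitimate delegated use. The same regular expression can be used as the path pattern of a reverse-proxy deny rule for POST; when a proxy is used for blocking, check that requests cannot reach authentik on a second listener that bypasses the proxy.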
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected].