CVE-2026-25922
Reported by @odgrso
Signature Verification bypass in SAML Source Assertion
Summary
When a SAML Source has the option Verify Assertion Signature (under Verification Certificate) enabled but Verify Response Signature disabled, and no Encryption Certificate is configured under Advanced protocol settings, an attacker could insert an additional, unsigned Assertion element into the SAML response ahead of the legitimately signed one. authentik verified the signature on the signed assertion but then consumed the injected assertion that preceded it.
Patches
authentik 2025.8.6, 2025.10.4 and 2025.12.4 fix this issue. For other versions, the workaround below can be used.
Impact
Depending on the configuration of the source, it is possible to authenticate as any existing user.
Workarounds
Configure the SAML Source to enable Verify Response Signature, or configure an Encryption Certificate, if possible.
If this isn't possible, add this property mapping expression on the SAML source to detect duplicate assertions:
# root is the parsed SAML response element made available to the expression
assertions = root.findall("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion")
if len(assertions) > 1:
    # A response carrying more than one top-level Assertion is rejected outright
    raise ValueError("Multiple assertions found")
return {}
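The following is an added illustration of the issue described in the Summary and of the check in the workaround above; it is not authentik's code. It builds a constructed SAML response in which an unsigned assertion is placed ahead of the signed one, shows a consumer that picks the first assertion after finding a signature elsewhere in the response (the pattern the advisory describes), and a hardened consumer that rejects duplicate assertions and only accepts an assertion whose own enveloped Signature references its ID. The ds:Signature element is a structural stand-in and nothing is cryptographically verified; the sample XML, IDs and NameIDs are all constructed.

```python
"""Added illustration of the duplicate-assertion issue (not authentik's code).

All XML below is constructed sample data, and the ds:Signature element is a
structural stand-in: nothing here is cryptographically verified. The point
shown is purely which Assertion a consumer ends up trusting.
"""
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

ASSERTION = f"{{{NS_SAML}}}Assertion"
NAME_ID = f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID"
SIGNATURE = f"{{{NS_DS}}}Signature"
REFERENCE = f"{{{NS_DS}}}Signature/{{{NS_DS}}}SignedInfo/{{{NS_DS}}}Reference"


def _signed_assertion(subject, assertion_id):
    # Constructed: an assertion with an enveloped Signature referencing its own ID.
    return f"""
  <saml:Assertion ID="{assertion_id}" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#{assertion_id}"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  </saml:Assertion>"""


def _unsigned_assertion(subject, assertion_id):
    # Constructed: attacker-supplied assertion with no Signature at all.
    return f"""
  <saml:Assertion ID="{assertion_id}" Version="2.0">
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  </saml:Assertion>"""


def _response(*assertions):
    return (f'<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
            f'xmlns:ds="{NS_DS}" ID="_r1" Version="2.0">'
            + "".join(assertions) + "\n</samlp:Response>")


# Legitimate response: a single assertion signed by the IdP.
LEGIT_RESPONSE = _response(_signed_assertion("alice", "_a1"))

# Attack: an unsigned assertion is injected *before* the untouched signed one.
INJECTED_RESPONSE = _response(
    _unsigned_assertion("admin", "_evil"),
    _signed_assertion("alice", "_a1"),
)


def vulnerable_subject(xml_text):
    """The pattern the advisory describes: a signature is located (and, in a
    real consumer, verified) on *some* assertion, but the identity is then
    read from the first Assertion in the response."""
    root = ET.fromstring(xml_text)
    if not any(a.find(SIGNATURE) is not None for a in root.findall(ASSERTION)):
        raise ValueError("no signed assertion in response")
    return root.findall(ASSERTION)[0].findtext(NAME_ID)


def hardened_subject(xml_text):
    """Reject responses with more than one Assertion (the workaround's check),
    then only consume an Assertion whose own enveloped Signature references it,
    so the element that was verified is the element that is used."""
    root = ET.fromstring(xml_text)
    found = root.findall(ASSERTION)
    if len(found) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(found)}")
    assertion = found[0]
    ref = assertion.find(REFERENCE)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("Assertion is not the element covered by its Signature")
    return assertion.findtext(NAME_ID)


def rejected(checker, xml_text):
    """True if checker raises ValueError on xml_text."""
    try:
        checker(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, injected:", vulnerable_subject(INJECTED_RESPONSE))  # admin
    print("hardened, injected rejected:", rejected(hardened_subject, INJECTED_RESPONSE))  # True
    print("hardened, legit:", hardened_subject(LEGIT_RESPONSE))  # alice
```

The two checks in hardened_subject are complementary: the count check is the cheap, configuration-level defence the workaround applies, while binding the consumed Assertion to the Reference URI of its own Signature is the general defence against signature wrapping and does not depend on how many assertions a response carries.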
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected].