CVE-2026-40165
Reported by @kodareef5, @Android-Login-Analysis, and @AyushParkara
SAML Source Fails to Validate Assertion Conditions
Summary
Due to how authentik used to extract the NameID value from a SAML assertion, an attacker could trick authentik into seeing only part of the NameID value, potentially allowing the attacker to gain access to other users' accounts.
Patches
authentik 2025.12.5 and 2026.2.3 fix this issue. For other versions, the workaround below can be used.
Impact
This issue can be exploited on an authentik instance with a SAML Source, where the attacker has an account on the SAML Source and the ability to modify their NameID value (commonly a username or e-mail address), and XML signing is enabled. The attacker can modify the SAML assertion given to authentik by injecting an XML comment within the NameID value, which effectively truncates the NameID value to the part before the comment, and can give the attacker access to any user account.
Workarounds
Create a SAML Source property mapping with the following expression and add it to all SAML Sources:
# name_id.text stops at the first child node (e.g. an injected comment),
# while itertext() joins every text fragment of the element.
if name_id.text != "".join(name_id.itertext()):
    raise ValueError("Mismatched NameID")
return {}
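The following standalone Python is an added illustration, not part of this advisory or of authentik's code. It reproduces the truncation described above on a constructed assertion and applies the same consistency check as the workaround expression; it assumes the standard library's comment-preserving ElementTree parser behaves like the tree authentik's expression runs against.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertions (stripped down to Subject/NameID only).
CLEAN = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Same assertion with an empty XML comment injected into the NameID value.
TAMPERED = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice<!---->.smith@example.test</saml:NameID></saml:Subject>
</saml:Assertion>"""


def parse_with_comments(xml_bytes: bytes) -> ET.Element:
    """Parse XML while keeping comment nodes in the tree.

    The default ElementTree parser drops comments, which would hide the
    problem; a comment-preserving tree splits the NameID text around the
    comment, as the advisory describes (assumption: this matches the tree
    the workaround's name_id object is built from).
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_bytes, parser=parser)


def find_name_id(root: ET.Element) -> ET.Element:
    elem = root.find(f".//{{{SAML_ASSERTION_NS}}}NameID")
    if elem is None:
        raise ValueError("No NameID in assertion")
    return elem


def naive_name_id(root: ET.Element) -> str:
    """The vulnerable extraction: .text ends at the first child node."""
    return find_name_id(root).text or ""


def name_id_is_consistent(root: ET.Element) -> bool:
    """True when .text covers the whole NameID value (no child nodes)."""
    name_id = find_name_id(root)
    return (name_id.text or "") == "".join(name_id.itertext())


def checked_name_id(root: ET.Element) -> str:
    """Extraction guarded by the advisory's check; rejects split values."""
    if not name_id_is_consistent(root):
        raise ValueError("Mismatched NameID")
    return "".join(find_name_id(root).itertext())
```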
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected].