CVE-2026-49443 / GHSA-xp7f-xjjx-gwm8

SourceStage bypass via empty POST

Summary

The Source stage can be bypassed by sending an empty POST.

Patches

authentik 2026.5.1, 2026.2.4, and 2025.12.6 fix this issue.
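A check that tells you whether a running authentik version already carries the fix, using only the three fixed releases listed above. This is an added example, not code from the advisory or from the authentik project; the branch rules it encodes (each YYYY.M is a separately patched release branch, anything newer than the newest fixed branch is assumed fixed, anything else is treated as affected) are assumptions, not statements from the advisory.

```python
# Added example: decide whether an authentik version includes the fix for this
# advisory. Not from the advisory or the authentik project.
import re
from typing import Dict, Tuple

# Fixed versions exactly as listed in the advisory's "Patches" section.
FIXED_VERSIONS = ("2026.5.1", "2026.2.4", "2025.12.6")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'YYYY.M.P' (a leading 'v' is tolerated) into (year, minor, patch)."""
    m = re.fullmatch(r"v?(\d{4})\.(\d{1,2})\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised authentik version: {v!r}")
    year, minor, patch = (int(x) for x in m.groups())
    return year, minor, patch


def is_fixed(version: str) -> Tuple[bool, str]:
    """Return (patched, reason) for the given version.

    Branch rules are an assumption about how authentik releases are maintained:
      - same branch as a listed fix: patched iff patch level >= the fix;
      - branch newer than the newest fixed branch: treated as patched;
      - any other branch (older than 2025.12, or not listed): treated as affected.
    """
    year, minor, patch = parse_version(version)
    fixed: Dict[Tuple[int, int], int] = {}
    for fv in FIXED_VERSIONS:
        fy, fm, fp = parse_version(fv)
        fixed[(fy, fm)] = fp
    branch = (year, minor)
    if branch in fixed:
        needed = fixed[branch]
        if patch >= needed:
            return True, f"{version} is at or above {year}.{minor}.{needed}"
        return False, f"upgrade to {year}.{minor}.{needed} or later"
    if branch > max(fixed):
        return True, f"{version} is newer than every branch the advisory lists"
    newest = ".".join(str(x) for x in (*max(fixed), fixed[max(fixed)]))
    return False, f"branch {year}.{minor} has no listed fix; upgrade to {newest}"


if __name__ == "__main__":
    for v in ("2025.12.5", "2025.12.6", "2026.2.3", "2026.5.1", "2025.10.2"):
        print(v, is_fixed(v))
```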

Impact

If a Source stage is bound to a flow, the source exposes a ui_login_button, and an attacker can reach that Source stage, the attacker can bypass the stage, effectively skipping authentication at that source.

Workarounds

None. We recommend not using Source stages until upgrading to a suitable version.

For more information

If you have any questions or comments about this advisory: