Skip to main content

CVE-2026-54730 / GHSA-3v9h-3hrm-29cx

Reported by @dhairya7760

Google Chrome device trust stages can be bypassed

Summary

The enterprise Google Chrome device-trust stages advance the flow without confirming that the out-of-band device attestation actually ran. An attacker who can reach such a stage can skip the verification iframe and pass the device-trust gate, completing authentication from a device that was never verified.

Patches

authentik 2026.5.5 and 2026.2.6 fix this issue.

Impact

Affected: enterprise deployments that place a Google Chrome device-trust stage in a flow: either an Endpoint stage backed by a Google Chrome connector set to mode = REQUIRED (present in 2026.5 only), or the deprecated Google Chrome Device Trust Connector (GDTC) stage (present in all supported versions). Not affected: deployments that use neither stage, and Endpoint stages left at the default mode = OPTIONAL, which is not intended to block the flow.

The device attestation happens out-of-band, in a verification iframe that calls Google's Verified Access API and records the verified device on success. The vulnerable stages treat the flow as having passed as soon as the stage is submitted, without confirming that this attestation actually completed.

An attacker who can otherwise reach the stage, for example after completing primary username and password authentication, can therefore satisfy it without any device being attested by Google, and authenticate from a device that was never verified. Where device trust is the only additional factor, that protection is fully bypassed; where other factors are present, those remain in force.

Workarounds

None. We recommend not relying on the Google Chrome Endpoint stage or the GDTC stage as a security control until you upgrade.

For more information

If you have any questions or comments about this advisory: