Skip to main content

CVE-2026-55106 / GHSA-h8ff-c3h7-2gf8

Reported by @geo-chen

LDAP Source debug endpoint accessible without authorization

Summary

A diagnostic action on LDAP Sources did not enforce the read-authorization check applied across the rest of the API, allowing any client, including unauthenticated ones, to retrieve directory information from a configured LDAP Source.

Patches

authentik 2026.5.5 and 2026.2.6 fix this issue.

Impact

Affected: deployments with one or more LDAP Sources configured. Not affected: deployments without a configured LDAP Source.

A diagnostic action on the LDAP Source API omitted the object-level permission filter that the API relies on to authorize read access, so the check that should restrict it to callers holding view permission on the source was never applied.

As a result, any party able to reach the API, including unauthenticated clients, could invoke the action against a configured source. This causes the server to connect to the upstream directory using the source's configured bind credentials and return a bounded set of directory entries. The exposed data is limited to the distinguished names of those entries and the names of the attributes present on them, revealing directory structure, naming conventions, and the existence of specific accounts and groups, but not the values of those attributes.

Workarounds

Restrict external access to the LDAP Source debug API endpoint at the reverse proxy or ingress until upgrading to a fixed version.

For more information

If you have any questions or comments about this advisory: