CVE-2026-57580 / GHSA-35v6-hv2g-6992
Reported by @XlabAITeam, @vcth4nh, @ericchiang, @LHeiakim
Account Takeover via SAML NameID Comment Truncation
Summary
On a SAML Source that matches users by username or email, an attacker who inserts an XML comment into a validly signed assertion can bind their external identity to an existing account and authenticate as that user.
Patches
authentik 2026.5.5 and 2026.2.6 fix this issue.
Impact
Only inbound SAML Sources configured with the non-default USERNAME_LINK or EMAIL_LINK user-matching mode and signed assertions are affected. Sources using the default unique-identifier matching mode are not affected, and the SAML Provider role (issuing assertions to downstream applications) is not affected.
Exploitation requires an attacker who has an account on the source IdP and can set their own NameID. Injecting a comment into the NameID truncates the value used to match accounts to the text before the comment, while the signed assertion stays valid, so a NameID crafted to truncate to a victim's username or email matches that existing account.
This grants full takeover of any account the attacker can target, without the victim's password or the IdP's private key. The link persists, so later logins succeed without the comment.
Workarounds
Add a SAML Source property mapping that rejects any assertion whose NameID or attribute values contain an XML comment. This blocks the attack without changing how identities are linked.
Alternatively, switch affected SAML Sources to the default unique-identifier user-matching mode, which uses the full NameID and is not exploitable. This changes how external identities are matched to local accounts.
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]