Skip to main content

CVE-2026-57580 / GHSA-35v6-hv2g-6992

Reported by @XlabAITeam, @vcth4nh, @ericchiang, @LHeiakim

Account Takeover via SAML NameID Comment Truncation

Summary

On a SAML Source that matches users by username or email, an attacker who inserts an XML comment into a validly signed assertion can bind their external identity to an existing account and authenticate as that user.

Patches

authentik 2026.5.5 and 2026.2.6 fix this issue.

Impact

Only inbound SAML Sources configured with the non-default USERNAME_LINK or EMAIL_LINK user-matching mode and signed assertions are affected. Sources using the default unique-identifier matching mode are not affected, and the SAML Provider role (issuing assertions to downstream applications) is not affected.

Exploitation requires an attacker who has an account on the source IdP and can set their own NameID. Injecting a comment into the NameID truncates the value used to match accounts to the text before the comment, while the signed assertion stays valid, so a NameID crafted to truncate to a victim's username or email matches that existing account.

This grants full takeover of any account the attacker can target, without the victim's password or the IdP's private key. The link persists, so later logins succeed without the comment.

Workarounds

Add a SAML Source property mapping that rejects any assertion whose NameID or attribute values contain an XML comment. This blocks the attack without changing how identities are linked.

Alternatively, switch affected SAML Sources to the default unique-identifier user-matching mode, which uses the full NameID and is not exploitable. This changes how external identities are matched to local accounts.

For more information

If you have any questions or comments about this advisory: