CVE-2026-47201: authentik's XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user
authentik’s SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user.
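The defensive point behind this class of bug is that a consumer must take the subject from the exact element the XML signature's Reference covers, not from whichever Assertion it finds first. The following is an added illustration, not authentik's code and not the patch for this CVE: it assumes the cryptographic verification of the ds:Signature has already been done by a proper XML-DSig library and shows only the structural binding step, with constructed SAML documents (placeholder digest and signature values) as input.

```python
"""Illustrative structural check against XML Signature Wrapping in a SAML
Response (added example, not authentik's code).  Assumes an XML-DSig
library has already verified the signature's bytes; this code only binds
the consumed assertion to the element that signature actually references."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = f"{{{NS['saml']}}}Assertion"


class SignatureWrappingError(Exception):
    """Raised when the signed element and the consumed element differ."""


def _indexed_by_id(root):
    """Map ID attribute -> element; duplicate IDs are rejected outright."""
    ids = {}
    for el in root.iter():
        el_id = el.get("ID")
        if el_id is None:
            continue
        if el_id in ids:
            raise SignatureWrappingError(f"duplicate ID attribute {el_id!r}")
        ids[el_id] = el
    return ids


def _parent_map(root):
    return {child: parent for parent in root.iter() for child in parent}


def signed_assertion(root):
    """Return the single saml:Assertion the enveloped signature covers."""
    signatures = root.findall(".//ds:Signature", NS)
    if len(signatures) != 1:
        raise SignatureWrappingError(f"expected one ds:Signature, found {len(signatures)}")
    sig = signatures[0]
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise SignatureWrappingError("expected exactly one ds:Reference")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        raise SignatureWrappingError(f"unsupported Reference URI {uri!r}")
    target = _indexed_by_id(root).get(uri[1:])
    if target is None:
        raise SignatureWrappingError(f"Reference URI {uri!r} resolves to nothing")
    if target.tag != ASSERTION_TAG:
        raise SignatureWrappingError("signature does not cover a saml:Assertion")
    # Enveloped signature: the ds:Signature must sit inside the element it signs.
    if _parent_map(root).get(sig) is not target:
        raise SignatureWrappingError("signature is not enveloped in the assertion it references")
    # Belt and braces: any other Assertion in the document is unsigned by definition.
    if any(el is not target for el in root.iter(ASSERTION_TAG)):
        raise SignatureWrappingError("response carries assertions the signature does not cover")
    return target


def name_id(assertion):
    el = assertion.find("saml:Subject/saml:NameID", NS)
    if el is None or not (el.text or "").strip():
        raise SignatureWrappingError("assertion has no NameID")
    return el.text.strip()


def naive_name_id(xml_text):
    """Wrapping-prone pattern: 'a signature verified', then first Assertion in document order."""
    root = ET.fromstring(xml_text)
    return name_id(root.find(".//saml:Assertion", NS))


def safe_name_id(xml_text):
    """Take the subject only from the element the signature references."""
    return name_id(signed_assertion(ET.fromstring(xml_text)))


def is_accepted(xml_text):
    try:
        safe_name_id(xml_text)
        return True
    except SignatureWrappingError:
        return False


# --- constructed sample documents (placeholders, not real signatures) ---
def _assertion(assertion_id, subject, signed):
    sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{assertion_id}">'
           '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>') if signed else ""
    return (f'<saml:Assertion ID="{assertion_id}">{sig}'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject></saml:Assertion>')


def _response(*assertions):
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_resp">' + "".join(assertions) + "</samlp:Response>")


LEGITIMATE_RESPONSE = _response(_assertion("_a1", "alice@example.org", signed=True))
WRAPPED_RESPONSE = _response(
    _assertion("_a0", "bob@example.org", signed=False),   # unsigned assertion placed first
    _assertion("_a1", "alice@example.org", signed=True),  # the assertion the signature covers
)

if __name__ == "__main__":
    for label, doc in (("legitimate", LEGITIMATE_RESPONSE), ("wrapped", WRAPPED_RESPONSE)):
        print(label, "naive ->", naive_name_id(doc), "| safe ->", is_accepted(doc))
```

The naive consumer returns `bob@example.org` for the wrapped document even though only the `alice@example.org` assertion is covered by the signature; the binding check refuses the document instead. The same binding rule applies to whichever element a deployment signs (Response or Assertion): resolve the Reference URI, confirm the referenced element is the one you consume, and reject duplicate IDs and surplus assertions rather than searching the tree by tag name.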