authentik's XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user
Vulnerability description
### Summary

authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user.

### Patches

authentik 2026.5.1, 2026.2.4 and 2025.12.6 fix this issue.

### Impact

Affected: authentik deployments using a SAML Source for upstream SAML federation with signed assertions, or signed responses without signed assertions.

Not affected: deployments that do not use SAML Source for upstream SAML federation.

The SAML Source trusts that the verified XML signature belongs to the assertion or response that authentik later consumes. A crafted SAML response can make signature verification succeed against the attacker's original signed assertion while authentik reads identity data from a different forged assertion.

An attacker first completes a legitimate login to the upstream IdP and captures the signed SAML response sent through their browser. They then submit a modified response to the ACS endpoint where the valid signature still verifies, but the consumed assertion contains a victim identifier or attacker-chosen attributes. The attacker can authenticate as a victim who has previously used the SAML Source, or as a local user matched by forged email or username when those matching modes are enabled.

### Workarounds

Disable affected SAML Sources, or block access to their ACS endpoints.
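The root cause above is a missing binding between the element whose signature was verified and the element identity data is read from. The check below is an added illustration of that binding, written for this page and not taken from authentik or its fix; it assumes the cryptographic signature verification itself happens separately (it only resolves which element was signed and whether that is the element being consumed), uses only the Python standard library, and runs against constructed sample responses.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signed_element(root):
    # Resolve the element the (separately verified) signature covers; reject ambiguous layouts.
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise ValueError("expected exactly one ds:Signature")
    ref = sigs[0].find(".//ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    targets = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(targets) != 1:
        raise ValueError("signed ID must be unique")
    parent = {child: p for p in root.iter() for child in p}
    if parent.get(sigs[0]) is not targets[0]:  # enveloped signature must sit inside its target
        raise ValueError("Signature is not a direct child of the element it references")
    return targets[0]

def consumed_name_id(xml_text):
    # Read identity only from the single top-level Assertion, and only when the signed
    # element is that very object (or the Response that envelops it).
    root = ET.fromstring(xml_text)
    top = root.findall("saml:Assertion", NS)
    if len(top) != 1 or len(root.findall(".//saml:Assertion", NS)) != 1:
        raise ValueError("expected exactly one Assertion, directly under Response")
    signed = signed_element(root)
    if signed is not top[0] and signed is not root:
        raise ValueError("signature does not cover the consumed assertion")
    return top[0].find("saml:Subject/saml:NameID", NS).text

def accepts(xml_text):  # NameID when the binding check passes, None when rejected
    try:
        return consumed_name_id(xml_text)
    except ValueError:
        return None

# Constructed samples (not real IdP output). GOOD has one signed assertion. WRAPPED keeps that
# signed assertion under Extensions (so verification still passes) while an unsigned assertion
# naming another user sits where a naive consumer would read it.
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="r1" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">')
SIGNED = ('<saml:Assertion ID="a1"><ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/>'
          '</ds:SignedInfo></ds:Signature><saml:Subject><saml:NameID>alice@example.test'
          '</saml:NameID></saml:Subject></saml:Assertion>')
GOOD = HEAD + SIGNED + "</samlp:Response>"
WRAPPED = (HEAD + '<saml:Assertion ID="a2"><saml:Subject><saml:NameID>victim@example.test'
           '</saml:NameID></saml:Subject></saml:Assertion><samlp:Extensions>'
           + SIGNED + "</samlp:Extensions></samlp:Response>")
```

In a real consumer the cryptographic verification and this structural binding must run on the same parsed tree, since re-parsing or canonicalising between the two steps reopens the gap.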
### For more information

If there are any questions or comments about this advisory:

- Send an email to [security@goauthentik.io](mailto:security@goauthentik.io)

Source Code Location: https://github.com/goauthentik/authentik

Affected Packages:

- go:goauthentik.io, affected < 0.0.0-20260528144335-a370d76d23c7, patched in 0.0.0-20260528144335-a370d76d23c7

CWEs:

- CWE-287: Improper Authentication

CVSS:

- Primary: score 8.5, CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
- CVSS_V3: score 8.5, CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

References:

- https://github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3
- https://github.com/goauthentik/authentik/commit/a370d76d23c7de0fceed064ca322e33e6ebf0119
- https://github.com/advisories/GHSA-c3m2-jqmq-pvp3