Authentik · CVE-2026-41577
**Name of the Vulnerable Software and Affected Versions**
- authentik versions prior to 2025.12.5 (2025.12 release series)
- authentik versions prior to 2026.2.3 (2026.2 release series)
**Description**
The SAML source response processor `ResponseProcessor.parse()`, which handles assertions that authentik receives as a service provider from an external identity provider configured as a SAML source, does not validate the `Conditions` element of the assertion. In particular, `NotBefore`, `NotOnOrAfter` and `AudienceRestriction` are ignored. As a result, an assertion that has already expired (or is not yet valid) can be replayed to log in, and an assertion the identity provider issued for a different service provider (a different audience) is accepted by authentik. Signature verification does not mitigate this: the replayed or misdirected assertion is one the identity provider genuinely signed, and the ignored checks are exactly the ones that bound a valid signature to a time window and an intended recipient.
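The checks described above, written out as an added example that is not authentik's code: a service provider evaluating the `Conditions` element of an assertion before trusting it. The sample assertions, the audience value `EXPECTED_AUDIENCE`, the timestamps and the `check_at()` helper are all constructed for illustration; signature verification is assumed to happen elsewhere, and production code should parse untrusted XML with `defusedxml` rather than the stdlib parser used here.

```python
# Added example, not authentik's code: the Conditions checks a SAML service
# provider must run on an assertion from an external IdP. The sample
# assertions, the audience value and the timestamps are constructed for
# illustration; signature verification is assumed to happen elsewhere.
from datetime import datetime, timedelta
from typing import List, Tuple
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml (assumed available)

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP entity ID of the authentik SAML source (an assumption, not a real deployment).
EXPECTED_AUDIENCE = "https://authentik.example.com/source/saml/corp/"

# Constructed sample assertion: a five-minute validity window and one allowed audience.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2026-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2026-03-01T12:00:00Z" NotOnOrAfter="2026-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://authentik.example.com/source/saml/corp/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed assertion with no Conditions at all (SAML permits it; an SP should not).
NO_CONDITIONS_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_deadbeef" Version="2.0" IssueInstant="2026-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
</saml:Assertion>"""


class ConditionsError(Exception):
    """The assertion's Conditions are missing or not satisfied: do not create a session from it."""


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime as used in SAML (UTC, trailing 'Z') into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat() only accepts 'Z' from Python 3.11
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ConditionsError(f"timestamp without timezone: {value!r}")
    return parsed


def validate_conditions(assertion_xml: str, expected_audience: str, now: datetime,
                        allowed_skew: timedelta = timedelta(seconds=60)) -> None:
    """Raise ConditionsError unless the validity window and audience are satisfied at `now`."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        # Policy choice: an SP consuming assertions from a third party should require Conditions.
        raise ConditionsError("assertion has no Conditions element")

    # Validity window (SAML Core 2.5.1.2): valid when NotBefore <= now < NotOnOrAfter,
    # with a small tolerance for clock skew between IdP and SP.
    not_before = conditions.get("NotBefore")
    if not_before is not None and now + allowed_skew < parse_saml_time(not_before):
        raise ConditionsError("assertion not yet valid (NotBefore)")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is not None and now - allowed_skew >= parse_saml_time(not_on_or_after):
        raise ConditionsError("assertion expired (NotOnOrAfter)")

    # Audience (SAML Core 2.5.1.4): every AudienceRestriction must be satisfied, and each one
    # is satisfied if any of its Audience values is our own entity ID. Matching is exact:
    # a normalised or prefix comparison would let another SP's assertion through.
    restrictions = conditions.findall("saml:AudienceRestriction", SAML_NS)
    if not restrictions:
        raise ConditionsError("assertion has no AudienceRestriction")
    for restriction in restrictions:
        audiences: List[str] = [a.text.strip() for a in restriction.findall("saml:Audience", SAML_NS) if a.text]
        if expected_audience not in audiences:
            raise ConditionsError(f"audience mismatch: {audiences}")


def check_at(assertion_xml: str, expected_audience: str, now_iso: str,
             skew_seconds: int = 60) -> Tuple[bool, str]:
    """Evaluate an assertion at a fixed instant; returns (accepted, reason)."""
    try:
        validate_conditions(assertion_xml, expected_audience, parse_saml_time(now_iso),
                            timedelta(seconds=skew_seconds))
    except ConditionsError as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    print(check_at(SAMPLE_ASSERTION, EXPECTED_AUDIENCE, "2026-03-01T12:02:00Z"))  # (True, 'ok')
    print(check_at(SAMPLE_ASSERTION, EXPECTED_AUDIENCE, "2026-03-01T12:10:00Z"))  # replayed after expiry
    print(check_at(SAMPLE_ASSERTION, "https://other-sp.example.com/", "2026-03-01T12:02:00Z"))  # wrong audience
```

The skew tolerance is deliberately small and applied symmetrically; widening it re-opens the replay window, so it should cover clock drift, not latency in the user's browser. Requiring `Conditions` and `AudienceRestriction` to be present is a policy choice for a service provider, since the SAML schema makes both optional.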
**Recommendations**
- Deployments on the 2025.12 series: update to version 2025.12.5.
- Deployments on the 2026.2 series: update to version 2026.2.3.