Authentik · Authentik · CVE-2026-41569
**Name of the Vulnerable Software and Affected Versions**
authentik versions prior to 2026.2.3
**Description**
The WS-Federation provider in this open-source identity provider validates the user-supplied `wreply` parameter (the URL to which the browser will POST the signed WS-Federation response) using a raw string prefix check instead of parsing the URL and comparing its origin with the configured reply URL. A prefix check accepts any string that merely begins with the configured value, so an attacker can craft a login link whose `wreply` points at a different origin and still passes the check. When the victim follows the link and authenticates, their browser POSTs the signed WS-Federation login response, intended for the legitimate relying party, to infrastructure controlled by the attacker.
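The following Python is an added illustration of the class of flaw described above, not authentik's own code: a `startswith`-style reply-URL check next to a hardened version that parses both URLs and compares scheme, host, effective port and path boundary. The configured reply URL `https://sp.example.com` and all `wreply` values are constructed for the example; the exact `wreply` shapes that bypassed authentik's check are not stated on this page.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: the relying party's configured reply URL. Written
# without a trailing slash, which is one configuration under which a raw
# prefix check is trivially bypassable (assumption for this example only).
ALLOWED_REPLY = "https://sp.example.com"


def wreply_allowed_prefix(wreply: str, allowed: str = ALLOWED_REPLY) -> bool:
    """Raw string prefix check of the kind the advisory describes (vulnerable).

    Any string that begins with the configured URL passes, including URLs
    whose host merely starts with the configured host, URLs with userinfo
    (`user@host`), and URLs with an explicit non-default port.
    """
    return wreply.startswith(allowed)


def _effective_port(parts) -> Optional[int]:
    """Return the port a browser would connect to, or None if unparseable."""
    try:
        port = parts.port  # raises ValueError for non-numeric/out-of-range ports
    except ValueError:
        return None
    if port is not None:
        return port
    return {"https": 443, "http": 80}.get(parts.scheme)


def wreply_allowed_origin(wreply: str, allowed: str = ALLOWED_REPLY) -> bool:
    """Hardened check: parse both URLs and compare origin plus path prefix.

    Scheme, lower-cased hostname and effective port must match exactly
    (that is the browser's notion of origin), and the reply path must be
    the configured path or sit below it on a path-segment boundary.
    """
    try:
        want = urlsplit(allowed)
        got = urlsplit(wreply)
    except ValueError:
        return False
    if not want.hostname or not got.hostname:
        return False  # no authority component, e.g. javascript: or data: URLs
    if got.scheme not in ("https", "http") or got.scheme != want.scheme:
        return False
    if got.hostname != want.hostname:  # .hostname is already lower-cased
        return False
    port = _effective_port(got)
    if port is None or port != _effective_port(want):
        return False
    base = want.path.rstrip("/")
    return got.path == base or got.path.startswith(base + "/")


if __name__ == "__main__":
    # Constructed wreply values showing where the two checks disagree.
    samples = [
        "https://sp.example.com/wsfed/acs",                   # legitimate
        "https://sp.example.com.attacker.example/wsfed/acs",  # host extension
        "https://sp.example.com@attacker.example/",           # userinfo trick
        "https://sp.example.com:8443/wsfed/acs",              # different port
        "https://SP.EXAMPLE.COM/wsfed/acs",                   # case-only difference
    ]
    for url in samples:
        print(f"{url:55} prefix={wreply_allowed_prefix(url)!s:5} "
              f"origin={wreply_allowed_origin(url)}")
```

The first four cases pass the prefix check even though three of them deliver the signed response to a different origin; the origin-based check rejects those and, unlike the prefix check, correctly accepts a host that differs only in letter case. When the configured reply URL carries a path, the hardened check also refuses `https://sp.example.com/wsfedx` for a configured `https://sp.example.com/wsfed`, since `/wsfedx` is not below `/wsfed` on a segment boundary.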
**Recommendations**
Update to authentik 2026.2.3 or later.