PT-2026-42827 · Authentik · Authentik
Published
2026-05-22
·
Updated
2026-06-01
·
CVE-2026-40172
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
authentik versions prior to 2025.12.5
authentik versions 2026.2.0-rc1 through 2026.2.2
Description
The 'PATCH /api/v3/core/users/{pk}/' API allows a caller with
change user permissions on a target user to assign arbitrary groups via UserSerializer. This includes groups where is superuser is set to True, without requiring the enable group superuser permission. This flaw bypasses the stricter permission model used in group-management paths, allowing delegated user-management permissions to escalate target users to administrator-equivalent privileges. Consequently, users authorized to update groups or users can elevate their own privileges or those of others to superuser status. Real-world incidents of elevated activities targeting the software have been observed.Recommendations
Update versions prior to 2025.12.5 to 2025.12.5.
Update versions 2026.2.0-rc1 through 2026.2.2 to 2026.2.3.
Exploit
Fix
LPE
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Authentik