PT-2026-42827 · Authentik · Authentik

Published

2026-05-22

·

Updated

2026-06-01

·

CVE-2026-40172

CVSS v3.1

8.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions authentik versions prior to 2025.12.5 authentik versions 2026.2.0-rc1 through 2026.2.2
Description The 'PATCH /api/v3/core/users/{pk}/' API allows a caller with change user permissions on a target user to assign arbitrary groups via UserSerializer. This includes groups where is superuser is set to True, without requiring the enable group superuser permission. This flaw bypasses the stricter permission model used in group-management paths, allowing delegated user-management permissions to escalate target users to administrator-equivalent privileges. Consequently, users authorized to update groups or users can elevate their own privileges or those of others to superuser status. Real-world incidents of elevated activities targeting the software have been observed.
Recommendations Update versions prior to 2025.12.5 to 2025.12.5. Update versions 2026.2.0-rc1 through 2026.2.2 to 2026.2.3.

Exploit

Fix

LPE

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BIT-AUTHENTIK-2026-40172
CVE-2026-40172
GHSA-H6X7-HJJC-WJC9

Affected Products

Authentik