PT-2026-7892 · Authentik · Authentik

Rahulgovind · Published 2026-02-12 · Updated 2026-04-16 · CVE-2026-25227

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: authentik 2021.3.1 through the releases preceding 2025.8.6, and the 2025.10 and 2025.12 release branches before 2025.10.4 and 2025.12.4 respectively (those three releases carry the fix).
Description: authentik is an open-source identity provider. When delegated (object-level) permissions are in use, a user who holds only the read permission 'Can view * Property Mapping' or 'Can view Expression Policy' can execute arbitrary code inside the authentik server container through the test endpoint. That endpoint exists to preview how a property mapping or policy behaves against sample input, and it evaluates the submitted expression as code; because the endpoint checks only the view permission, a read-only grant is enough to run attacker-controlled code with the privileges of the server process. The root cause is improper access control on the test endpoint (evaluating an expression is a write-level action that was gated like a read). Note that the CVSS vector's PR:H reflects the need for an account holding one of these permissions; such view grants are commonly given to helpdesk or audit roles, so the practical bar can be lower than "administrator".
Recommendations: update to the patched release for the deployed branch, that is 2025.8.6, 2025.10.4 or 2025.12.4. Until the update is applied, review which users and groups hold 'Can view * Property Mapping' or 'Can view Expression Policy' permissions and remove grants that are not strictly required, since any holder of those permissions can reach the test endpoint.

Exploit

Fix

Weakness Enumeration

Code Injection (CWE-94)

Related Identifiers

BIT-AUTHENTIK-2026-25227
CVE-2026-25227
GHSA-QVXX-MFM6-626F

Affected Products

Authentik