# CVE-2026-25922

_Reported by [@odgrso](https://github.com/odgrso)_

## Signature Verification bypass in SAML Source Assertion

### Summary

When a SAML Source has **Verify Assertion Signature** (under **Verification Certificate**) enabled but not **Verify Response Signature**, or has no **Encryption Certificate** configured under **Advanced Protocol settings**, an attacker could inject a malicious assertion before the signed assertion in the SAML Response, and authentik would use the injected assertion instead of the signed one.

### Patches

authentik 2025.8.6, 2025.10.4 and 2025.12.4 fix this issue; for other versions the workaround below can be used.

### Impact

Depending on the configuration of the source, it is possible to authenticate as any existing user.

### Workarounds

Configure the SAML Source to enable **Verify Response Signature** or to set an **Encryption Certificate**, if possible. If this isn't possible, add this property mapping expression on the SAML Source to detect duplicate assertions:

```python
assertions = root.findall("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion")
if len(assertions) > 1:
    raise ValueError("Multiple assertions found")
return {}
```

### For more information

If you have any questions or comments about this advisory:

- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
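The following is an added, stand-alone illustration of the duplicate-assertion check in the workaround above; it is not authentik code. It assumes, as the workaround expression does, that `root` is the parsed `samlp:Response` element, and it uses the standard library's `xml.etree.ElementTree`. Both SAML Responses are constructed for the demonstration: a benign one with a single signed assertion, and one carrying the attack shape the advisory describes, an unsigned assertion placed before the genuine signed one. The `ds:Signature` element is a structural placeholder only; nothing here verifies a signature, that remains the job of the signature-verification layer. The stricter variant at the end goes beyond the workaround by counting `Assertion` elements anywhere in the document rather than only direct children of the Response, and by refusing an assertion that has no `Signature` child at all.

```python
"""Detecting an injected SAML assertion (added example, not authentik code)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION = f"{{{SAML}}}Assertion"
SIGNATURE = f"{{{DS}}}Signature"
NAME_ID = f"{{{SAML}}}Subject/{{{SAML}}}NameID"


def _response(*assertions: str) -> str:
    """Wrap assertion fragments in a minimal constructed samlp:Response."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'xmlns:ds="{DS}" ID="_resp1" Version="2.0">'
            + "".join(assertions) + "</samlp:Response>")


def _assertion(assertion_id: str, name_id: str, signed: bool) -> str:
    """Constructed assertion; the Signature is a placeholder, not a real XMLDSig."""
    sig = ("<ds:Signature><ds:SignedInfo/>"
           "<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>"
           if signed else "")
    return (f'<saml:Assertion ID="{assertion_id}" Version="2.0">'
            f"<saml:Issuer>https://idp.example.test</saml:Issuer>{sig}"
            f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
            "</saml:Assertion>")


# Constructed: what the IdP legitimately sends, one signed assertion for alice.
BENIGN_RESPONSE = _response(_assertion("_a1", "alice", signed=True))

# Constructed: the attack shape from the advisory. An unsigned assertion for a
# different user is placed before the untouched, genuinely signed assertion.
INJECTED_RESPONSE = _response(_assertion("_evil", "admin", signed=False),
                              _assertion("_a1", "alice", signed=True))


def first_assertion_name_id(response_xml: str) -> str:
    """NameID of the first Assertion, i.e. what a consumer that takes the
    first one without checking for duplicates would authenticate as."""
    root = ET.fromstring(response_xml)
    return root.find(ASSERTION).find(NAME_ID).text


def check_single_assertion(response_xml: str) -> dict:
    """Equivalent of the advisory's property-mapping workaround: reject a
    Response whose direct children include more than one Assertion."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(ASSERTION)  # direct children of the Response only
    if len(assertions) > 1:
        raise ValueError("Multiple assertions found")
    return {}


def rejects_injected_assertion(response_xml: str) -> bool:
    """True when the workaround check refuses the given Response."""
    try:
        check_single_assertion(response_xml)
    except ValueError:
        return True
    return False


def signed_assertion_name_id(response_xml: str) -> str:
    """Stricter variant (this example's own addition): exactly one Assertion
    anywhere in the document, and it must carry a Signature element, before
    its NameID is handed on. Presence of the element is a structural check;
    the signature itself still has to be verified separately."""
    root = ET.fromstring(response_xml)
    assertions = list(root.iter(ASSERTION))  # anywhere, not just top level
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    if assertion.find(SIGNATURE) is None:
        raise ValueError("Assertion carries no Signature element")
    return assertion.find(NAME_ID).text


if __name__ == "__main__":
    print("first assertion in injected response:", first_assertion_name_id(INJECTED_RESPONSE))
    print("workaround rejects injected response:", rejects_injected_assertion(INJECTED_RESPONSE))
    print("workaround rejects benign response:", rejects_injected_assertion(BENIGN_RESPONSE))
    print("strict check on benign response:", signed_assertion_name_id(BENIGN_RESPONSE))
```

Run against the constructed input, the naive first-assertion read returns `admin` for the injected Response while the workaround check raises, which is the behaviour the property mapping relies on: a raised exception aborts the login. The count-only check is deliberately conservative and will also reject legitimate multi-assertion Responses from IdPs that send them, so the advisory's preferred mitigations, enabling **Verify Response Signature**, configuring an **Encryption Certificate**, or upgrading to a patched release, should be applied where possible.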