mirror of
https://github.com/goauthentik/authentik
synced 2026-04-27 18:07:15 +02:00
# CVE-2026-25227
_Reported by [@rahulgovind](https://github.com/rahulgovind)_
## Authenticated Remote Code Execution via Policy/Property Mapping test endpoint
### Summary
When using delegated permissions, a user that holds the permission **Can view \* Property Mapping** or **Can view Expression Policy** is able to execute arbitrary code within the authentik server container through the `test` endpoint. That endpoint is intended only to preview how a property mapping or policy evaluates, but because it evaluates the submitted expression server-side, a view-only permission is in practice sufficient to run code.
### Patches
authentik 2025.8.6, 2025.10.4 and 2025.12.4 fix this issue; for other versions, the workarounds below can be used until an upgrade is possible.
### Impact
Users with the view permissions specified above are able to execute arbitrary code that has access to the entire authentik database as well as any environment variables, allowing the user to escalate their permissions and fully take over an instance.
### Workarounds
If an upgrade is not possible, it is strongly recommended to un-assign the **Can view \* Property Mapping** and **Can view Expression Policy** permissions from any user that should not have administrative privileges, and to treat these view permissions as equivalent to the corresponding edit permissions. This applies to permissions granted directly to users as well as through roles.
It is also possible to block requests to the test endpoints at a reverse proxy or WAF placed in front of authentik. This only helps if all API traffic passes through that proxy; the permission itself remains in place, so removing the permission (or upgrading) is still the preferred fix. The endpoints have the following URLs (`:uuid` is a placeholder for any UUID):
```
POST /api/v3/propertymappings/all/:uuid/test/
POST /api/v3/policies/all/:uuid/test/
```
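As an added illustration (not part of this advisory or the authentik code base), the following Python shows what a path-based block rule for the two endpoints above has to tolerate and how to find calls to them in an access log. `is_test_endpoint` matches the path after the normalisation a proxy would apply (query string removed, percent-decoding, duplicate slashes collapsed), and `scan_access_log` runs that check over constructed combined-format log lines. The client addresses, timestamps and UUIDs in `SAMPLE_LOG` are made up.

```python
import re
from typing import List, NamedTuple
from urllib.parse import unquote

# Advisory endpoints: POST /api/v3/propertymappings/all/:uuid/test/
#                     POST /api/v3/policies/all/:uuid/test/
# Literal segments are matched case-sensitively (Django routing is
# case-sensitive); the UUID segment is matched case-insensitively.
# The trailing slash is optional so a missing-slash variant is still caught.
TEST_ENDPOINT = re.compile(
    r"^/api/v3/(?:propertymappings|policies)/all/"
    r"(?i:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"/test/?$"
)


def normalize_path(raw: str) -> str:
    """Strip the query string, percent-decode and collapse duplicate slashes.

    Deliberately conservative: for a deny rule, over-matching an encoded or
    doubled-slash variant is the safe direction.
    """
    path = raw.split("?", 1)[0]
    path = unquote(path)
    return re.sub(r"/{2,}", "/", path)


def is_test_endpoint(path: str) -> bool:
    """True if the request path routes to one of the vulnerable test endpoints.

    The HTTP method is ignored on purpose: a block rule should deny the path
    outright rather than rely on only POST being dangerous.
    """
    return TEST_ENDPOINT.match(normalize_path(path)) is not None


class Hit(NamedTuple):
    client: str
    method: str
    path: str
    status: int


# Combined-format access log line: client, identd, user, [timestamp],
# "METHOD PATH PROTOCOL", status, size.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines) -> List[Hit]:
    """Return every request in `lines` that reached a test endpoint."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_test_endpoint(m["path"]):
            hits.append(
                Hit(m["client"], m["method"], normalize_path(m["path"]), int(m["status"]))
            )
    return hits


# Constructed sample log lines (not real traffic); addresses and UUIDs are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Apr/2026:18:07:15 +0200] "POST /api/v3/propertymappings/all/8f2c1a6e-3b4d-4e5f-9a0b-1c2d3e4f5a6b/test/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [27/Apr/2026:18:07:16 +0200] "GET /api/v3/propertymappings/all/8f2c1a6e-3b4d-4e5f-9a0b-1c2d3e4f5a6b/ HTTP/1.1" 200 1024',
    '10.0.0.7 - - [27/Apr/2026:18:08:01 +0200] "POST /api/v3/policies/all/0E1F2A3B-4C5D-4E6F-8A9B-0C1D2E3F4A5B/test/?debug=1 HTTP/1.1" 200 300',
    '10.0.0.9 - - [27/Apr/2026:18:09:00 +0200] "POST /api/v3/policies/all/not-a-uuid/test/ HTTP/1.1" 404 0',
    '10.0.0.9 - - [27/Apr/2026:18:09:05 +0200] "POST /api/v3/policies%2Fall/8f2c1a6e-3b4d-4e5f-9a0b-1c2d3e4f5a6b/test HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit.client} {hit.method} {hit.path} -> {hit.status}")
```

On the sample data this reports the first, third and fifth lines: a plain call, a call with a query string and upper-case UUID, and a percent-encoded variant that a proxy already rejected. The viewing of the mapping itself (the `GET` on line two) is not an exploitation attempt and is not reported. The same pattern expressed as an nginx rule in front of authentik (assumed here, not taken from the advisory) would be `location ~ ^/api/v3/(propertymappings|policies)/all/[0-9a-fA-F-]{36}/test/?$ { return 403; }`; nginx matches `location` against the decoded, slash-merged URI, which is why the Python normalises the path the same way before matching.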
### For more information
If you have any questions or comments about this advisory:
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).