mirror of
https://github.com/goauthentik/authentik
synced 2026-04-27 18:07:15 +02:00
# CVE-2026-25922

_Reported by [@odgrso](https://github.com/odgrso)_

## Signature Verification bypass in SAML Source Assertion

### Summary

When using a SAML Source that has **Verify Assertion Signature** (under **Verification Certificate**) enabled but not **Verify Response Signature**, or that does not have the **Encryption Certificate** setting under **Advanced Protocol settings** configured, it was possible for an attacker to inject a malicious assertion before the signed assertion, and authentik would use the injected assertion instead of the signed one.
### Patches

authentik 2025.8.6, 2025.10.4 and 2025.12.4 fix this issue; for other versions, the workaround below can be used.

### Impact

Depending on the configuration of the source, it is possible to authenticate as any existing user.

### Workarounds

Configure the SAML Source to enable **Verify Response Signature** or to configure the **Encryption Certificate**, if possible.

If this isn't possible, add this property mapping expression on the SAML source to detect duplicate assertions:
```python
# `root` is the parsed SAML response that authentik passes to the mapping
# expression. Reject any response carrying more than one Assertion element,
# so an injected assertion cannot shadow the signed one.
assertions = root.findall("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion")
if len(assertions) > 1:
    raise ValueError("Multiple assertions found")
return {}
```
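The injection described in the summary and the structural check from the workaround, as an added example that is not authentik's code: a constructed Response places an unsigned assertion ahead of the signed one, a naive selector picks the wrong subject, and a checked selector refuses the document. The XML fragments, the placeholder signature bytes and the function names are all assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed fragments: a signed assertion for "bob" (signature bytes are a
# placeholder, only the structure matters here) and an unsigned one for "alice".
SIGNED = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_signed">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_signed"/></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
</saml:Assertion>"""
UNSIGNED = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_injected">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""

def response(*assertions):
    """Wrap assertions in a minimal, constructed samlp:Response (itself unsigned)."""
    body = "\n".join(assertions)
    return f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1">{body}</samlp:Response>'

GOOD_RESPONSE = response(SIGNED)
TAMPERED_RESPONSE = response(UNSIGNED, SIGNED)  # injected assertion comes first

def nameid_of(assertion):
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")

def naive_nameid(xml_text):
    """Takes the first Assertion found; on TAMPERED_RESPONSE that is the injected one."""
    root = ET.fromstring(xml_text)
    return nameid_of(root.find(f"{{{SAML}}}Assertion"))

def checked_nameid(xml_text):
    """Refuse ambiguous documents first (the advisory's check), then require that the
    single remaining assertion carries a Signature whose Reference points at its own ID."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one assertion, found {len(assertions)}")
    assertion = assertions[0]
    ref = assertion.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("assertion is not signed by a signature referencing its own ID")
    return nameid_of(assertion)
```

The Reference-URI test is a structural defence against wrapping, not a substitute for the cryptographic check that the **Verify Assertion Signature** option performs on the assertion that is finally selected.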
### For more information

If you have any questions or comments about this advisory:

- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).