High

XML Signature Wrapping in authentik SAML Source ACS endpoint

IdentifiersCVE-2026-47201CWE-20· Improper Input Validation

CVE-2026-47201 is an XML Signature Wrapping vulnerability in authentik, an open-source identity provider. The flaw affects the SAML Source Assertion Consumer Service (ACS) endpoint when validating upstream SAML responses. In affected versions, an attacker can abuse improper validation of signed XML content in a SAML response so that a valid signed assertion is reused or wrapped in a way that causes authentik to accept authentication data for a different federated user than the one originally asserted. According to the advisory, an attacker with any account at the upstream identity provider can leverage a valid signed assertion to authenticate as another federated user. Affected versions are authentik releases prior to 2025.12.5, 2026.2.3, and 2026.5.1.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows authentication bypass/identity impersonation in federated SAML login flows. An attacker who has a valid account at the upstream IdP can authenticate to authentik as another federated user by reusing a valid signed assertion. This can result in unauthorized access to the victim user's account and any applications, data, or privileges reachable through authentik-backed single sign-on. The supplied CVSS vector also indicates potential high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling or restricting affected SAML Source integrations until upgrades can be applied, limiting which upstream IdP accounts can authenticate, and closely monitoring federated login activity for anomalous assertion reuse or unexpected cross-user authentication events. Because the flaw is in SAML response validation, mitigation short of patching is limited; upgrading is the primary corrective action.

Remediation

Patch, then assume compromise.

Upgrade authentik to a fixed release. The issue is patched in versions 2025.12.5, 2026.2.3, and 2026.5.1. Organizations should update to the appropriate patched version for their deployment branch and ensure all authentik instances handling SAML Source ACS traffic are running a fixed build.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoauthentikAuthentikapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

cvefeed high severityNews

Jun 2, 2026

CVE-2026-47201 - authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user

An XML Signature Wrapping vulnerability in authentik's SAML Source ACS endpoint that can allow an attacker with an account at the upstream IdP to reuse a valid signed assertion and authenticate as another federated user.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-47201

NVD

nvd.nist.gov/vuln/detail/CVE-2026-47201

MITRE CWE · CWE-20

Improper Input Validation

Vendor Advisory

github.com/goauthentik/authentik/security/advisories/GHSA-c3m2-jqmq-pvp3