Description

authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.

INFO

Published Date :

2026-02-12T19:25:26.932Z

Last Modified :

2026-02-17T15:43:53.801Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25227 vulnerability.

Vendors Products
Goauthentik
  • Authentik
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25227.

URL Resource
https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80 cve-icon cve-icon
https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4 cve-icon cve-icon
https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4 cve-icon cve-icon
https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6 cve-icon cve-icon
https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact