References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-94

https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80

https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4

https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4

https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6

https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f