CVE-2026-42849 — authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover

Description

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.

How to fix CVE-2026-42849

To remediate CVE-2026-42849, upgrade the affected package to a fixed version below.

Bitnami/authentik—upgrade to 2025.12.5 or later

Is CVE-2026-42849 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-42849.

Affected packages (1)

from 0, < 2025.12.5, >= 2026.0.0, < 2026.2.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

References (2)

WEBgithub.com/goauthentik/authentik/security/advisories/GHSA-pgff-5mx8-fqj3
WEBnvd.nist.gov/vuln/detail/CVE-2026-42849