CVE-2026-49443
authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API
8.8
HIGH
CVSS 3.1
Description
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
How to fix CVE-2026-49443
To remediate CVE-2026-49443, upgrade the affected package to a fixed version below.
- Bitnami/authentik—upgrade to 2025.12.6 or later
Is CVE-2026-49443 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-49443.
Affected packages (1)
- from 0, < 2025.12.6, >= 2026.0.0, < 2026.2.4, >= 2026.3.0, < 2026.5.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |