CVE-2026-49448
authentik: SourceStage bypass via empty POST
9.8
CRITICAL
CVSS 3.1
Description
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
How to fix CVE-2026-49448
To remediate CVE-2026-49448, upgrade the affected package to a fixed version below.
- Bitnami/authentik—upgrade to 2025.12.6 or later
Is CVE-2026-49448 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-49448.
Affected packages (1)
- from 0, < 2025.12.6, >= 2026.0.0, < 2026.2.4, >= 2026.3.0, < 2026.5.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |