CVE-2026-25227 CRITICAL

CVE-2026-25227: authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint

Vendor Goauthentik
Product authentik
Weakness CWE-94 · Code injection
Published February 12, 2026
Last update February 17, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.

Key dates

02Disclosure timeline

February 12, 2026 CVE published
February 17, 2026 Record updated