CVE-2026-42849 CRITICAL

CVE-2026-42849: authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover

Vendor Goauthentik

Product authentik

Weakness CWE-79 · XSS

Published June 2, 2026

Last update June 3, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.

Key dates

02Disclosure timeline

June 2, 2026 CVE published

June 3, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-42849 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2026-42849

CWE CWE-79

CVSS 9.3 / CRITICAL

Affected versions

Vendor Goauthentik

Product authentik

Affected < 2025.12.5

Vendor Goauthentik

Product authentik

Affected < 2026.2.3

CVE-2026-42849: authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover

01Description

02Disclosure timeline

03References

04Related CVE