PatchSiren cyber security CVE debrief
CVE-2026-40165 goauthentik CVE debrief
CVE-2026-40165 is a high-severity authentication bypass in authentik’s SAML login flow. According to the CVE description, an attacker who already has an account on a SAML Source and can influence their NameID value may be able to inject an XML comment into the NameID field, causing authentik to read only part of the value and potentially map the login to another user’s account. The issue is fixed in authentik versions 2025.12.5 and 2026.2.3.
- Vendor: goauthentik
- Product: authentik
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Organizations running authentik with SAML Sources should treat this as urgent, especially if external identity providers let users control their NameID (for example, username or email) and XML signing is enabled. Identity, IAM, SSO, and platform teams should prioritize remediation because the flaw can result in account takeover across users backed by the affected SAML Source.
Technical summary
The vulnerability is an authentication bypass caused by incorrect parsing of the SAML NameID value. By inserting an XML comment into the NameID, an attacker could cause authentik to interpret only the portion of the value before the comment. In affected configurations, that truncation could allow the attacker’s assertion to be matched to a different account. The issue affects authentik versions 2025.12.4 and earlier, and 2026.2.0-rc1 through 2026.2.2. Fixed releases are 2025.12.5 and 2026.2.3.
Defensive priority
High. This is a network-reachable authentication bypass with no user interaction required and potential cross-account impact. Remediation should be prioritized before routine maintenance work.
Recommended defensive actions
- Upgrade authentik to version 2025.12.5 or 2026.2.3, depending on your release track.
- Review every configured SAML Source to determine whether users can influence NameID values such as username or email.
- Confirm that SAML XML signing is configured and operating as intended, and validate that only trusted identity sources are accepted.
- Audit authentik and upstream IdP access logs for unusual account switching, unexpected logins, or suspicious SAML assertion behavior.
- If immediate upgrade is not possible, temporarily restrict or disable the affected SAML Source(s) until patched.
Evidence notes
Based on the supplied CVE description and NVD reference metadata, the issue is an authentication bypass in authentik tied to SAML NameID XML comment injection. The source metadata cites an upstream authentik commit, the 2025.12.5 release, and GitHub Security Advisory GHSA-9wj8-xv4r-qwrp as references. The CVE was published and last modified on 2026-05-21T00:16:28.290Z.
Official resources
Publicly disclosed and published on 2026-05-21. Use the CVE publication time for timeline context; do not infer an earlier issue date from remediation activity or record updates.