goauthentik
cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*
- <= 2025.8.5
- <= 2025.10.3
- <= 2025.12.3
A vulnerability exists in authentik, an open-source identity provider, prior to versions 2025.8.6, 2025.10.4, and 2025.12.4. The issue arises when a SAML Source has the 'Verify Assertion Signature' option enabled but not 'Verify Response Signature', or has no 'Encryption Certificate' configured under Advanced Protocol settings. In these configurations, an attacker could inject a malicious assertion ahead of the legitimate signed assertion in the SAML response, and authentik would then process the injected assertion rather than the signed one. Exploitation could allow authentication as any existing user, depending on the source's configuration.
Exploitation of this vulnerability could lead to unauthorized authentication as any existing user, depending on the SAML source configuration.
Users can upgrade to authentik versions 2025.8.6, 2025.10.4, or 2025.12.4 to address this vulnerability. For those unable to upgrade, a workaround is to configure the SAML Source to verify response signatures or to use an encryption certificate. If neither option is available, a property mapping expression can be added to the SAML source to detect duplicate assertions and reject the response when more than one is present.