Authentik Identity Provider Source Connection Vulnerability Allowing Account Impersonation

Vulnerability

A vulnerability in authentik, an open-source identity provider, allows an attacker who holds an account in one of the configured sources and has permission to modify source connections to log in as any account. This issue affects authentik versions prior to 2025.12.6, 2026.2.4, and 2026.5.1. The vulnerability arises because the 'UserSourceConnection.user' and 'GroupSourceConnection.group' fields can be changed through the API, so a low-privilege attacker can re-point a source connection at a different user or group and authenticate as that user.

Impact

Exploiting this vulnerability allows an attacker to impersonate any user by manipulating source connection data, gaining unauthorized access to that user's account, including accounts with administrative privileges.

Reproduction

To reproduce this vulnerability, an attacker must have an account in a configured source and hold the 'add' or 'change' permission for user or group source connections. The attacker can then change a source connection so that the source identity they control is linked to an admin account, allowing them to log in as that admin.
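The defensive check that follows from the Vulnerability and Reproduction sections is an inventory of which upstream identities are allowed to sign in as which authentik users, plus a watch for the 'user' field of a source connection being rewritten. The script below is an added example, not authentik's own code: the record shapes for users, source connections and audit events (field names `pk`, `username`, `is_superuser`, `user`, `source`, `identifier`, `action`, `context.model`, `context.diff`) are assumptions that only approximate what the authentik API returns, and all sample data is constructed.

```python
"""Audit helpers for source-connection bindings (added example, not authentik code).

Assumed, not taken from the advisory: the field names on the records below and the
shape of the 'model_updated' audit event (`context.model.model_name`, `context.diff`).
Adapt them to the real API output before use.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    pk: int
    username: str
    is_superuser: bool


@dataclass(frozen=True)
class SourceConnection:
    pk: int
    user: int        # pk of the authentik user this upstream identity signs in as
    source: str      # source slug
    identifier: str  # identity at the upstream source, e.g. an OIDC subject or email


# Constructed sample data: three users, three connections from one OIDC source.
# Connection 12 binds an identity ("mallory@...") to the superuser "akadmin".
USERS = [
    User(pk=1, username="akadmin", is_superuser=True),
    User(pk=2, username="alice", is_superuser=False),
    User(pk=3, username="bob", is_superuser=False),
]
CONNECTIONS = [
    SourceConnection(pk=10, user=2, source="corp-oidc", identifier="alice@example.test"),
    SourceConnection(pk=11, user=3, source="corp-oidc", identifier="bob@example.test"),
    SourceConnection(pk=12, user=1, source="corp-oidc", identifier="mallory@example.test"),
]

# Constructed audit events in an assumed shape: one rebind of connection 12, one login.
EVENTS = [
    {
        "action": "model_updated",
        "user": {"username": "mallory"},
        "context": {
            "model": {"app": "authentik_sources_oauth", "model_name": "userOAuthsourceconnection", "pk": 12},
            "diff": {"user": {"previous_value": 3, "new_value": 1}},
        },
    },
    {"action": "login", "user": {"username": "alice"}, "context": {}},
]


def privileged_connections(users, connections):
    """Connections whose target user is a superuser.

    Every entry here is an upstream identity that can sign in as an admin; each one
    should be expected and reviewed, and an unexpected one is exactly the symptom of
    the re-pointing the advisory describes.
    """
    by_pk = {u.pk: u for u in users}
    return [c for c in connections if c.user in by_pk and by_pk[c.user].is_superuser]


def identifier_mismatches(users, connections):
    """Connections whose upstream identifier does not name the bound authentik user.

    Heuristic only: compares the identifier's local part with the username, which
    flags a control identity bound to someone else's account but also produces false
    positives where usernames legitimately differ from upstream identifiers.
    """
    by_pk = {u.pk: u for u in users}
    out = []
    for c in connections:
        user = by_pk.get(c.user)
        if user is None:
            continue
        local_part = c.identifier.split("@", 1)[0].lower()
        if local_part != user.username.lower():
            out.append(c)
    return out


def user_rebinds(events):
    """(actor, connection pk, previous user pk, new user pk) for each audit event that
    rewrote the 'user' field of a source connection."""
    hits = []
    for ev in events:
        if ev.get("action") != "model_updated":
            continue
        ctx = ev.get("context", {})
        model = ctx.get("model", {})
        if not model.get("model_name", "").lower().endswith("sourceconnection"):
            continue
        change = ctx.get("diff", {}).get("user")
        if change is None:
            continue
        actor = ev.get("user", {}).get("username", "?")
        hits.append((actor, model.get("pk"), change.get("previous_value"), change.get("new_value")))
    return hits


if __name__ == "__main__":
    for c in privileged_connections(USERS, CONNECTIONS):
        print(f"admin-bound: connection {c.pk} {c.source}:{c.identifier} -> user {c.user}")
    for c in identifier_mismatches(USERS, CONNECTIONS):
        print(f"identifier/username mismatch: connection {c.pk} {c.identifier} -> user {c.user}")
    for actor, pk, old, new in user_rebinds(EVENTS):
        print(f"rebind by {actor}: connection {pk} user {old} -> {new}")
```

Run against a live export, the three functions give a defender a short review list rather than a proof of compromise: an admin-bound connection may be entirely legitimate, so the useful signal is a binding or a rebind event that nobody can account for, which on an unpatched instance should be treated as a possible account takeover.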

Remediation

Users should update to authentik versions 2025.12.6, 2026.2.4, or 2026.5.1.

Added: Jun 2, 2026, 9:20 PM
Updated: Jun 2, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.3
exploitability: 6.8
remediation: 7.7
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.