Authentik Source Stage Bypass Vulnerability

Vulnerability

A vulnerability in authentik, an open-source identity provider, allows the Source stage in authentication flows to be bypassed. This issue affects versions up to and including 2025.12.5, 2026.2.3, and 2026.5.0. The vulnerability arises because the Source stage can be skipped by sending an empty POST request. When the Source stage is active, the flow executor expects a restore token produced by the user’s interaction with the identity provider (IdP). However, an empty POST request is accepted as valid, allowing the flow to advance without that interaction ever having taken place. This bypass is exploitable whenever the Source stage is part of an authentication flow that requires interaction with an IdP.

Impact

Exploiting this vulnerability allows users to skip the Source stage of authentication, bypassing required credentials and potentially leading to unauthorized access.

Reproduction

To reproduce this vulnerability, create a flow that includes a Source stage bound to a user login. Start the flow and submit an identification challenge. Once the flow reaches the Source stage, send an empty POST request instead of authenticating through the IdP. The response will indicate that the Source stage has been bypassed, as the user will be authenticated without having presented any credentials.

Remediation

Users should update to authentik versions 2025.12.6, 2026.2.4, or 2026.5.1, where this vulnerability has been patched.

Added: Jun 2, 2026, 9:19 PM
Updated: Jun 2, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.3
exploitability: 9.7
remediation: 7.7
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.