security: automated internal backport of patch GHSA-xp7f-xjjx-gwm8.sec.patch to authentik-2026.5 (#22731)

authentik/enterprise/stages/source/stage.py

@@ -16,7 +16,7 @@ from authentik.core.sources.flow_manager import (
 )
 from authentik.core.types import UILoginButton
 from authentik.enterprise.stages.source.models import SourceStage
-from authentik.flows.challenge import Challenge, ChallengeResponse
+from authentik.flows.challenge import Challenge, ChallengeResponse, HttpChallengeResponse
 from authentik.flows.models import FlowToken, in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_IS_REDIRECTED, PLAN_CONTEXT_IS_RESTORED
 from authentik.flows.stage import ChallengeStageView, StageView
@@ -84,7 +84,8 @@ class SourceStageView(ChallengeStageView):
         return token
 
     def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
-        return self.executor.stage_ok()
+        # Completion happens via dispatch(), not here.
+        return HttpChallengeResponse(self._get_challenge())
 
 
 class SourceStageFinal(StageView):

website/docs/security/cves/GHSA-xp7f-xjjx-gwm8.md

@@ -0,0 +1,27 @@
+<!-- spellchecker:ignore GHSA-xp7f-xjjx-gwm8 -->
+
+# GHSA-xp7f-xjjx-gwm8
+
+## SourceStage bypass via empty POST
+
+### Summary
+
+The Source stage can be bypassed by sending an empty POST.
+
+### Patches
+
+authentik 2026.5.1, 2026.2.4, and 2025.12.6 fix this issue.
+
+### Impact
+
+If a Source stage is bound to a flow and the source exposes a ui_login_button and an attacker can reach the Source stage, they can bypass that stage, effectively skipping authentication at that source.
+
+### Workarounds
+
+None. We recommend not using Source stages until upgrading to a suitable version.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)