diff --git a/authentik/core/api/sources.py b/authentik/core/api/sources.py
index edf37bb33f..a19d533e5d 100644
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@@ -133,6 +133,7 @@ class UserSourceConnectionSerializer(SourceSerializer):
 "last_updated",
 ]
 extra_kwargs = {
+ "user": {"read_only": True},
 "created": {"read_only": True},
 "last_updated": {"read_only": True},
 }
@@ -173,6 +174,7 @@ class GroupSourceConnectionSerializer(SourceSerializer):
 "last_updated",
 ]
 extra_kwargs = {
+ "group": {"read_only": True},
 "created": {"read_only": True},
 "last_updated": {"read_only": True},
 }
diff --git a/website/docs/security/cves/GHSA-wr38-7xg8-fqxr.md b/website/docs/security/cves/GHSA-wr38-7xg8-fqxr.md
new file mode 100644
index 0000000000..617ab27f73
--- /dev/null
+++ b/website/docs/security/cves/GHSA-wr38-7xg8-fqxr.md
@@ -0,0 +1,25 @@
+# GHSA-5wcc-hf24-rf5h
+
+## `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API
+
+### Summary
+
+An attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account.
+
+### Patches
+
+authentik 2026.5.1, 2026.2.4, and 2025.12.6 fix this issue.
+
+### Impact
+
+`UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API. This lets attackers with low privilege (`*_usersourceconnection`, `*_group*sourceconnection`) misrepresent users/groups as if they were coming from a specific source, with a specific identifier, then authenticate as the victim through that source and identifier.
+
+### Workarounds
+
+Ensure that `*_usersourceconnection`, `*_group*sourceconnection` permissions are only given to trusted admins.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
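Review bot: Marking `"user"` read-only in `UserSourceConnectionSerializer.Meta.extra_kwargs` (and `"group"` in the second hunk at -173,+174) closes the field named in the advisory, but the hunk does not show whether the connection's other identity-bearing fields — `source` and the identifier — stay writable; if they do, an actor with change permission over another account's connection could still repoint that connection to a different source identity, so those fields likely need the same `{"read_only": True}` treatment or confirmed object-level permission scoping. With the field now read-only, the serializer no longer accepts `user`/`group` on create, so the owning viewset must supply it in `perform_create` or the `save()` call; that path is outside this hunk and should be verified. A regression test asserting that a PATCH carrying `user` leaves the stored value unchanged would pin the fix. Separately, the new advisory file is named `GHSA-wr38-7xg8-fqxr.md` while its heading reads `# GHSA-5wcc-hf24-rf5h`; one of the two identifiers looks wrong and should be reconciled before publication. Both `Meta` classes begin and end outside their hunks.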