From 8830a712b04e5a6a02df06b313cb8d78f90d879b Mon Sep 17 00:00:00 2001
From: "authentik-automation[bot]" <135050075+authentik-automation[bot]@users.noreply.github.com>
Date: Thu, 28 May 2026 16:39:26 +0200
Subject: [PATCH] security: automated internal backport of patch GHSA-xp7f-xjjx-gwm8.sec.patch to authentik-main (#22734)

Automated internal backport of patch GHSA-xp7f-xjjx-gwm8.sec.patch to authentik-main

Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
---
 authentik/enterprise/stages/source/stage.py | 5 ++--
 .../docs/security/cves/GHSA-xp7f-xjjx-gwm8.md | 27 +++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 website/docs/security/cves/GHSA-xp7f-xjjx-gwm8.md

diff --git a/authentik/enterprise/stages/source/stage.py b/authentik/enterprise/stages/source/stage.py
index f44b3e4444..93a1a7cb0b 100644
--- a/authentik/enterprise/stages/source/stage.py
+++ b/authentik/enterprise/stages/source/stage.py
@@ -16,7 +16,7 @@ from authentik.core.sources.flow_manager import (
 )
 from authentik.core.types import UILoginButton
 from authentik.enterprise.stages.source.models import SourceStage
-from authentik.flows.challenge import Challenge, ChallengeResponse
+from authentik.flows.challenge import Challenge, ChallengeResponse, HttpChallengeResponse
 from authentik.flows.models import FlowToken, in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_IS_REDIRECTED, PLAN_CONTEXT_IS_RESTORED
 from authentik.flows.stage import ChallengeStageView, StageView
@@ -84,7 +84,8 @@ class SourceStageView(ChallengeStageView):
 return token
 def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
- return self.executor.stage_ok()
+ # Completion happens via dispatch(), not here.
+ return HttpChallengeResponse(self._get_challenge())
 class SourceStageFinal(StageView):
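Review bot: The rewritten `challenge_valid` now re-issues the challenge for every POST, but the backport carries no regression test — the diffstat lists only stage.py and the advisory file — so nothing asserts that an empty POST to the stage no longer reaches `stage_ok()`; a test that posts an empty body to the stage and checks the reply is a challenge rather than a flow advance would pin the fix against future refactors. The one-line comment also understates the security reason: a docstring such as `"""Never complete the stage from a client POST: the response proves nothing about authentication at the source, so the challenge is re-issued and completion is left to dispatch()."""` would make the intent clear to the next maintainer, and it is the place to say that the `response` argument is intentionally unused. An unexpected POST reaching this method is exactly the pattern the advisory describes, so a debug-level log line here (using whatever logger the view already has) would help operators spot attempts. SourceStageView begins before this hunk and dispatch() is not visible in the diff, so whether dispatch() is the only remaining completion path cannot be confirmed from here.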
diff --git a/website/docs/security/cves/GHSA-xp7f-xjjx-gwm8.md b/website/docs/security/cves/GHSA-xp7f-xjjx-gwm8.md
new file mode 100644
index 0000000000..0fda0640b4
--- /dev/null
+++ b/website/docs/security/cves/GHSA-xp7f-xjjx-gwm8.md
@@ -0,0 +1,27 @@
+
+ # GHSA-xp7f-xjjx-gwm8
+
+ ## SourceStage bypass via empty POST
+
+ ### Summary
+
+ The Source stage can be bypassed by sending an empty POST.
+
+ ### Patches
+
+ authentik 2026.5.1, 2026.2.4, and 2025.12.6 fix this issue.
+
+ ### Impact
+
+ If a Source stage is bound to a flow and the source exposes a ui_login_button and an attacker can reach the Source stage, they can bypass that stage, effectively skipping authentication at that source.
+
+ ### Workarounds
+
+ None. We recommend not using Source stages until upgrading to a suitable version.
+
+ ### For more information
+
+ If you have any questions or comments about this advisory:
+
+ - Email us at [security@goauthentik.io](mailto:security@goauthentik.io)