From b19f43c8e1955dc4f8281df27d8af421e876e2f2 Mon Sep 17 00:00:00 2001 From: "authentik-automation[bot]" <135050075+authentik-automation[bot]@users.noreply.github.com> Date: Tue, 12 May 2026 20:21:58 +0200 Subject: [PATCH] internal: Automated internal backport: CVE-2026-42849.sec.patch to authentik-main (#22303) * Automated internal backport of patch CVE-2026-42849.sec.patch to authentik-main * spellcheck Signed-off-by: Jens Langhammer --------- Signed-off-by: Jens Langhammer Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com> Co-authored-by: Jens Langhammer --- locale/en/dictionaries/people.txt | 1 + website/docs/security/cves/CVE-2026-42849.md | 27 ++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 website/docs/security/cves/CVE-2026-42849.md diff --git a/locale/en/dictionaries/people.txt b/locale/en/dictionaries/people.txt index 58df44beb8..0f7f84bdcb 100644 --- a/locale/en/dictionaries/people.txt +++ b/locale/en/dictionaries/people.txt @@ -11,3 +11,4 @@ Naur Wärting Aadit Kilby +Kahmen diff --git a/website/docs/security/cves/CVE-2026-42849.md b/website/docs/security/cves/CVE-2026-42849.md new file mode 100644 index 0000000000..2cdae1d7bb --- /dev/null +++ b/website/docs/security/cves/CVE-2026-42849.md 
@@ -0,0 +1,27 @@ +# CVE-2026-42849 + +_Reported by Jan Kahmen, [turingpoint GmbH](https://turingpoint.de/en/)_ + +## Reflected XSS in SFE + +### Summary + +Due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. + +### Patches + +authentik 2025.12.5 and 2026.2.3 fix this issue. + +### Impact + +The SFE (Simple Flow Executor) was susceptible to an XSS exploit. This could allow an attacker to redirect web requests containing tokens, hijack the session or take other malicious actions. + +This is possible when an OAuth2 provider is configured, either through the redirect_uri when a very broad regex is used, or through the state value. + +The SFE previously used jQuery without explicit sanitization, which, compared to the rest of our interfaces, did not sufficiently protect from malicious input values. + +### For more information + +If you have any questions or comments about this advisory: + +- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
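Review bot: The Patches and Impact sections of the new CVE-2026-42849.md name the fixed releases (2025.12.5 and 2026.2.3) but never state which versions are affected; add an explicit affected range (for example "releases before 2025.12.5 and 2026.2.x releases before 2026.2.3") so an operator can tell from the advisory alone whether they need to upgrade. Two smaller points in the same hunk: `redirect_uri` is a protocol parameter name and should be set in backticks like other identifiers, and since the Impact text says the issue is reachable "through the redirect_uri when a very broad regex is used", it would help deployments that cannot upgrade immediately to say that tightening the provider's redirect URI patterns reduces exposure while noting that the `state` path still requires the patched release.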