NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-41577

Summary	authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.
Publication Date	June 3, 2026, 5:16 a.m.
Registration Date	June 4, 2026, 4:15 a.m.
Last Update	June 3, 2026, 5:16 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/goauthentik/authentik/security/advisories/GHSA-4v4x-x5pr-8gp2	security-advisories@github.com

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-345	データの信頼性についての不十分な検証	https://cwe.mitre.org/data/definitions/345.html