Authenticated users in authentik with limited viewing permissions can achieve remote code execution on the server container, leading to a full compromise of the identity provider.

Users with "Can view * Property Mapping" or "Can view Expression Policy" permissions can execute arbitrary code within the server container. This occurs because the test endpoint, designed for previewing mappings, does not adequately sandbox or restrict code execution.

With a CVSS score of 9.1, this is a critical vulnerability. An attacker who has achieved limited access to the authentik portal can escalate their privileges to the system level, potentially compromising all identity data, secrets, and authentication flows managed by the platform.

Immediate Action: Update authentik to version 2025.8.6, 2025.10.4, 2025.12.4, or later to patch the vulnerable test endpoint.

Proactive Monitoring: Audit logs for unusual activity on the property mapping and policy test endpoints, specifically looking for users attempting to run unauthorized code snippets.

Compensating Controls: Restrict "View" permissions for Property Mappings and Expression Policies to only the most highly trusted administrative users until the patch is applied.

Public Exploit Available: false

Identity providers like authentik are high-value targets. Organizations must apply the recommended security updates immediately to prevent internal or compromised users from escalating their access and compromising the entire authentication infrastructure.