A critical authentication bypass in the authentik identity provider allows unauthenticated attackers to potentially gain unauthorized access to protected services.

The vulnerability exists in the Source stage of the authentik identity provider. An unauthenticated attacker can bypass the intended authentication flow simply by submitting an empty POST request, effectively circumventing identity verification.

With a CVSS score of 9.8, this flaw is extremely critical as it undermines the foundation of identity and access management. Unauthorized access to the identity provider can lead to a complete compromise of all downstream applications integrated with authentik, resulting in massive data breaches and loss of control over organizational resources.

Immediate Action: Upgrade all instances of authentik to versions 2025.12.6, 2026.2.4, 2026.5.1, or later immediately.

Proactive Monitoring: Review authentication logs for anomalous login patterns or spikes in empty POST requests targeting the Source stage.

Compensating Controls: Implement additional network-level access controls or WAF rules to block malformed or unexpected requests directed at the identity provider's authentication endpoints.

Public Exploit Available: Unknown

This vulnerability is a high-severity authentication bypass that should be remediated immediately. Given that it affects the identity provider, any delay in patching significantly increases the risk of unauthorized access across the entire integrated application ecosystem.