{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25227", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-30T14:44:47.327Z", "datePublished": "2026-02-12T19:25:26.932Z", "dateUpdated": "2026-02-17T15:43:53.801Z"}, "containers": {"cna": {"title": "authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f"}, {"name": "https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80", "tags": ["x_refsource_MISC"], "url": "https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80"}, {"name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4"}, {"name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4"}, {"name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6"}], "affected": [{"vendor": "goauthentik", "product": "authentik", "versions": [{"version": ">= 2021.3.1, < 2025.8.6", "status": "affected"}, {"version": ">= 2025.10.0-rc1, < 2025.10.4", "status": "affected"}, {"version": ">= 2025.10.0-rc1, < 2025.12.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T19:25:26.932Z"}, "descriptions": [{"lang": "en", "value": "authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue."}], "source": {"advisory": "GHSA-qvxx-mfm6-626f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:43:40.444205Z", "id": "CVE-2026-25227", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:43:53.801Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25227", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-17T15:43:40.444205Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:43:46.892Z"}}], "cna": {"title": "authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint", "source": {"advisory": "GHSA-qvxx-mfm6-626f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "goauthentik", "product": "authentik", "versions": [{"status": "affected", "version": ">= 2021.3.1, < 2025.8.6"}, {"status": "affected", "version": ">= 2025.10.0-rc1, < 2025.10.4"}, {"status": "affected", "version": ">= 2025.10.0-rc1, < 2025.12.4"}]}], "references": [{"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f", "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80", "name": "https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4", "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4", "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6", "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T19:25:26.932Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25227", "state": "PUBLISHED", "dateUpdated": "2026-02-17T15:43:53.801Z", "dateReserved": "2026-01-30T14:44:47.327Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T19:25:26.932Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B75021A-6847-4AB0-8D73-BE045EC341B0", "versionEndExcluding": "2025.8.6", "versionStartIncluding": "2021.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B646FA7-6B60-4018-9EA8-0C3C4F18BC21", "versionEndExcluding": "2025.10.4", "versionStartIncluding": "2025.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "A59D4BC9-5FAE-4A4F-A109-D754BD80A10C", "versionEndExcluding": "2025.12.4", "versionStartIncluding": "2025.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue."}], "id": "CVE-2026-25227", "lastModified": "2026-02-19T15:25:12.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-12T20:16:10.313", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2021.3.1,2025.8.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.10.0-rc1,2025.10.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.10.0-rc1,2025.12.4)"}}], "product": "authentik", "vendor": "goauthentik"}], "analysis": {"en": {"generated_at": "2026-04-18T12:33:44.462803+00:00", "value": {"mitigation_remediation": ["Upgrade goauthentik:authentik to version 2025.8.6 or later, which includes the patch for the context key injection.", "If an upgrade is not immediately possible, revoke the \"Can view * Property Mapping\" or \"Can view Expression Policy\" permissions from all users or limit delegation to trusted accounts.", "Conduct a review and audit of delegated permissions to ensure only necessary users retain these view rights, thereby reducing the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected vendor is goauthentik:authentik. Versions from 2021.3.1 up through those just before 2025.8.6, 2025.10.4, and 2025.12.4 contain the vulnerability. The releases 2025.8.6, 2025.10.4, and 2025.12.4 include the fix and are not affected.", "description_and_impact": "The flaw is a context key injection in the PropertyMapping test endpoint of authentik. A user with delegated permissions to view property mapping or expression policy can supply arbitrary Python code through the context key, which the server evaluates during the preview. This results in remote code execution inside the authentik container, providing the attacker full control over the service process.", "risk_and_exploitability": "The CVSS score of 9.1 marks this as a very high impact flaw, but the EPSS score of less than 1% indicates a low current exploitation probability. It is not listed in the CISA KEV catalog. An attacker requires authenticated access with the specific view permissions, so the attack vector is likely internal or authenticated remote; the flaw does not allow unauthenticated network exploitation. Once the test endpoint is invoked by a privileged user, the injected code runs with the privileges of the authentik process."}}}}, "created": "2026-02-13T21:29:32.037149+00:00", "updated": "2026-04-18T12:45:45.664186+00:00", "vendors": ["goauthentik", "goauthentik$PRODUCT$authentik"]}