Summary
When using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead.
Patches
authentik 2025.8.6, 2025.10.4 and 2025.12.4 fix this issue, for other versions the workaround below can be used.
Impact
Depending on configuration of the source it is possible to authenticate as any existing user.
Workarounds
Configure the SAML Source to enable Verify Response Signature or the Encryption Certificate if possible.
If this isn't possible, add this property mapping expression on the SAML source to detect duplicate assertions:
assertions = root.findall("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion")
if len(assertions) > 1:
raise ValueError("Multiple assertions found")
return {}For more information
If you have any questions or comments about this advisory:
odgrso Reporter
Summary
When using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible for an attacker to inject a malicious assertion before the signed assertion that authentik would use instead.
Patches
authentik 2025.8.6, 2025.10.4 and 2025.12.4 fix this issue, for other versions the workaround below can be used.
Impact
Depending on configuration of the source it is possible to authenticate as any existing user.
Workarounds
Configure the SAML Source to enable Verify Response Signature or the Encryption Certificate if possible.
If this isn't possible, add this property mapping expression on the SAML source to detect duplicate assertions:
For more information
If you have any questions or comments about this advisory: