ByteOS Network

CVE Vulnerability Details :

CVE-2026-25227

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-12 Feb, 2026 | 19:25

Updated At-12 Feb, 2026 | 19:25

▼CVE Numbering Authority (CNA)

authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint

authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.

Affected Products

Vendor

goauthentik

Product

authentik

Versions

Affected

>= 2021.3.1, < 2025.8.6
>= 2025.10.0-rc1, < 2025.10.4
>= 2025.10.0-rc1, < 2025.12.4

Problem Types

Type	CWE ID	Description
CWE	CWE-94	CWE-94: Improper Control of Generation of Code ('Code Injection')

Type: CWE

CWE ID: CWE-94

Description: CWE-94: Improper Control of Generation of Code ('Code Injection')

Metrics

Version	Base score	Base severity	Vector
3.1	9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Version: 3.1

Base score: 9.1

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References

Hyperlink	Resource
https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f	x_refsource_CONFIRM
https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80	x_refsource_MISC
https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4	x_refsource_MISC
https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4	x_refsource_MISC
https://github.com/goauthentik/authentik/releases/tag/version%2F2025.8.6	x_refsource_MISC