What is CVE-2026-47201?

CVE-2026-47201 is a high-severity vulnerability in Goauthentik Authentik, classified under Improper Input Validation. CVSS score: 8.5/10. Published 2026-06-02.

How severe is CVE-2026-47201?

High severity. CVSS v3 base score is 8.5 out of 10.

Improper input validation in Goauthentik Authentik

CVE-2026-47201

authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any…

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.001 (19.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Goauthentik Authentik — versions < 2025.12.5, < 2026.2.3, < 2026.5.1

Weakness classification (CWE)

References

security-advisories@github.com (x_refsource_CONFIRM, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-47201?: CVE-2026-47201 is a high-severity vulnerability in Goauthentik Authentik, classified under Improper Input Validation. CVSS score: 8.5/10. Published 2026-06-02.
How severe is CVE-2026-47201?: High severity. CVSS v3 base score is 8.5 out of 10.