
CVE-2026-41569

Reported by @jmecom and @AyushParkara

WS-Federation wreply Origin Bypass (CVE-2026-41569)

Summary

The WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com.evil.tld/), causing the victim's browser to POST the signed WS-Federation login response to attacker-controlled infrastructure.

Patches

authentik 2025.12.5 and 2026.2.3 fix this issue.

Impact

The WS-Federation sign-in processor accepted any wreply whose string value started with the configured Reply URL, without correctly comparing the host.

Once accepted, the attacker-controlled wreply is used as the autosubmit destination, and the victim's browser immediately POSTs the signed WS-Federation response (wresult) to that URL. The response is a valid signed authentication artifact; in many relying-party configurations it is replayable to the legitimate ACS endpoint, enabling victim impersonation in the target application.

The fix replaces the string prefix check with proper URL parsing, comparing scheme, host, and path independently:

Only WS-Federation providers (an enterprise feature) with a prefix-ambiguous Reply URL are affected. If the Reply URL is already path-specific (e.g. https://portal.example.com/wsfed/acs), the host-extension bypass does not apply.

Workarounds

Configure the WS-Federation provider's Reply URL with a specific path (e.g. https://portal.example.com/wsfed/acs) rather than a bare hostname. This prevents the host-extension bypass without patching, though upgrading is strongly preferred.
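The following is an added example, not authentik's own code, that reproduces the two checks described in the Impact section and the effect of the workaround above: a raw string prefix check accepts the host-extension value from the Summary when the Reply URL is a bare hostname, while a parsed comparison of scheme, host, port and path rejects it regardless of how the Reply URL is configured. Hostnames, the sub-path rule and the strict port comparison are assumptions chosen for illustration.

```python
from urllib.parse import urlparse

# Constructed values: the advisory's example host and its host-extension bypass.
BARE_REPLY_URL = "https://portal.example.com"            # prefix-ambiguous
PATH_REPLY_URL = "https://portal.example.com/wsfed/acs"  # path-specific (workaround)
BYPASS_WREPLY = "https://portal.example.com.evil.tld/"


def wreply_allowed_prefix(wreply: str, reply_url: str) -> bool:
    """The vulnerable pattern the advisory describes: a raw string prefix check."""
    return wreply.startswith(reply_url)


def wreply_allowed_parsed(wreply: str, reply_url: str) -> bool:
    """Hardened check: parse both URLs and compare scheme, host, port and path
    independently. Allowing sub-paths on a segment boundary and comparing ports
    strictly are assumptions of this example, not authentik's implementation."""
    want, got = urlparse(reply_url), urlparse(wreply)
    try:
        got_port, want_port = got.port, want.port  # .port raises ValueError on a bad port
    except ValueError:
        return False
    if got.scheme != want.scheme:
        return False
    # .hostname is the parsed authority, so "portal.example.com.evil.tld" is a different host
    if not got.hostname or got.hostname.lower() != (want.hostname or "").lower():
        return False
    if got_port != want_port:
        return False
    want_path = want.path or "/"
    got_path = got.path or "/"
    return got_path == want_path or got_path.startswith(want_path.rstrip("/") + "/")


def evaluate(wreply: str, reply_url: str) -> dict:
    """Return both verdicts so the effect of the Reply URL shape is visible side by side."""
    return {"prefix": wreply_allowed_prefix(wreply, reply_url),
            "parsed": wreply_allowed_parsed(wreply, reply_url)}


if __name__ == "__main__":
    for reply_url in (BARE_REPLY_URL, PATH_REPLY_URL):
        for wreply in (BYPASS_WREPLY, "https://portal.example.com/wsfed/acs"):
            print(reply_url, "<-", wreply, evaluate(wreply, reply_url))
```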

For more information

If you have any questions or comments about this advisory: