CVE-2026-42849

Reported by Jan Kahmen, turingpoint GmbH

Reflected XSS in SFE

Summary

The SFE (Simple Flow Executor) implements flow stages in a way that keeps the interface compatible with legacy browsers; because of how those stages were implemented, a reflected XSS exploit was possible in the AutosubmitStage.

Patches

authentik 2025.12.5 and 2026.2.3 fix this issue.

Impact

The SFE (Simple Flow Executor) was susceptible to an XSS exploit. This could allow an attacker to redirect web requests containing tokens, hijack the session or take other malicious actions.

This is possible when an OAuth2 provider is configured, either through the redirect_uri, when a very broad regex is used to validate it, or through the state value.

The SFE previously rendered values with jQuery without explicit sanitization, which, unlike the rest of our interfaces, did not sufficiently protect against malicious input values.
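As an added illustration of the sanitization gap described above (this is not authentik's own code; the function names, parameter names and the sample state value are constructed), the unsafe string-building pattern is shown beside a hardened version that escapes every untrusted value and restricts the form action to http(s):

```javascript
// Added example, not taken from authentik. Names and sample values are
// constructed for illustration only.

// Vulnerable pattern: untrusted values (e.g. an OAuth2 state or redirect
// target) are concatenated into markup that is then handed to an
// innerHTML-style sink such as jQuery's .html(). A value containing `">`
// terminates the attribute and the rest is parsed as markup.
function buildFormUnsafe(action, fields) {
  let html = `<form method="post" action="${action}">`;
  for (const [name, value] of Object.entries(fields)) {
    html += `<input type="hidden" name="${name}" value="${value}">`;
  }
  return html + "</form>";
}

// Hardened pattern: every untrusted value is HTML-escaped before it is
// placed in an attribute, so it can never close the attribute or open a tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The form action is limited to absolute http(s) URLs so that a javascript:
// or data: URL cannot be auto-submitted; relative or malformed URLs are
// rejected as well (assumption: the auto-submit target is always absolute).
function isSafeAction(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false;
  }
}

function buildFormSafe(action, fields) {
  if (!isSafeAction(action)) throw new Error("unsafe form action");
  let html = `<form method="post" action="${escapeHtml(action)}">`;
  for (const [name, value] of Object.entries(fields)) {
    html += `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
  }
  return html + "</form>";
}

// Constructed sample input: a state parameter that breaks out of the attribute.
const SAMPLE_STATE = '"><script>x</script>';
```

In the browser, prefer building the form with document.createElement and setAttribute (or jQuery's .attr() and .val()) so that no markup is parsed at all; the escaping above is the fallback when markup has to be assembled as a string.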

For more information

If you have any questions or comments about this advisory: