authentik: Reflected XSS in the Simple Flow Executor
Reflected XSS in authentik's Simple Flow Executor: a crafted OAuth link hijacks a logged-in SSO session.
Advisory ID: TP-2026-001
Product: authentik (identity provider / single sign-on)
Vulnerability type: Reflected cross-site scripting (CWE-79)
CVE: CVE-2026-42849
CVSS 3.1: 9.3 (Critical) · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Affected versions: 2026.2.2 and earlier, 2025.12.4 and earlier
Patched in: 2026.2.3, 2025.12.5
Vendor advisory: GHSA-pgff-5mx8-fqj3
Reported: 24 April 2026
Summary
The Simple Flow Executor (SFE) is a lightweight rendering variant of authentik's login flows for browsers without a modern JavaScript bundle. The SFE's AutosubmitStage assembles an HTML form via template literals and writes it into the DOM without sanitization. Through the OAuth2 parameters state and redirect_uri, arbitrary HTML and JavaScript can be injected into the SSO origin. The injected code runs in the trust context of the authentik domain (with access to session cookies, tokens, and backend APIs) and thereby takes over the victim's session.
Root cause
The SFE writes form and challenge fields into innerHTML via template literals, in the AutosubmitStage as value="${value}" with no HTML encoding (web/packages/sfe/src/index.ts:154-174,189,225). The ?sfe query parameter forces the Simple Flow Executor, and to_redirect() copies every request.GET parameter including sfe onto the redirect, keeping the SFE active across the whole OAuth2 flow. With response_mode=form_post, OAuthFulfillmentStage places the raw, attacker-controlled state value into the auto-submit post_params. The modern flow-executor web component escapes its inputs, but the legacy SFE path does not. Any configured OAuth2 application is enough, and no authentication is required.
Proof of Concept
A crafted OAuth2 authorize URL carrying the &sfe switch (which forces the Simple Flow Executor) and a state value that breaks out of the hidden input's value attribute is sent to a logged-in victim:
GET /application/o/authorize/?client_id=<id>&redirect_uri=<uri>&response_type=code&response_mode=form_post&sfe&state="><img src=https://attacker.example/xss>
The state payload "><img src=https://attacker.example/xss> breaks out of the hidden input's value="..." attribute and is parsed as HTML during the SFE's innerHTML call. The victim's browser loads the <img> from the attacker domain (with Origin: https://authentik.example.com), proving script execution in the SSO origin context. The second vector uses the redirect_uri (in the action attribute) analogously, provided the OAuth2 provider uses matching_mode: regex with a permissive pattern.
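To make the root cause and the proof of concept above concrete, here is an added illustration (not authentik's code): a hypothetical reconstruction of the two rendering patterns, the unencoded template-literal form builder the advisory describes beside a hardened variant that encodes every value for an HTML attribute context. Function names, the form action and the code parameter are assumed for the example; the state value is the one from the PoC.

```typescript
// Added example: minimal model of the vulnerable and the hardened auto-submit
// form rendering. Hypothetical reconstruction for illustration, not project code.

type PostParams = Record<string, string>;

// Vulnerable pattern: untrusted values are interpolated straight into markup
// that is later assigned to innerHTML. A value containing `">` terminates the
// attribute and the tag, and whatever follows is parsed as HTML.
function renderAutosubmitUnsafe(action: string, params: PostParams): string {
  const inputs = Object.keys(params)
    .map((name) => `<input type="hidden" name="${name}" value="${params[name]}" />`)
    .join("");
  return `<form method="post" action="${action}">${inputs}</form>`;
}

// Hardened pattern: encode the characters that are significant inside a
// double-quoted attribute before interpolation. `&` is replaced first so the
// entities produced by the later replacements are not encoded twice.
function escapeHtmlAttr(s: string): string {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderAutosubmitSafe(action: string, params: PostParams): string {
  const inputs = Object.keys(params)
    .map((name) =>
      `<input type="hidden" name="${escapeHtmlAttr(name)}" value="${escapeHtmlAttr(params[name])}" />`)
    .join("");
  return `<form method="post" action="${escapeHtmlAttr(action)}">${inputs}</form>`;
}

// Check used to compare the two renderers: the builder only ever emits <form>
// and <input>, so any other tag name in the output came from injected data.
function containsUnexpectedTag(html: string): boolean {
  const tags = html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return tags.some((t) => !/^<\/?(form|input)$/.test(t));
}

// Constructed sample: the state value from the PoC echoed into post_params.
const SAMPLE_ACTION = "https://client.example/callback"; // assumed redirect_uri
const SAMPLE_PARAMS: PostParams = {
  code: "constructed-authorization-code",
  state: '"><img src=https://attacker.example/xss>',
};
```

Running both renderers over SAMPLE_PARAMS shows the unsafe output containing a stray <img> tag while the hardened output keeps the same bytes inside the attribute as &quot;&gt;&lt;img ...&gt;.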
Impact
- Script execution in authentik's SSO origin, with access to session cookies, tokens, and backend APIs.
- Takeover of the victim's session; OAuth2 codes and tokens issued in the flow are captured.
- Pre-authentication vector via a crafted authorize URL; any configured OAuth2 application is enough.
References
Is Something Like This in Your Software?
Our team found this vulnerability during a penetration test. Have your applications tested by the same specialists, with a penetration test from turingpoint.
