authentik Authentication Bypass: SAML NameID XML Comment Injection (CVE-2026-40165)

The National Vulnerability Database has disclosed CVE-2026-40165, a critical authentication bypass vulnerability impacting authentik, an open-source identity provider. This flaw, present in versions 2025.12.4 and prior, and 2026.2.0-rc1 through 2026.2.2, stems from how authentik processes SAML NameID values. An attacker can inject an XML comment within the NameID, effectively truncating the value and tricking authentik into accepting a partial NameID. This can grant unauthorized access to other user accounts.

Exploitation requires specific conditions: a SAML Source configured in authentik, an attacker with an account on that SAML Source, the ability to modify their NameID (typically username or email), and XML Signing enabled. The attacker manipulates the SAML assertion, inserting a comment that cuts off the NameID, allowing them to impersonate any user. The National Vulnerability Database assigns this a CVSS score of 8.7 (HIGH), underscoring the severity of this bypass.
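To make the truncation concrete, here is an added Python example (not authentik's code; the page names neither authentik's XML parser nor its extraction routine, so the comment-preserving parser and all function names are assumptions). It shows the first-text-node read that yields the truncated NameID beside two defensive alternatives: reassembling every text node, and rejecting a NameID that has any child node at all.

```python
"""Added example (not authentik's code): NameID extraction, flawed vs. hardened."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_TAG = f"{{{SAML_NS}}}NameID"

# Constructed sample: the attacker-controlled NameID puts the victim's
# identifier in front of an XML comment, followed by its own suffix.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML_NS}">
  <Subject><NameID>victim@example.com<!-- -->.attacker</NameID></Subject>
</Assertion>"""

def parse_keeping_comments(xml_text: str) -> ET.Element:
    # Keep comment nodes in the tree, as comment-preserving parsers (lxml,
    # assumed here; the page names no parser) do by default.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)

def find_nameid(root: ET.Element) -> ET.Element:
    elem = root.find(f".//{NAMEID_TAG}")
    if elem is None:
        raise ValueError("assertion has no NameID")
    return elem

def nameid_vulnerable(root: ET.Element) -> str:
    # Flawed: .text holds only the characters before the first child node,
    # so the comment truncates the value to the attacker-chosen prefix.
    return find_nameid(root).text or ""

def nameid_full_text(root: ET.Element) -> str:
    # Defence 1: join every text node in document order (leading text plus
    # each child's tail), so the comment is skipped but nothing is dropped.
    elem = find_nameid(root)
    return "".join([elem.text or ""] + [child.tail or "" for child in elem])

def nameid_strict(root: ET.Element) -> str:
    # Defence 2: NameID is a simple string type in the SAML schema, so any
    # child node (comment, PI, element) is grounds to reject the assertion.
    elem = find_nameid(root)
    if len(elem) != 0:
        raise ValueError("NameID contains child nodes; rejecting assertion")
    return elem.text or ""

if __name__ == "__main__":
    root = parse_keeping_comments(SAMPLE_ASSERTION)
    print("vulnerable read:", nameid_vulnerable(root))  # victim@example.com
    print("full-text read :", nameid_full_text(root))   # victim@example.com.attacker
    try:
        nameid_strict(root)
    except ValueError as err:
        print("strict read    :", err)
```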

This is a significant issue for organizations relying on authentik for identity management. The vulnerability fundamentally undermines the trust established by SAML assertions. Defenders must understand that this isn’t a theoretical attack; it’s a direct manipulation of a core authentication mechanism. The fix is available in versions 2025.12.5 and 2026.2.3. Patching is not optional here; it’s an immediate security imperative.

What This Means For You

  • If your organization uses authentik with SAML Sources, you need to verify your version immediately. This isn't just a bug; it's a direct path to account takeover. Prioritize patching to versions 2025.12.5 or 2026.2.3. Audit your SAML Source configurations for any unusual NameID modifications or failed authentication attempts, especially if XML Signing is enabled.

🛡️ Detection Rules

Level: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-40165: SAML NameID XML Comment Injection in authentik

Sigma YAML
title: CVE-2026-40165: SAML NameID XML Comment Injection in authentik
id: scw-2026-05-21-ai-1
status: experimental
level: critical
description: |
  This rule detects attempts to exploit CVE-2026-40165 by identifying SAML metadata requests that contain XML comments within the URI query string. Attackers inject comments into the NameID value to truncate it, bypassing authentication. This specific pattern targets the SAML metadata endpoint and the presence of comment syntax within the query parameters, which is indicative of this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40165/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  # cs-uri and cs-uri-query are W3C web-server log fields, so the
  # matching Sigma logsource category is webserver, not authentication.
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/application/saml/metadata/'
    # Both comment delimiters must be present in the same request
    # (|all), expressed as one mapping key rather than a repeated one.
    cs-uri-query|contains|all:
      - '<!--'
      - '-->'
  condition: selection
falsepositives:
  - Legitimate administrative activity
# Caveat: in the SAML POST binding the assertion is carried base64-encoded in the
# request body, so query-string fields will not show raw comment syntax; treat a
# match as low-confidence and corroborate it with authentik's authentication logs.

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type         Indicator
CVE-2026-40165  Auth Bypass  authentik versions 2025.12.4 and prior
CVE-2026-40165  Auth Bypass  authentik versions 2026.2.0-rc1 through 2026.2.2
CVE-2026-40165  Auth Bypass  SAML NameID XML Comment Injection
CVE-2026-40165  Auth Bypass  Vulnerable component: SAML Source with XML Signing enabled

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 21, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.