Nixpkgs Security Tracker

Login with GitHub

Details of issue NIXPKGS-2026-0251

NIXPKGS-2026-0251
published on 15 Feb 2026
Permalink CVE-2026-25227
updated 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 3 weeks, 3 days ago
  • @LeSuisse removed
    3 packages
    • authentik-outposts.ldap
    • authentik-outposts.proxy
    • authentik-outposts.radius
    3 weeks ago
  • @LeSuisse accepted 3 weeks ago
  • @LeSuisse published on GitHub 3 weeks ago
authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint

authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to preview how a property mapping/policy works. authentik 2025.8.6, 2025.10.4, and 2025.12.4 fix this issue.

References

Affected products

authentik
  • ==>= 2025.10.0-rc1, < 2025.12.4
  • ==>= 2025.10.0-rc1, < 2025.10.4
  • ==>= 2021.3.1, < 2025.8.6

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-qvxx-mfm6-626f
Upstream patch: https://github.com/goauthentik/authentik/commit/c691afaef164cf73c10a26a944ef2f11dbb1ac80