Cyber Posture

CVE-2026-40165

High
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 21 May 2026

Published
21 May 2026
Modified
21 May 2026
KEV Added
Patch
CVSS Score 8.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score N/A
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40165 is a high-severity aka Blind XPath Injection (CWE-91) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-9 Previous Logon Notification
addresses: CWE-287

Detects unauthorized successful logons resulting from improper authentication implementations.

AT-1 Policy and Procedures
addresses: CWE-287

Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.

AT-2 Literacy Training and Awareness
addresses: CWE-287

Security awareness training instructs users on secure authentication practices and avoiding credential compromise.

AT-3 Role-based Training
addresses: CWE-287

Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.

AU-10 Non-repudiation
addresses: CWE-287

Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.

AU-14 Session Audit
addresses: CWE-287

Session content review can reveal authentication bypasses or failures in session establishment.

AU-6 Audit Record Review, Analysis, and Reporting
addresses: CWE-287

Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.

CA-2 Control Assessments
addresses: CWE-287

Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.

NVD Description

authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was…

more

possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-91CWE-287CWE-436

EU & UK References

References