Lucene search
K

380 matches found

Chainguard
Chainguard
added 2026/05/13 7:17 p.m.10 views

GHSA-W26R-RMM8-9C29 vulnerabilities

Vulnerabilities for packages: authentik, authentik-fips, py3-django...

5.9AI score
Exploits0
Chainguard
Chainguard
added 2026/05/13 7:17 p.m.17 views

CVE-2026-6907 vulnerabilities

Vulnerabilities for packages: authentik, authentik-fips, py3-django...

5.3CVSS7AI score0.00358EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/05/12 10:23 p.m.30 views

SillyTavern has Authentication Bypass via SSO Header Injection

Resolution SillyTavern 1.18.0 now includes a configuration option to limit which IP addresses can authorize using SSO headers, limiting to just loopback addresses by default. A setting can be customized according to user's needs. Documentation: https://docs.sillytavern.app/administration/sso/...

9.8CVSS5.8AI score0.00218EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/12 10:23 p.m.4 views

GHSA-GXX6-H3G6-VWJH SillyTavern has Authentication Bypass via SSO Header Injection

Resolution SillyTavern 1.18.0 now includes a configuration option to limit which IP addresses can authorize using SSO headers, limiting to just loopback addresses by default. A setting can be customized according to user's needs. Documentation: https://docs.sillytavern.app/administration/sso/...

9.8CVSS5.8AI score0.00218EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.14 views

PT-2026-40545

Name of the Vulnerable Software and Affected Versions SillyTavern versions prior to 1.18.0 Description An authentication bypass and account takeover issue exists when Authelia or Authentik SSO is enabled. The software accepts Remote-User for Authelia and X-Authentik-Username for Authentik HTTP...

9.8CVSS5.8AI score0.00218EPSS
Exploits0References11
Chainguard
Chainguard
added 2026/05/06 7:17 p.m.13 views

CVE-2026-41889 vulnerabilities

Vulnerabilities for packages: commercial-chainloop-backend, splunk-otel-collector, gitlab-kas, bento-fips, step-issuer, pgwatch, bento, ory-kratos, openbao, chainloop-control-plane, jitsucom-bulker, openbao-fips, dapr-fips, pgtimetable-fips, sftpgo-plugin-eventstore, spicedb, step-ca-fips,...

9.8CVSS5.9AI score0.00356EPSS
Exploits0
Chainguard
Chainguard
added 2026/04/22 7:17 p.m.10 views

CVE-2026-41066 vulnerabilities

Vulnerabilities for packages: authentik-fips, open-webui, datahub-ingestion, synapse, authentik, kubeflow-pipelines-visualization-server, nemo, datadog-agent-fips, label-studio, airflow, datahub-ingestion-fips, datadog-agent...

7.5CVSS5.9AI score0.00324EPSS
Exploits1
Chainguard
Chainguard
added 2026/04/22 7:17 p.m.6 views

CVE-2026-28684 vulnerabilities

Vulnerabilities for packages: authentik-fips, ggshield, superset, keep-fips, litellm, authentik, localstack, keep, kserve...

6.6CVSS7.2AI score0.00236EPSS
Exploits1
Chainguard
Chainguard
added 2026/04/22 7:17 p.m.4 views

GHSA-MF9W-MJ56-HR94 vulnerabilities

Vulnerabilities for packages: authentik-fips, ggshield, superset, keep-fips, litellm, authentik, localstack, keep, kserve...

5.9AI score
Exploits0
Chainguard
Chainguard
added 2026/04/22 7:17 p.m.9 views

GHSA-VFMQ-68HX-4JFW vulnerabilities

Vulnerabilities for packages: authentik-fips, open-webui, datahub-ingestion, synapse, authentik, kubeflow-pipelines-visualization-server, nemo, datadog-agent-fips, label-studio, airflow, datahub-ingestion-fips, datadog-agent...

5.9AI score
Exploits0
OSV
OSV
added 2026/04/16 11:36 p.m.3 views

BIT-AUTHENTIK-2026-25748 authentik has a forward authentication bypass with broken cookie

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious...

8.6CVSS5.5AI score0.00479EPSS
Exploits0References4
OSV
OSV
added 2026/04/16 11:36 p.m.4 views

BIT-AUTHENTIK-2026-25227 authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint

authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server contain...

9.1CVSS6.1AI score0.006EPSS
Exploits0References6
OSV
OSV
added 2026/04/16 11:36 p.m.6 views

BIT-AUTHENTIK-2025-64708 authentik invitation expiry is delayed by at least 5 minutes

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5...

5.8CVSS7.2AI score0.00216EPSS
Exploits0References3
OSV
OSV
added 2026/04/16 11:36 p.m.6 views

BIT-AUTHENTIK-2025-64521 authentik deactivated service accounts can authenticate to OAuth

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with clientid and clientsecret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even...

4.8CVSS7.2AI score0.00193EPSS
Exploits0References3
OSV
OSV
added 2026/04/16 11:36 p.m.3 views

BIT-AUTHENTIK-2025-29928 authentik's deletion of sessions did not revoke sessions when using database session storage

authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage which is a non-default setting, deleting sessions via the Web Interface or the API would not revoke the session and the session holder wou...

8CVSS5.7AI score0.00364EPSS
Exploits0References3
OSV
OSV
added 2026/04/16 11:36 p.m.4 views

BIT-AUTHENTIK-2024-52289 authentik has an insecure default configuration for OAuth2 Redirect URIs

authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no Redirect URIs are configured in a provider, authentik will automatically use the first redirecturi value received as an allowed redirect URI, without escaping...

9.8CVSS5.7AI score0.0106EPSS
Exploits0References5
OSV
OSV
added 2026/04/16 11:36 p.m.5 views

BIT-AUTHENTIK-2024-52287 authentik performs insufficient validation of OAuth scopes

authentik is an open-source identity provider. When using the clientcredentials or devicecode OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue...

7.2CVSS5.7AI score0.00561EPSS
Exploits0References3
OSV
OSV
added 2026/04/16 11:36 p.m.4 views

BIT-AUTHENTIK-2024-47077 authentik cross-provider token validation problems

authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued...

6.5CVSS5.7AI score0.00417EPSS
Exploits0References6
OSV
OSV
added 2026/04/16 11:36 p.m.5 views

BIT-AUTHENTIK-2024-47070 authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header

authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. a. This results in a possibility of logging into any account with a known logi...

9CVSS5.7AI score0.00568EPSS
Exploits0References4
OSV
OSV
added 2026/04/16 11:36 p.m.8 views

BIT-AUTHENTIK-2024-38371 Insufficient access control for OAuth2 Device Code flow in authentik

authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been...

9.8CVSS5.7AI score0.00585EPSS
Exploits0References5
Rows per page
Query Builder