4 matches found
CVE-2023-26481
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin or sent via email by an admin can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an...
CVE-2023-26481
CVE-2023-26481 affects authentik (open-source Identity Provider). Root cause: insufficient access check in the recovery flow allows an admin-created or emailed recovery link to set passwords for arbitrary users when a recovery flow exists with both Identification and Email stages. If the flow inc...
CVE-2023-26481 Insufficient user check in FlowTokens by Email stage
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin or sent via email by an admin can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an...
CVE-2023-26481 Insufficient user check in FlowTokens by Email stage
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin or sent via email by an admin can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an...