Lucene search
K

6 matches found

OSV
OSV
added 2026/06/01 11:37 a.m.8 views

BIT-AUTHENTIK-2026-40172 authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0 through 2026.2.2, the PATCH /api/v3/core/users/pk/ API allows a caller with changeuser on a target user to assign arbitrary groups through UserSerializer, including groups with issuperuser=True, without...

8.1CVSS5.9AI score0.00392EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/22 7:0 p.m.13 views

CVE-2026-40172 authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/pk/ API allows a caller with changeuser on a target user to assign arbitrary groups through UserSerializer, including groups with issuperuser=True, without...

8.1CVSS0.00392EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/22 7:0 p.m.9 views

CVE-2026-40172 authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/pk/ API allows a caller with changeuser on a target user to assign arbitrary groups through UserSerializer, including groups with issuperuser=True, without...

8.1CVSS5.9AI score0.00392EPSS
Exploits0References3
CVE
CVE
added 2026/05/22 7:0 p.m.41 views

CVE-2026-40172

The CVE-2026-40172 entry concerns authentik (open-source ID provider). A flaw in PATCH /api/v3/core/users/{pk}/ lets a caller with change_user on a target user assign arbitrary groups via UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser. This resul...

8.1CVSS5.9AI score0.00392EPSS
Exploits0References3
OSV
OSV
added 2021/08/31 4:15 p.m.2 views

DEBIAN-CVE-2021-39163

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable...

3.1CVSS6.4AI score0.00892EPSS
Exploits0References1
Atlassian
Atlassian
added 2014/09/11 5:28 p.m.17 views

Add global option "Enable group <anyone>"

As mentioned in JRA-18076 and JRA-23255, the predefined group anyone poses security risks in many cases as it exposes projects to unauthenticated users. I tend to think that in 90% of Jira instances that group has no use and is just a security risk dangling over our heads. I would suggest an opti...

0.4AI score
Exploits0Affected Software1
Rows per page
Query Builder