BIT-AUTHENTIK-2023-39522 Username enumeration attack in goauthentik
goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage an attacker is able to determine if a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recover...
GO-2025-3822 Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources in goauthentik.io
Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources in goauthentik.io. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...
CVE-2023-39522
goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage an attacker is able to determine if a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recover...
GO-2024-3085 GoAuthentik vulnerable to Insufficient Authorization for several API endpoints in goauthentik.io
GoAuthentik vulnerable to Insufficient Authorization for several API endpoints in goauthentik.io. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
GHSA-QXQC-27PR-WGC8 GoAuthentik vulnerable to Insufficient Authorization for several API endpoints
Summary Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this: - /api/v3/crypto/certificatekeypairs//viewcertificate/ - /api/v3/crypto/certificatekeypairs//viewprivatekey/ - /api/v3/.../usedby/ Note that all of the...
CVE-2024-37905 Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik
authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including...
Username enumeration attack in goauthentik
Summary Using a recovery flow with an identification stage an attacker is able to determine if a username exists. Impact Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recovery flow described above is susceptible to having their...
@goauthentik/web (>=0.0.1 <=0.0.10) potentially affected by CVE-2023-39522 via @goauthentik/api (=2022.8.2-1663409478)
@goauthentik/api NPM version =2022.8.2-1663409478 is affected by a known vulnerability. The following packages have a transitive dependency on @goauthentik/api and may be impacted: - @goauthentik/web >=0.0.1, <=0.0.10 Source cves: CVE-2023-39522 Source advisory: OSV:GHSA-VMF9-6PCV-XR87...
CVE-2023-39522
goauthentik (open-source Identity Provider) contains a vulnerability in affected versions using a recovery flow with an identification stage that allows an attacker to determine whether a username exists, enabling username/email enumeration. The issue affects setups with the recovery flow and can...
CVE-2023-39522 Username enumeration attack in goauthentik
goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage an attacker is able to determine if a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recover...
PT-2023-26994
Name of the Vulnerable Software and Affected Versions goauthentik versions prior to 2023.5.6 goauthentik versions prior to 2023.6.2 Description The issue affects goauthentik, an open-source Identity Provider, where an attacker can determine if a username exists using a recovery flow with an...