Lucene search
K

15 matches found

OSV
OSV
added 2026/04/16 11:36 p.m.6 views

BIT-AUTHENTIK-2026-25922 authentik has a Signature Verification Bypass via SAML Assertion Wrapping

authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under...

8.8CVSS5.7AI score0.00166EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.18 views

EUVD-2024-45992

Malicious code in bioql PyPI...

6.3CVSS6.4AI score0.00531EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2023-30289

Malicious code in bioql PyPI...

9.1CVSS6.6AI score0.00275EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-45991

Malicious code in bioql PyPI...

9.8CVSS6.6AI score0.0106EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2025-22471

Malicious code in bioql PyPI...

7.4CVSS6.3AI score0.00489EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2022-48997

Malicious code in bioql PyPI...

6.4CVSS6.6AI score0.00539EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-42264

Malicious code in bioql PyPI...

6.5CVSS6.6AI score0.00417EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2025/05/23 10:36 a.m.12 views

CVE-2024-47070

authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. a. This results in a possibility of logging into any account with a known logi...

9CVSS6.9AI score0.00568EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/03/30 3:30 p.m.62 views

CVE-2025-29928

authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage which is a non-default setting, deleting sessions via the Web Interface or the API would not revoke the session and the session holder wou...

8CVSS7.1AI score0.00364EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/02/05 8:53 a.m.11 views

CVE-2024-38371

authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been...

8.6CVSS7.1AI score0.00585EPSS
Exploits0
Cvelist
Cvelist
added 2024/11/21 5:18 p.m.21 views

CVE-2024-52289 authentik has an insecure default configuration for OAuth2 Redirect URIs

authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no Redirect URIs are configured in a provider, authentik will automatically use the first redirecturi value received as an allowed redirect URI, without escaping...

7.9CVSS0.0106EPSS
Exploits0References2
CVE
CVE
added 2024/08/22 3:34 p.m.104 views

CVE-2024-42490

authentik (open-source Identity Provider) exposes certain API endpoints without proper authentication/authorization. Affected endpoints include /api/v3/crypto/certificatekeypairs//view_certificate/, /api/v3/crypto/certificatekeypairs//view_private_key/, and /api/v3/.../used_by/, where access depe...

7.5CVSS7.6AI score0.00563EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2024/06/28 5:58 p.m.28 views

CVE-2024-38371 Insufficient access control for OAuth2 Device Code flow in authentik

authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been...

8.6CVSS7.3AI score0.00585EPSS
Exploits0References4
Prion
Prion
added 2024/01/30 5:15 p.m.16 views

Design/Logic Flaw

Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the codechallenge parameter to the authorization request and adds the codeverifier parameter to the token request. Prior to...

6.8CVSS7.5AI score0.00544EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2023/03/04 12:30 a.m.9 views

CVE-2023-26481 Insufficient user check in FlowTokens by Email stage

authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin or sent via email by an admin can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an...

9.1CVSS9.3AI score0.00275EPSS
Exploits0References2
Rows per page
Query Builder