33 matches found
CVE-2023-39522
goauthentik (open‑source Identity Provider) contains a vulnerability in affected versions using a recovery flow with an identification stage that allows an attacker to determine whether a username exists, enabling username/email enumeration. The issue affects setups with the recovery flow and can...
CVE-2024-23647
Authentik (PKCE downgrade) vulnerability (CVE-2024-23647) exists due to a flaw in PKCE implementation: if the authorization request omits code_challenge, PKCE checks are skipped, enabling bypass of PKCE protections. Affected versions are before 2023.8.7 and 2023.10.7. Versions 2023.8.7 and 2023.1...
CVE-2025-29928
CVE-2025-29928 concerns authentik, an open-source identity provider. When configured to use database-based session storage (not default), deleting sessions via the Web Interface or API would not revoke those sessions, allowing session holders continued access. This affects authentik versions prio...
CVE-2024-38371
CVE-2024-38371 affects the open‑source identity provider authentik. The issue: access restrictions assigned to an application were not checked during the OAuth2 Device Code flow, potentially allowing unauthorized users to obtain OAuth tokens and access the application. The root cause is improper ...
CVE-2022-23555
The CVE-2022-23555 issue affects authentik, an open-source Identity Provider. A vulnerability in token handling within Invitations allows token reuse across enrollment flows, bypassing access controls when multiple enrollment flows with invitations are used. Versions prior to 2022.11.4 and 2022.1...
CVE-2024-37905
The CVE-2024-37905 entry concerns the github.com/goauthentik/authentik project. Affected: authentic API-Access-Token mechanism that can be exploited to gain admin privileges, enabling full admin access and actions like resetting passwords. Root cause: improper access control/authorization related...
CVE-2024-42490
authentik (open-source Identity Provider) exposes certain API endpoints without proper authentication/authorization. Affected endpoints include /api/v3/crypto/certificatekeypairs//view_certificate/, /api/v3/crypto/certificatekeypairs//view_private_key/, and /api/v3/.../used_by/, where access depe...
CVE-2022-46145
CVE-2022-46145 affects authentik (open-source identity provider) versions prior to 2022.11.2 and 2022.10.2. The root issue is that default flows allow unauthenticated account creation, which can enable account takeover, especially if an email-verified password-recovery flow exists to overwrite an...
CVE-2024-52287
authentik (open-source identity provider) has a vulnerability in the handling of client_credentials and device_code OAuth grants: an attacker could obtain a token with scopes that haven’t been configured. Root cause described as insufficient validation of OAuth scopes. Affected versions include 2...
CVE-2024-47070
CVE-2024-47070 affects authentik (open-source identity provider) versions prior to 2024.8.3 and 2024.6.5. An authentication bypass exists when an attacker-supplied X-Forwarded-For header contains an unparsable value (e.g., a), which can bypass the password stage due to a policy binding flaw and a...
CVE-2024-52289
This CVE concerns authentik, an open-source identity provider. In the OAuth2 provider, Redirect URIs are validated by a RegEx comparison. If no Redirect URIs are configured for a provider, authentik can automatically treat the first received redirect_uri as allowed, without escaping RegEx-special...
CVE-2026-49448
CVE-2026-49448 affects authentik (open-source identity provider). The issue allows bypass of the Source stage by sending an empty POST, as described in both the CVE entry and CVE list. Affected versions are prior to 2025.12.6, 2026.2.4, and 2026.5.1. The vulnerability is assessed with a high impa...
CVE-2024-52307
CVE-2024-52307 affects the open-source identity provider authentik. A non-constant time comparison on the per-tenant/endpoint path "/-/metrics/" enables brute-forcing the SECRET_KEY used to authenticate that endpoint. The metrics endpoint serves Prometheus data and is not intended for public acce...
CVE-2024-47077
CVE-2024-47077 affects authentik (open-source identity provider). The issue: access tokens issued to one application can be stolen by that application and used to impersonate users against other proxy providers, and tokens legitimately issued for one app can be used to access another app the user...
CVE-2023-26481
CVE-2023-26481 affects authentik (open-source Identity Provider). Root cause: insufficient access check in the recovery flow allows an admin-created or emailed recovery link to set passwords for arbitrary users when a recovery flow exists with both Identification and Email stages. If the flow inc...
CVE-2022-46172
Summary: CVE-2022-46172 affects authentik (open-source identity provider). In versions prior to 2022.10.4 and 2022.11.4, any authenticated user could create an arbitrary number of basic accounts through the default-user-settings-flow (/api/v3/flows/instances/default-user-settings-flow/execute/), ...
CVE-2023-46249
CVE-2023-46249 affects authentik (open-source Identity Provider). Before 2023.8.4 and 2023.10.2, if the default admin user is deleted, an attacker may set the default admin password without authentication via the initial-setup flow and a blueprint that can read an environment variable. The issue ...
CVE-2024-11623
CVE-2024-11623 : Authentik is vulnerable to a Stored XSS via uploading crafted SVG files used as application icons. The issue requires an authenticated admin user and was fixed in 2024.10.4. Affected versions are prior to 2024.10.4; upgrade to 2024.10.4 or later to remediate. Workarounds include ...
CVE-2024-21637
Authentik (open-source Identity Provider) is affected by a reflected XSS in OpenID Connect flows using JavaScript-URIs with response_mode=form_post. The issue targets the authentication redirect path (Redirect URI) and could be used to escalate privileges as described in CVE-2024-21637. The vulne...
CVE-2026-49443
This CVE affects authentik, an open-source identity provider. Affected: UserSourceConnection.user and GroupSourceConnection.group are changeable via the API, allowing an attacker who can modify a source connection and possesses an account in one configured source to log into any account. Root cau...
CVE-2023-36456
authentik is affected prior to versions 2023.4.3 and 2023.5.5 because it does not verify the origin of the X-Forwarded-For and X-Real-IP headers in both Python and Go code. This can allow spoofing of IPs in logs and in downstream flows that rely on IP checks, and may enable bypassing IP-based pol...
CVE-2023-48228
CVE-2023-48228 affects the authentik open-source IDP. The vulnerability is in the PKCE code_verifier validation during OAuth2 token exchange: prior to versions 2023.10.4 and 2023.8.5, authentik accepted a token request without verifying the code_verifier even when a code_challenge was used. The i...
CVE-2025-53942
Summary of CVE-2025-53942 (authentik): Affected: authentik identity provider. Issue: deactivated users who registered via OAuth/SAML (or linked accounts) could remain partially active, enabling authorization of applications despite deactivation. Root cause: insufficient check for account active s...
CVE-2026-42849
The CVE-2026-42849 entryffects authentik, an open-source identity provider. Affected component: SFE (Simple Flow Executor) autosubmit stage, where legacy-browser compatibility logic enabled a reflected XSS. Root cause: XSS in AutosubmitStage enables an attacker to potentially take over an IDP acc...
CVE-2025-52553
CVE-2025-52553 affects authentik (open-source identity provider). The vulnerability arises from a session-specific, single-use token generated after authorizing access to a RAC endpoint that is embedded in the URL; the check ensuring the token is valid only for the originating user’s session is m...
CVE-2026-25922
The vulnerability CVE-2026-25922 affects authentik (open-source identity provider) prior to versions 2025.8.6, 2025.10.4, and 2025.12.4. When a SAML Source has Verify Assertion Signature enabled and not Verify Response Signature, or when Encryption Certificate is not configured under Advanced Pro...
CVE-2026-47201
The CVE-2026-47201 entry affects authentik’s SAML Source ACS endpoint, where XML Signature Wrapping can allow an attacker with any upstream-IdP account to authenticate as a different federated user. The issue arises during validation of upstream SAML responses and has been patched in authentik ve...
CVE-2026-25227
CVE-2026-25227 affects the open‑source identity provider authentik. From 2021.3.1 up to before 2025.8.6, 2025.10.4, and 2025.12.4, a user with delegated permissions can execute arbitrary code inside the authentik server container via the test endpoint that previews property mappings/policies. The...
CVE-2026-41569
CVE-2026-41569 concerns authentik, an open-source identity provider. Before 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter with a raw string prefix check instead of proper URL parsing, enabling an attacker to craft a login link with a wreply on a different origi...
CVE-2026-25748
The vulnerability CVE-2026-25748 affects authentik prior to 2025.10.4 and 2025.12.4 in the Proxy Provider when used with Traefik or Caddy as reverse proxy. A malformed cookie could bypass authentication during forward authentication, causing missing authentik headers (X-Authentik-*) and potential...
CVE-2025-64708
The vulnerability CVE-2025-64708 affects authentik (open-source Identity Provider). Prior to versions 2025.8.5 and 2025.10.2, invitations remained valid despite expiration, relying on background cleanup every 5 minutes. In normal operation this cleanup can take up to 5 minutes, but with a large b...
CVE-2026-41577
CVE-2026-41577 affects the open‑source identity provider authentik. The SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions prior to versions 2025.12.5 and 2026.2.3. Specifically, NotBefore, NotOnOrAfter, and AudienceRestriction are ig...
CVE-2025-64521
CVE-2025-64521 affects authentik, an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, authenticating to an OAuth provider with client_id/client_secret could create a service account for the provider, and that account could be used even if deactivated. The issue was fixed i...