Lucene search
K
GoauthentikAuthentik

33 matches found

CVE
CVE
added 2023/08/29 5:23 p.m.2507 views

CVE-2023-39522

goauthentik (open‑source Identity Provider) contains a vulnerability in affected versions using a recovery flow with an identification stage that allows an attacker to determine whether a username exists, enabling username/email enumeration. The issue affects setups with the recovery flow and can...

5.3CVSS5AI score0.00514EPSS
CVE
CVE
added 2024/01/30 4:10 p.m.208 views

CVE-2024-23647

Authentik (PKCE downgrade) vulnerability (CVE-2024-23647) exists due to a flaw in PKCE implementation: if the authorization request omits code_challenge, PKCE checks are skipped, enabling bypass of PKCE protections. Affected versions are before 2023.8.7 and 2023.10.7. Versions 2023.8.7 and 2023.1...

8.8CVSS8.8AI score0.00544EPSS
CVE
CVE
added 2025/03/28 2:42 p.m.117 views

CVE-2025-29928

CVE-2025-29928 concerns authentik, an open-source identity provider. When configured to use database-based session storage (not default), deleting sessions via the Web Interface or API would not revoke those sessions, allowing session holders continued access. This affects authentik versions prio...

8CVSS7AI score0.00364EPSS
CVE
CVE
added 2024/06/28 5:58 p.m.110 views

CVE-2024-38371

CVE-2024-38371 affects the open‑source identity provider authentik. The issue: access restrictions assigned to an application were not checked during the OAuth2 Device Code flow, potentially allowing unauthorized users to obtain OAuth tokens and access the application. The root cause is improper ...

9.8CVSS8.7AI score0.00585EPSS
CVE
CVE
added 2022/12/28 12:12 a.m.107 views

CVE-2022-23555

The CVE-2022-23555 issue affects authentik, an open-source Identity Provider. A vulnerability in token handling within Invitations allows token reuse across enrollment flows, bypassing access controls when multiple enrollment flows with invitations are used. Versions prior to 2022.11.4 and 2022.1...

9.4CVSS8.9AI score0.00884EPSS
CVE
CVE
added 2024/06/28 5:9 p.m.105 views

CVE-2024-37905

The CVE-2024-37905 entry concerns the github.com/goauthentik/authentik project. Affected: authentic API-Access-Token mechanism that can be exploited to gain admin privileges, enabling full admin access and actions like resetting passwords. Root cause: improper access control/authorization related...

8.8CVSS8.9AI score0.00757EPSS
CVE
CVE
added 2024/08/22 3:34 p.m.105 views

CVE-2024-42490

authentik (open-source Identity Provider) exposes certain API endpoints without proper authentication/authorization. Affected endpoints include /api/v3/crypto/certificatekeypairs//view_certificate/, /api/v3/crypto/certificatekeypairs//view_private_key/, and /api/v3/.../used_by/, where access depe...

7.5CVSS7.6AI score0.00563EPSS
Web
CVE
CVE
added 2022/12/02 5:12 p.m.99 views

CVE-2022-46145

CVE-2022-46145 affects authentik (open-source identity provider) versions prior to 2022.11.2 and 2022.10.2. The root issue is that default flows allow unauthenticated account creation, which can enable account takeover, especially if an email-verified password-recovery flow exists to overwrite an...

9.8CVSS9AI score0.01177EPSS
CVE
CVE
added 2024/11/21 5:23 p.m.99 views

CVE-2024-52287

authentik (open-source identity provider) has a vulnerability in the handling of client_credentials and device_code OAuth grants: an attacker could obtain a token with scopes that haven’t been configured. Root cause described as insufficient validation of OAuth scopes. Affected versions include 2...

7.2CVSS6.5AI score0.00561EPSS
CVE
CVE
added 2024/09/27 3:18 p.m.86 views

CVE-2024-47070

CVE-2024-47070 affects authentik (open-source identity provider) versions prior to 2024.8.3 and 2024.6.5. An authentication bypass exists when an attacker-supplied X-Forwarded-For header contains an unparsable value (e.g., a), which can bypass the password stage due to a policy binding flaw and a...

9CVSS9.2AI score0.00568EPSS
CVE
CVE
added 2024/11/21 5:18 p.m.77 views

CVE-2024-52289

This CVE concerns authentik, an open-source identity provider. In the OAuth2 provider, Redirect URIs are validated by a RegEx comparison. If no Redirect URIs are configured for a provider, authentik can automatically treat the first received redirect_uri as allowed, without escaping RegEx-special...

9.8CVSS6.5AI score0.0106EPSS
CVE
CVE
added 2026/06/02 8:31 p.m.75 views

CVE-2026-49448

CVE-2026-49448 affects authentik (open-source identity provider). The issue allows bypass of the Source stage by sending an empty POST, as described in both the CVE entry and CVE list. Affected versions are prior to 2025.12.6, 2026.2.4, and 2026.5.1. The vulnerability is assessed with a high impa...

9.8CVSS5.7AI score0.0036EPSS
CVE
CVE
added 2024/11/21 5:14 p.m.65 views

CVE-2024-52307

CVE-2024-52307 affects the open-source identity provider authentik. A non-constant time comparison on the per-tenant/endpoint path "/-/metrics/" enables brute-forcing the SECRET_KEY used to authenticate that endpoint. The metrics endpoint serves Prometheus data and is not intended for public acce...

6.3CVSS6.6AI score0.00531EPSS
CVE
CVE
added 2024/09/27 3:26 p.m.64 views

CVE-2024-47077

CVE-2024-47077 affects authentik (open-source identity provider). The issue: access tokens issued to one application can be stolen by that application and used to impersonate users against other proxy providers, and tokens legitimately issued for one app can be used to access another app the user...

6.5CVSS6.3AI score0.00417EPSS
CVE
CVE
added 2023/03/04 12:30 a.m.63 views

CVE-2023-26481

CVE-2023-26481 affects authentik (open-source Identity Provider). Root cause: insufficient access check in the recovery flow allows an admin-created or emailed recovery link to set passwords for arbitrary users when a recovery flow exists with both Identification and Email stages. If the flow inc...

9.1CVSS7.2AI score0.00275EPSS
CVE
CVE
added 2022/12/28 6:16 a.m.62 views

CVE-2022-46172

Summary: CVE-2022-46172 affects authentik (open-source identity provider). In versions prior to 2022.10.4 and 2022.11.4, any authenticated user could create an arbitrary number of basic accounts through the default-user-settings-flow (/api/v3/flows/instances/default-user-settings-flow/execute/), ...

6.4CVSS6.5AI score0.00539EPSS
CVE
CVE
added 2023/10/31 3:20 p.m.60 views

CVE-2023-46249

CVE-2023-46249 affects authentik (open-source Identity Provider). Before 2023.8.4 and 2023.10.2, if the default admin user is deleted, an attacker may set the default admin password without authentication via the initial-setup flow and a blueprint that can read an environment variable. The issue ...

9.8CVSS9.5AI score0.00654EPSS
CVE
CVE
added 2025/02/04 1:34 p.m.57 views

CVE-2024-11623

CVE-2024-11623 : Authentik is vulnerable to a Stored XSS via uploading crafted SVG files used as application icons. The issue requires an authenticated admin user and was fixed in 2024.10.4. Affected versions are prior to 2024.10.4; upgrade to 2024.10.4 or later to remediate. Workarounds include ...

4.8CVSS5.7AI score0.00286EPSS
CVE
CVE
added 2024/01/11 5:49 a.m.55 views

CVE-2024-21637

Authentik (open-source Identity Provider) is affected by a reflected XSS in OpenID Connect flows using JavaScript-URIs with response_mode=form_post. The issue targets the authentication redirect path (Redirect URI) and could be used to escalate privileges as described in CVE-2024-21637. The vulne...

7.6CVSS5.3AI score0.00547EPSS
CVE
CVE
added 2026/06/02 8:31 p.m.51 views

CVE-2026-49443

This CVE affects authentik, an open-source identity provider. Affected: UserSourceConnection.user and GroupSourceConnection.group are changeable via the API, allowing an attacker who can modify a source connection and possesses an account in one configured source to log into any account. Root cau...

8.8CVSS5.7AI score0.00298EPSS
CVE
CVE
added 2023/07/06 6:24 p.m.48 views

CVE-2023-36456

authentik is affected prior to versions 2023.4.3 and 2023.5.5 because it does not verify the origin of the X-Forwarded-For and X-Real-IP headers in both Python and Go code. This can allow spoofing of IPs in logs and in downstream flows that rely on IP checks, and may enable bypassing IP-based pol...

8.3CVSS7.7AI score0.00696EPSS
CVE
CVE
added 2023/11/21 8:48 p.m.40 views

CVE-2023-48228

CVE-2023-48228 affects the authentik open-source IDP. The vulnerability is in the PKCE code_verifier validation during OAuth2 token exchange: prior to versions 2023.10.4 and 2023.8.5, authentik accepted a token request without verifying the code_verifier even when a code_challenge was used. The i...

9.8CVSS8.5AI score0.01237EPSS
CVE
CVE
added 2025/07/23 8:35 p.m.39 views

CVE-2025-53942

Summary of CVE-2025-53942 (authentik): Affected: authentik identity provider. Issue: deactivated users who registered via OAuth/SAML (or linked accounts) could remain partially active, enabling authorization of applications despite deactivation. Root cause: insufficient check for account active s...

7.4CVSS6.1AI score0.00489EPSS
CVE
CVE
added 2026/06/02 8:30 p.m.36 views

CVE-2026-42849

The CVE-2026-42849 entryffects authentik, an open-source identity provider. Affected component: SFE (Simple Flow Executor) autosubmit stage, where legacy-browser compatibility logic enabled a reflected XSS. Root cause: XSS in AutosubmitStage enables an attacker to potentially take over an IDP acc...

9.3CVSS5.7AI score0.00318EPSS
CVE
CVE
added 2025/06/27 3:3 p.m.33 views

CVE-2025-52553

CVE-2025-52553 affects authentik (open-source identity provider). The vulnerability arises from a session-specific, single-use token generated after authorizing access to a RAC endpoint that is embedded in the URL; the check ensuring the token is valid only for the originating user’s session is m...

9.6CVSS6.4AI score0.00405EPSS
CVE
CVE
added 2026/02/12 7:38 p.m.31 views

CVE-2026-25922

The vulnerability CVE-2026-25922 affects authentik (open-source identity provider) prior to versions 2025.8.6, 2025.10.4, and 2025.12.4. When a SAML Source has Verify Assertion Signature enabled and not Verify Response Signature, or when Encryption Certificate is not configured under Advanced Pro...

8.8CVSS5.4AI score0.00166EPSS
CVE
CVE
added 2026/06/02 8:30 p.m.28 views

CVE-2026-47201

The CVE-2026-47201 entry affects authentik’s SAML Source ACS endpoint, where XML Signature Wrapping can allow an attacker with any upstream-IdP account to authenticate as a different federated user. The issue arises during validation of upstream SAML responses and has been patched in authentik ve...

8.5CVSS5.8AI score0.00162EPSS
CVE
CVE
added 2026/02/12 7:25 p.m.26 views

CVE-2026-25227

CVE-2026-25227 affects the open‑source identity provider authentik. From 2021.3.1 up to before 2025.8.6, 2025.10.4, and 2025.12.4, a user with delegated permissions can execute arbitrary code inside the authentik server container via the test endpoint that previews property mappings/policies. The...

9.1CVSS6AI score0.006EPSS
CVE
CVE
added 2026/06/02 8:30 p.m.26 views

CVE-2026-41569

CVE-2026-41569 concerns authentik, an open-source identity provider. Before 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter with a raw string prefix check instead of proper URL parsing, enabling an attacker to craft a login link with a wreply on a different origi...

6.9CVSS5.8AI score0.00182EPSS
CVE
CVE
added 2026/02/12 7:36 p.m.25 views

CVE-2026-25748

The vulnerability CVE-2026-25748 affects authentik prior to 2025.10.4 and 2025.12.4 in the Proxy Provider when used with Traefik or Caddy as reverse proxy. A malformed cookie could bypass authentication during forward authentication, causing missing authentik headers (X-Authentik-*) and potential...

8.6CVSS5.3AI score0.00479EPSS
CVE
CVE
added 2025/11/19 5:3 p.m.20 views

CVE-2025-64708

The vulnerability CVE-2025-64708 affects authentik (open-source Identity Provider). Prior to versions 2025.8.5 and 2025.10.2, invitations remained valid despite expiration, relying on background cleanup every 5 minutes. In normal operation this cleanup can take up to 5 minutes, but with a large b...

5.8CVSS6.3AI score0.00221EPSS
CVE
CVE
added 2026/06/02 5:12 p.m.18 views

CVE-2026-41577

CVE-2026-41577 affects the open‑source identity provider authentik. The SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions prior to versions 2025.12.5 and 2026.2.3. Specifically, NotBefore, NotOnOrAfter, and AudienceRestriction are ig...

7.5CVSS5.7AI score0.00169EPSS
CVE
CVE
added 2025/11/19 5:3 p.m.16 views

CVE-2025-64521

CVE-2025-64521 affects authentik, an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, authenticating to an OAuth provider with client_id/client_secret could create a service account for the provider, and that account could be used even if deactivated. The issue was fixed i...

4.8CVSS6.5AI score0.00197EPSS