Vulnerabilities related to goauthentik - authentik
Vulnerability from fkie_nvd: CVE-2024-38371
Published: 2024-06-28 18:15
Modified: 2025-08-21 16:01
Severity
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L (security-advisories@github.com, secondary)
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (nvd@nist.gov, primary)
Summary
authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when the OAuth2 device code flow was used. This could allow users without the correct authorization to obtain OAuth tokens for an application and access it. This issue has been patched in versions 2024.2.4, 2024.4.3 and 2024.6.0.
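The advisory's point is that every grant that mints tokens for an application has to evaluate the application's access policies, not only the browser-based authorization-code path. The following is an added illustration of that check in a reduced RFC 8628 device-authorization grant; it is not authentik's code, and `Application`, `User`, `TokenEndpoint` and the `allowed_groups` stand-in for bound access policies are invented here. With `enforce_access_policy=False` it reproduces the behaviour described above.

```python
"""Device-authorization grant (RFC 8628) token endpoint, reduced to the part the
advisory is about. Added illustration, not authentik's code; Application, User,
TokenEndpoint and the "allowed_groups" stand-in for bound access policies are
invented here."""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Application:
    name: str
    allowed_groups: FrozenSet[str]  # stand-in for the access policies bound to the app


@dataclass(frozen=True)
class User:
    username: str
    groups: FrozenSet[str]


@dataclass
class DeviceCode:
    app: Application
    user: Optional[User] = None  # filled in when the user approves on the verification page


class TokenError(Exception):
    """Carries an RFC 8628 / RFC 6749 error code such as 'authorization_pending'."""


def application_allows(app: Application, user: User) -> bool:
    """Stand-in for evaluating every policy bound to the application for this user."""
    return bool(app.allowed_groups & user.groups)


class TokenEndpoint:
    def __init__(self, enforce_access_policy: bool) -> None:
        # False reproduces the advisory: the device-code path skips the application's policies.
        self.enforce_access_policy = enforce_access_policy
        self.pending: Dict[str, DeviceCode] = {}

    def start_device_flow(self, app: Application) -> str:
        """POST /device_authorization: returns the device_code the device will poll with."""
        device_code = secrets.token_urlsafe(24)
        self.pending[device_code] = DeviceCode(app)
        return device_code

    def approve(self, device_code: str, user: User) -> None:
        """The browser half of the flow: the user enters the user_code and consents."""
        self.pending[device_code].user = user

    def exchange(self, device_code: str) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        pending = self.pending.get(device_code)
        if pending is None:
            raise TokenError("invalid_grant")
        if pending.user is None:
            raise TokenError("authorization_pending")
        # The fix: the same access check the browser-based grants perform must run
        # here too, otherwise consent by an unauthorized user mints a token.
        if self.enforce_access_policy and not application_allows(pending.app, pending.user):
            raise TokenError("access_denied")
        del self.pending[device_code]  # single use
        return {"access_token": secrets.token_urlsafe(32),
                "sub": pending.user.username, "aud": pending.app.name}


# Constructed fixture: only members of "ops" are allowed to use the application.
GRAFANA = Application("grafana", frozenset({"ops"}))
OPERATOR = User("alice", frozenset({"ops"}))
OUTSIDER = User("mallory", frozenset({"guests"}))


def device_flow_outcome(user: User, enforce_access_policy: bool) -> str:
    """Run the whole flow for `user`; returns 'token' or the error code the device sees."""
    endpoint = TokenEndpoint(enforce_access_policy)
    device_code = endpoint.start_device_flow(GRAFANA)
    endpoint.approve(device_code, user)
    try:
        endpoint.exchange(device_code)
        return "token"
    except TokenError as err:
        return err.args[0]
```

The check belongs at the token step because that is the only point every grant type passes through; a check on the verification page alone would still leave the polling device free to collect the token once any consent has been recorded.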
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4 | Release Notes
security-advisories@github.com | https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3 | Release Notes
security-advisories@github.com | https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0 | Release Notes
security-advisories@github.com | https://github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45 | Vendor Advisory, Mitigation
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4 | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3 | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0 | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45 | Vendor Advisory, Mitigation
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2024.2.4
goauthentik | authentik | >= 2024.4.0, < 2024.4.3
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED1F1937-A547-440E-8D37-5830973FDB91", "versionEndExcluding": "2024.2.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB436255-F93A-4090-96AE-3AF72C6F68E2", "versionEndExcluding": "2024.4.3", "versionStartIncluding": "2024.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been patched in version(s) 2024.6.0, 2024.2.4 and 2024.4.3." }, { "lang": "es", "value": "authentik es un proveedor de identidades de c\u00f3digo abierto. Las restricciones de acceso asignadas a una aplicaci\u00f3n no se verificaron cuando se utiliz\u00f3 el flujo de c\u00f3digo del dispositivo OAuth2. Potencialmente, esto podr\u00eda permitir a los usuarios sin la autorizaci\u00f3n correcta obtener tokens OAuth para una aplicaci\u00f3n y acceder a ella. Este problema se solucion\u00f3 en las versiones 2024.6.0, 2024.2.4 y 2024.4.3." 
} ], "id": "CVE-2024-38371", "lastModified": "2025-08-21T16:01:24.083", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-06-28T18:15:04.647", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory", "Mitigation" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory", "Mitigation" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-284" }, { "lang": "en", "value": "CWE-285" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd: CVE-2023-48228
Published: 2023-11-21 21:15
Modified: 2024-11-21 08:31
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (security-advisories@github.com, secondary)
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (nvd@nist.gov, primary)
Summary
authentik is an open-source identity provider. When a client initialises an OAuth2 flow with a `code_challenge` and `code_challenge_method` (thus requesting PKCE), the single sign-on provider (authentik) must check at the token step that a matching `code_verifier` is present. Prior to versions 2023.8.5 and 2023.10.4, authentik compared the `code_verifier` only when one was provided; when it was omitted entirely, authentik accepted the token request without it, even though the flow had been started with a `code_challenge`. authentik 2023.8.5 and 2023.10.4 fix this issue.
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225 | Product
security-advisories@github.com | https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6 | Patch
security-advisories@github.com | https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5 | Patch
security-advisories@github.com | https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14 | Patch
security-advisories@github.com | https://github.com/goauthentik/authentik/pull/7666 | Patch
security-advisories@github.com | https://github.com/goauthentik/authentik/pull/7668 | Patch
security-advisories@github.com | https://github.com/goauthentik/authentik/pull/7669 | Patch
security-advisories@github.com | https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4 | Release Notes
security-advisories@github.com | https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5 | Release Notes
security-advisories@github.com | https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3 | Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225 | Product
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6 | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5 | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14 | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/pull/7666 | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/pull/7668 | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/pull/7669 | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4 | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5 | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3 | Exploit, Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2023.8.5
goauthentik | authentik | >= 2023.10.0, < 2023.10.4
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "EDAD4E86-B0E7-4863-B8B4-D3B85DF1F9B3", "versionEndExcluding": "2023.8.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "94DFCEE9-DE60-4890-8F11-D2EFDB0565D5", "versionEndExcluding": "2023.10.4", "versionStartIncluding": "2023.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. When initialising a oauth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check if there is a matching and existing `code_verifier` during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks if the contents of `code_verifier` is matching only when it is provided. When it is left out completely, authentik simply accepts the token request with out it; even when the flow was started with a `code_challenge`. authentik 2023.8.5 and 2023.10.4 fix this issue." }, { "lang": "es", "value": "authentik es un proveedor de identidad de c\u00f3digo abierto. Al inicializar un flujo oauth2 con un `code_challenge` y un `code_method` (solicitando as\u00ed PKCE), el proveedor de inicio de sesi\u00f3n \u00fanico (authentik) debe verificar si hay un `code_verifier` coincidente y existente durante el paso del token. Antes de las versiones 2023.10.4 y 2023.8.5, authentik verifica si el contenido de `code_verifier` coincide solo cuando se proporciona. Cuando se omite por completo, authentik simplemente acepta la solicitud del token sin \u00e9l; incluso cuando el flujo se inici\u00f3 con un \"code_challenge\". authentik 2023.8.5 y 2023.10.4 solucionan este problema." 
} ], "id": "CVE-2023-48228", "lastModified": "2024-11-21T08:31:15.303", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-21T21:15:08.477", "references": [ { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/pull/7666" }, { "source": 
"security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/pull/7668" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/pull/7669" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/pull/7666" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/pull/7668" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/pull/7669" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": 
"https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd: CVE-2023-39522
Published: 2023-08-29 18:15
Modified: 2024-11-21 08:15
Severity
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (security-advisories@github.com, secondary)
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (nvd@nist.gov, primary)
Summary
authentik is an open-source Identity Provider. In affected versions, an attacker can use a recovery flow that contains an identification stage to determine whether a username exists. Only setups configured with such a recovery flow are affected. Anyone with a user account on such a system can have their username or email revealed as existing: the flow shows a clear message when a user does not exist, so an attacker can easily enumerate users. Depending on configuration this works by username, by email, or both. This issue has been addressed in versions 2023.5.6 and 2023.6.2. Users are advised to upgrade. There are no known workarounds for this issue.
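The fix for this class of bug (CWE-203) is to make the response independent of whether the identifier matched, and to keep the one real difference, the recovery e-mail, out of band. The following is an added illustration of an identification stage in both forms; it is not authentik's code, and the `USERS` directory, `Outbox` and function names are constructed here.

```python
"""Identification stage of a recovery flow. Added illustration for this advisory,
not authentik's code; the USERS directory, Outbox and function names are
constructed here. The vulnerable variant answers differently for unknown
identifiers; the hardened variant gives the same status and message either way
and keeps the only observable difference (the e-mail) out of band."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample directory: username -> e-mail address.
USERS: Dict[str, str] = {"alice": "alice@example.com", "bob": "bob@example.com"}

GENERIC_MESSAGE = "If an account matches, a recovery link has been sent."


@dataclass
class Outbox:
    sent_to: List[str] = field(default_factory=list)


def lookup(identifier: str) -> Optional[str]:
    """Match by username or e-mail (the advisory notes either may be configured)."""
    ident = identifier.strip().lower()
    for username, email in USERS.items():
        if ident in (username, email.lower()):
            return email
    return None


def recovery_stage(identifier: str, outbox: Outbox, hardened: bool) -> dict:
    """Return what the browser sees for one identification attempt."""
    email = lookup(identifier)
    if email is None:
        if not hardened:
            # CWE-203: the response itself tells the caller the account does not exist.
            return {"status": 400, "message": "No user found with this identifier."}
        return {"status": 200, "message": GENERIC_MESSAGE}
    outbox.sent_to.append(email)  # the real work, invisible to the caller
    return {"status": 200, "message": GENERIC_MESSAGE}


def responses_distinguishable(hardened: bool) -> bool:
    """The attacker's oracle: does a known user answer differently from an unknown one?"""
    outbox = Outbox()
    known = recovery_stage("alice", outbox, hardened)
    unknown = recovery_stage("nobody", outbox, hardened)
    return known != unknown


def enumerate_users(candidates: List[str], hardened: bool) -> List[str]:
    """What a wordlist attack learns: the identifiers the flow 'accepted'."""
    outbox = Outbox()
    return [c for c in candidates
            if recovery_stage(c, outbox, hardened)["status"] == 200]
```

Against the hardened variant every candidate is "accepted", so the list carries no information. Two things the snippet deliberately does not cover but a deployment must: sending the mail synchronously inside the request reintroduces the oracle as a timing difference, so hand it to a queue, and the endpoint still needs rate limiting because an attacker who has a valid address can trigger unlimited recovery mail to it.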
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/goauthentik/authentik/commit/aa874dd92a770d5f8cd8f265b7cdd31cd73a4599 | Patch
security-advisories@github.com | https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/commit/aa874dd92a770d5f8cd8f265b7cdd31cd73a4599 | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87 | Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2023.5.6
goauthentik | authentik | >= 2023.6.0, < 2023.6.2
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEB48859-A83A-490D-9873-ED75FAF1370F", "versionEndExcluding": "2023.5.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "8722885E-DC68-415F-B954-CF0BA0EF0561", "versionEndExcluding": "2023.6.2", "versionStartIncluding": "2023.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage an attacker is able to determine if a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recovery flow described above is susceptible to having their username/email revealed as existing. An attacker can easily enumerate and check users\u0027 existence using the recovery flow, as a clear message is shown when a user doesn\u0027t exist. Depending on configuration this can either be done by username, email, or both. This issue has been addressed in versions 2023.5.6 and 2023.6.2. Users are advised to upgrade. There are no known workarounds for this issue." 
} ], "id": "CVE-2023-39522", "lastModified": "2024-11-21T08:15:35.757", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-08-29T18:15:08.753", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/aa874dd92a770d5f8cd8f265b7cdd31cd73a4599" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/aa874dd92a770d5f8cd8f265b7cdd31cd73a4599" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-203" } ], "source": "security-advisories@github.com", 
"type": "Primary" } ] }
Vulnerability from fkie_nvd: CVE-2024-21637
Published: 2024-01-11 06:15
Modified: 2024-11-21 08:54
Severity
7.6 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H (security-advisories@github.com, secondary)
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (nvd@nist.gov, primary)
Summary
authentik is an open-source Identity Provider. authentik is vulnerable to a reflected cross-site scripting attack via JavaScript URIs in OpenID Connect flows with `response_mode=form_post`. A user able to mount the described attack could use it to escalate privileges. This vulnerability has been patched in versions 2023.8.6 and 2023.10.6.
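With `response_mode=form_post` the provider renders an auto-submitting HTML form that posts the authorization response to the client's redirect URI. The added illustration below is not authentik's code; it assumes, as the advisory's wording implies, that the redirect URI becomes the form's `action`, and the function names, the registered-URI set and the sample parameters are constructed here. It shows the two controls that matter: the URI must carry an http(s) scheme and match the client's registration exactly, and everything rendered into the page must be HTML-escaped. The second control alone does not help, because `javascript:alert(1)` contains nothing that escaping changes.

```python
"""Safe handling of redirect_uri for response_mode=form_post. Added illustration
for this advisory, not authentik's code: the function names, the registered-URI
set and the sample parameters are constructed here. Assumption: the client's
redirect_uri becomes the action of the auto-submitting form that form_post
renders, which is what lets a javascript: URI in it execute in the IdP's origin.
"""
import html
from typing import Dict, Set
from urllib.parse import urlsplit

# Only web schemes may ever be a form target; javascript:, data:, vbscript: are out.
ALLOWED_SCHEMES = {"https", "http"}


class InvalidRedirectURI(ValueError):
    pass


def validate_redirect_uri(redirect_uri: str, registered_uris: Set[str]) -> str:
    """Refuse non-http(s) schemes, then require an exact match with a registered URI.

    Exact string matching (no prefix or wildcard logic) is what RFC 6749 section
    3.1.2 asks for; it also blocks path-traversal lookalikes.
    """
    scheme = urlsplit(redirect_uri).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidRedirectURI(f"scheme {scheme!r} is not allowed")
    if redirect_uri not in registered_uris:
        raise InvalidRedirectURI("redirect_uri is not registered for this client")
    return redirect_uri


def is_rejected(redirect_uri: str, registered_uris: Set[str]) -> bool:
    try:
        validate_redirect_uri(redirect_uri, registered_uris)
    except InvalidRedirectURI:
        return True
    return False


def render_form_post(redirect_uri: str, params: Dict[str, str],
                     registered_uris: Set[str], hardened: bool) -> str:
    """Render the form_post response page.

    hardened=False keeps HTML-escaping but skips validation, which is the trap:
    escaping turns <, >, " and & into entities, but 'javascript:alert(1)' contains
    none of those, so an escaped javascript: action is still a javascript: action.
    """
    action = validate_redirect_uri(redirect_uri, registered_uris) if hardened else redirect_uri
    inputs = "".join(
        '<input type="hidden" name="{}" value="{}"/>'.format(
            html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in params.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">'
        '<form method="post" action="{}">{}'
        '<noscript><button type="submit">Continue</button></noscript>'
        "</form></body></html>"
    ).format(html.escape(action, quote=True), inputs)
```

The scheme check runs before the allow-list lookup so that a misconfigured registration (an administrator who registered a `javascript:` URI) is refused as well; a Content-Security-Policy on the form_post page is a useful second layer but not a substitute for refusing the URI.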
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6 | Patch
security-advisories@github.com | https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.6 | Patch
security-advisories@github.com | https://github.com/goauthentik/authentik/security/advisories/GHSA-rjpr-7w8c-gv3j | Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6 | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.6 | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/security/advisories/GHSA-rjpr-7w8c-gv3j | Mitigation, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | >= 2023.8.0, < 2023.8.6
goauthentik | authentik | >= 2023.10.0, < 2023.10.6
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8E5FE79-9C41-42C8-89BA-F977B5571297", "versionEndExcluding": "2023.8.6", "versionStartIncluding": "2023.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "7322058A-9785-441A-949B-79DB9354CB73", "versionEndExcluding": "2023.10.6", "versionStartIncluding": "2023.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Authentik is an open-source Identity Provider. Authentik is a vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with `response_mode=form_post`. This relatively user could use the described attacks to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 2023.8.6." }, { "lang": "es", "value": "Authentik es un proveedor de identidades de c\u00f3digo abierto. Authentik es afectado por una vulnerabilidad de cross site scripting reflejada a trav\u00e9s de URI de JavaScript en flujos de OpenID Connect con `response_mode=form_post`. Este relativamente usuario podr\u00eda utilizar los ataques descritos para realizar una escalada de privilegios. Esta vulnerabilidad ha sido parcheada en las versiones 2023.10.6 y 2023.8.6." 
} ], "id": "CVE-2024-21637", "lastModified": "2024-11-21T08:54:46.537", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-01-11T06:15:43.787", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.6" }, { "source": "security-advisories@github.com", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjpr-7w8c-gv3j" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", 
"Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjpr-7w8c-gv3j" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd: CVE-2022-46145
Published: 2022-12-02 18:15
Modified: 2024-11-21 07:30
Severity
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (security-advisories@github.com, secondary)
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (nvd@nist.gov, primary)
Summary
authentik is an open-source identity provider. Versions prior to 2022.10.2 and 2022.11.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows email-verified password recovery, this can be used to overwrite the email address of admin accounts and take them over. authentik 2022.10.2 and 2022.11.2 fix this issue. As a workaround, an expression policy with the contents `return request.user.is_authenticated` can be created and bound to the `default-user-settings-flow` flow.
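The workaround works because policies bound to a flow are evaluated before any of its stages run, so an anonymous request never reaches the stages that write user data. The following is an added illustration of that mechanism with a tiny flow executor; it is not authentik's code, and `Flow`, `Request`, the stage function and the executor are invented here. What is taken from the advisory is the policy body `return request.user.is_authenticated` and the flow it is bound to.

```python
"""Flow executor with policy bindings, reduced to what the workaround needs. Added
illustration for this advisory, not authentik's code; Flow, Request, the stage
function and the executor are invented here. Taken from the advisory: the policy
body `return request.user.is_authenticated` and the flow slug it is bound to."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class User:
    username: str
    is_authenticated: bool
    email: str = ""


@dataclass
class Request:
    user: User


class PolicyDenied(Exception):
    pass


def expression_policy(body: str) -> Callable[[Request], bool]:
    """Compile a policy body (a function body ending in `return ...`, the shape
    authentik's expression policies use) into a callable. The body is exec()'d,
    so only administrator-authored text may ever reach this function."""
    src = "def _policy(request):\n" + "".join(f"    {line}\n" for line in body.splitlines())
    namespace: dict = {}
    exec(src, {"__builtins__": {}}, namespace)
    return namespace["_policy"]


@dataclass
class Flow:
    slug: str
    policies: List[Callable[[Request], bool]] = field(default_factory=list)

    def execute(self, request: Request, stage: Callable[[Request], str]) -> str:
        """Policies bound to the flow run before any stage does."""
        for policy in self.policies:
            if not policy(request):
                raise PolicyDenied(self.slug)
        return stage(request)


def change_email_stage(request: Request) -> str:
    """Stand-in for the prompt + user-write stages of the user-settings flow."""
    request.user.email = "attacker-controlled@example.com"
    return "updated"


def run_user_settings_flow(user: User, with_workaround: bool) -> str:
    """'updated' if the flow ran its stages, 'denied' if a bound policy stopped it."""
    flow = Flow("default-user-settings-flow")
    if with_workaround:
        flow.policies.append(expression_policy("return request.user.is_authenticated"))
    try:
        return flow.execute(Request(user), change_email_stage)
    except PolicyDenied:
        return "denied"
```

The same binding pattern applies to any flow whose stages write to user objects: a flow that can be reached without authentication must either be meant for that (enrollment, recovery) or carry a policy that says who may run it.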
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf | Mitigation, Third Party Advisory
security-advisories@github.com | https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102 | Release Notes, Vendor Advisory
security-advisories@github.com | https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112 | Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf | Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102 | Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112 | Release Notes, Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2022.10.2
goauthentik | authentik | >= 2022.11, < 2022.11.2
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F3DA805-D8FD-4A9A-BFA8-1641B3B9F2B0", "versionEndExcluding": "2022.10.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F5F2233-A097-4E2D-BABF-AE1947C45475", "versionEndExcluding": "2022.11.2", "versionStartIncluding": "2022.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`." }, { "lang": "es", "value": "authentik es un proveedor de identidad de c\u00f3digo abierto. Las versiones anteriores a 2022.11.2 y 2022.10.2 son vulnerables a la creaci\u00f3n de usuarios no autorizados y a una posible apropiaci\u00f3n de cuentas. Con los flujos predeterminados, los usuarios no autenticados pueden crear nuevas cuentas en authentik. Si existe un flujo que permite la recuperaci\u00f3n de contrase\u00f1as verificadas por correo electr\u00f3nico, se puede utilizar para sobrescribir la direcci\u00f3n de correo electr\u00f3nico de las cuentas de administrador y hacerse cargo de sus cuentas. authentik 2022.11.2 y 2022.10.2 solucionan este problema. Como workaround, se puede crear una pol\u00edtica y vincularla al \"default-user-settings-flow flow\" con el contenido \"return request.user.is_authenticated\"." 
} ], "id": "CVE-2022-46145", "lastModified": "2024-11-21T07:30:11.823", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-12-02T18:15:12.790", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102" 
}, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-306" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd: CVE-2023-36456
Published: 2023-07-06 19:15
Modified: 2024-11-21 08:09
Severity
8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L (security-advisories@github.com, secondary)
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (nvd@nist.gov, primary)
Summary
authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, in both the Python code and the Go code. Only authentik setups that users can reach directly, without a reverse proxy in front, are susceptible. The result is possible spoofing of IP addresses in logs and in downstream applications proxied by the (built-in) outpost, and IP-based bypasses in custom flows, if used.
This poses a security risk when flows or policies check the user's IP address, e.g. to skip the user's two-factor authentication while the user is connected to the company network. A second risk is that the IP addresses in the log files and user sessions are no longer reliable: anybody can spoof the address, so one cannot verify that a user logged in from the IP address recorded in their account's log. A third risk is that the header is passed on to the proxied application behind an outpost. That application may perform any kind of verification, logging, blocking or rate limiting based on the IP address, and anybody who wants to can override it.
Versions 2023.4.3 and 2023.5.5 contain a patch for this issue.
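The rule that fixes this class of bug is the same in any language: honour forwarding headers only when the TCP peer is one of your own proxies, and when walking X-Forwarded-For start from the right (the hop closest to you) and skip your proxies until the first address you did not add yourself. The following is an added illustration of that rule; it is not authentik's code (the actual Python and Go fixes are in the linked commits), and the function, the trusted-proxy list and the sample requests are constructed here. `trust_headers_blindly=True` reproduces the pre-fix behaviour.

```python
"""Client-IP resolution that only honours forwarding headers from trusted proxies.
Added illustration for this advisory, not authentik's code; client_ip(), the
TRUSTED_PROXIES list and the sample requests are constructed here."""
import ipaddress
from typing import Dict, Iterable, List


def _is_trusted(addr: str, trusted: List) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # garbage in the header is never a trusted hop
    return any(ip in net for net in trusted)


def client_ip(peer_addr: str, headers: Dict[str, str], trusted_proxies: Iterable[str],
              trust_headers_blindly: bool = False) -> str:
    """Return the address policies, logs and proxied apps should attribute the request to.

    peer_addr is the TCP remote address (what the socket reports); headers is the
    request's header map; trusted_proxies are CIDRs of the reverse proxies we run.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    xff_hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    x_real_ip = headers.get("X-Real-IP", "").strip()

    if trust_headers_blindly:
        # Pre-fix behaviour: the header wins no matter who sent it.
        return x_real_ip or (xff_hops[0] if xff_hops else peer_addr)

    if not _is_trusted(peer_addr, trusted):
        # Direct connection: the peer can write any header it likes, so ignore them all.
        return peer_addr
    # Walk right-to-left past our own proxies; the first foreign hop is the client.
    for hop in reversed(xff_hops):
        if not _is_trusted(hop, trusted):
            return hop
    # No X-Forwarded-For, or every hop was one of ours: fall back to what the
    # trusted proxy put in X-Real-IP, else to the proxy itself.
    return x_real_ip or peer_addr


# Constructed deployment: the reverse proxies live in 10.0.0.0/8 or on loopback.
TRUSTED_PROXIES = ["10.0.0.0/8", "127.0.0.1/32"]


def two_factor_skipped(peer_addr: str, headers: Dict[str, str], blind: bool) -> bool:
    """Example policy from the advisory: skip 2FA for the office network 10.0.0.0/8.
    Shows how a spoofed header becomes an MFA bypass when headers are trusted blindly."""
    ip = ipaddress.ip_address(client_ip(peer_addr, headers, TRUSTED_PROXIES, blind))
    return ip in ipaddress.ip_network("10.0.0.0/8")
```

Note that the allow-list is about who may *set* the header, not whose addresses may appear in it: a request from 198.51.100.7 straight to the service with `X-Forwarded-For: 10.0.0.1` is attributed to 198.51.100.7, while the same header arriving from a trusted proxy is walked like any other chain.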
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff | Patch
security-advisories@github.com | https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a | Patch
security-advisories@github.com | https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv | Vendor Advisory
security-advisories@github.com | https://goauthentik.io/docs/releases/2023.4#fixed-in-202343 | Release Notes
security-advisories@github.com | https://goauthentik.io/docs/releases/2023.5#fixed-in-202355 | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://goauthentik.io/docs/releases/2023.4#fixed-in-202343 | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | https://goauthentik.io/docs/releases/2023.5#fixed-in-202355 | Release Notes
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2023.4.3
goauthentik | authentik | >= 2023.5.0, < 2023.5.5
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "52C86B38-B11B-493E-A757-FCEA6CAE56C6", "versionEndExcluding": "2023.4.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "A87D7283-831E-4C9B-9E69-0E7A342A2547", "versionEndExcluding": "2023.5.5", "versionStartIncluding": "2023.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the go code. Only authentik setups that are directly accessible by users without a reverse proxy are susceptible to this. Possible spoofing of IP addresses in logs, downstream applications proxied by (built in) outpost, IP bypassing in custom flows if used.\n\nThis poses a possible security risk when someone has flows or policies that check the user\u0027s IP address, e.g. when they want to ignore the user\u0027s 2 factor authentication when the user is connected to the company network. A second security risk is that the IP addresses in the logfiles and user sessions are not reliable anymore. Anybody can spoof this address and one cannot verify that the user has logged in from the IP address that is in their account\u0027s log. A third risk is that this header is passed on to the proxied application behind an outpost. 
The application may do any kind of verification, logging, blocking or rate limiting based on the IP address, and this IP address can be overridden by anybody that want to.\n\nVersions 2023.4.3 and 2023.5.5 contain a patch for this issue.\n" } ], "id": "CVE-2023-36456", "lastModified": "2024-11-21T08:09:45.037", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-07-06T19:15:10.633", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://goauthentik.io/docs/releases/2023.4#fixed-in-202343" }, { 
"source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://goauthentik.io/docs/releases/2023.5#fixed-in-202355" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://goauthentik.io/docs/releases/2023.4#fixed-in-202343" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://goauthentik.io/docs/releases/2023.5#fixed-in-202355" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-436" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-01-30 17:15
Modified
2024-11-21 08:58
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers against attacks such as CSRF and code injection. Versions 2023.8.7 and 2023.10.7 fix the issue.
References
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "026E19BC-D2BB-4B89-916F-565B498F0C87", "versionEndExcluding": "2023.8.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E579B4B-ACB8-4917-915B-D0FB5FC17F64", "versionEndExcluding": "2023.10.7", "versionStartIncluding": "2023.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue." }, { "lang": "es", "value": "Authentik es un proveedor de identidades de c\u00f3digo abierto. Hay un error en nuestra implementaci\u00f3n de PKCE que permite a un atacante eludir la protecci\u00f3n que ofrece PKCE. PKCE agrega el par\u00e1metro code_challenge a la solicitud de autorizaci\u00f3n y agrega el par\u00e1metro code_verifier a la solicitud de token. Antes de 2023.8.7 y 2023.10.7, es posible un escenario de degradaci\u00f3n: si el atacante elimina el par\u00e1metro code_challenge de la solicitud de autorizaci\u00f3n, authentik no realizar\u00e1 la verificaci\u00f3n PKCE. Debido a este error, un atacante puede eludir la protecci\u00f3n que ofrece PKCE, como los ataques CSRF y los ataques de inyecci\u00f3n de c\u00f3digo. 
Las versiones 2023.8.7 y 2023.10.7 solucionan el problema." } ], "id": "CVE-2024-23647", "lastModified": "2024-11-21T08:58:05.013", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-01-30T17:15:10.913", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": 
"en", "value": "CWE-287" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-03-04 01:15
Modified
2024-11-21 07:51
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Summary
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists that has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage to skip it when the flow is restored (by checking `request.context['is_restored']`), the flow is not affected by this. With this flow in place, an administrator must create a recovery link or send a recovery URL to the attacker, who can, due to improper validation of the created token, set the password for any account. Regardless, for custom recovery flows it is recommended to add a policy that checks if the flow is restored, and skips the identification stage. This issue has been fixed in versions 2023.2.3, 2023.1.3 and 2022.12.2.
References
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B39B737-14DF-4B5D-938C-338BD68EAD5B", "versionEndExcluding": "2022.12.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F75C81B-6266-4AAB-9EF0-C557B5A9C6BE", "versionEndIncluding": "2023.1.3", "versionStartExcluding": "2023.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "6663DCB6-5163-4576-AAC1-EFCBE0CEE0CD", "versionEndIncluding": "2023.2.3", "versionStartExcluding": "2023.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage to skip it when the flow is restored (by checking `request.context[\u0027is_restored\u0027]`), the flow is not affected by this. With this flow in place, an administrator must create a recovery Link or send a recovery URL to the attacker, who can, due to the improper validation of the token create, set the password for any account. Regardless, for custom recovery flows it is recommended to add a policy that checks if the flow is restored, and skips the identification stage. 
This issue has been fixed in versions 2023.2.3, 2023.1.3 and 2022.12.2.\n" } ], "id": "CVE-2023-26481", "lastModified": "2024-11-21T07:51:36.337", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-03-04T01:15:10.447", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-3xf5-pqvf-rqq3" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://goauthentik.io/docs/releases/2023.2#fixed-in-202323" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-3xf5-pqvf-rqq3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://goauthentik.io/docs/releases/2023.2#fixed-in-202323" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-345" } ], 
"source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-10-31 16:15
Modified
2024-11-21 08:28
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin user's password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. authentik 2023.8.4 and 2023.10.2 fix this issue. As a workaround, ensure the default admin user (username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and to store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin.
References
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "5889E9B4-DDA1-474A-A1AB-1483E2F5FDE8", "versionEndExcluding": "2023.8.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA3E7BC0-8AEE-4861-949A-86818D17DEFD", "versionEndExcluding": "2023.10.2", "versionStartIncluding": "2023.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users\u0027 password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. authentik 2023.8.4 and 2023.10.2 fix this issue. As a workaround, ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin." }, { "lang": "es", "value": "authentik es un proveedor de identidades de c\u00f3digo abierto. Antes de las versiones 2023.8.4 y 2023.10.2, cuando se eliminaba el usuario administrador predeterminado, era posible que un atacante estableciera la contrase\u00f1a del usuario administrador predeterminado sin ninguna autenticaci\u00f3n. 
authentik utiliza un modelo para crear el usuario administrador predeterminado, que tambi\u00e9n puede establecer opcionalmente la contrase\u00f1a de los usuarios administradores predeterminados desde una variable de entorno. Cuando se elimina el usuario, el flujo de \"configuraci\u00f3n inicial\" utilizado para configurar authentik despu\u00e9s de la primera instalaci\u00f3n vuelve a estar disponible. authentik 2023.8.4 y 2023.10.2 solucionan este problema. Como workaround, aseg\u00farese de que el usuario administrador predeterminado (nombre de usuario `akadmin`) exista y tenga una contrase\u00f1a establecida. Se recomienda utilizar una contrase\u00f1a muy segura para este usuario y guardarla en un lugar seguro como un administrador de contrase\u00f1as. Tambi\u00e9n es posible desactivar el usuario para evitar inicios de sesi\u00f3n como akaadmin." } ], "id": "CVE-2023-46249", "lastModified": "2024-11-21T08:28:09.997", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-10-31T16:15:09.853", "references": [ { "source": 
"security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-306" } ], "source": "nvd@nist.gov", "type": "Primary" 
} ] }
Vulnerability from fkie_nvd
Published
2024-09-27 16:15
Modified
2025-08-21 19:28
Severity ?
Summary
authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access. Anyone who has more than one proxy provider application with different trust domains or different access control is affected. Versions 2024.8.3 and 2024.6.5 fix the issue.
References
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "64784B4C-46C6-4F7A-947B-167A29072B70", "versionEndExcluding": "2024.6.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "424378D1-E5DB-446E-AC2A-05BF49F0EF44", "versionEndExcluding": "2024.8.3", "versionStartIncluding": "2024.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren\u0027t allowed to access. Anyone who has more than one proxy provider application with different trust domains or different access control is affected. Versions 2024.8.3 and 2024.6.5 fix the issue." }, { "lang": "es", "value": "authentik es un proveedor de identidad de c\u00f3digo abierto. Antes de las versiones 2024.8.3 y 2024.6.5, los tokens de acceso emitidos para una aplicaci\u00f3n pueden ser robados por esa aplicaci\u00f3n y utilizados para hacerse pasar por el usuario frente a cualquier otro proveedor de proxy. Adem\u00e1s, un usuario puede robar un token de acceso que se le emiti\u00f3 leg\u00edtimamente para una aplicaci\u00f3n y utilizarlo para acceder a otra aplicaci\u00f3n a la que no tiene permitido acceder. Cualquier persona que tenga m\u00e1s de una aplicaci\u00f3n de proveedor de proxy con diferentes dominios de confianza o diferentes controles de acceso se ve afectada. Las versiones 2024.8.3 y 2024.6.5 solucionan el problema." 
} ], "id": "CVE-2024-47077", "lastModified": "2025-08-21T19:28:20.653", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-09-27T16:15:06.043", "references": [ { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://github.com/goauthentik/authentik/blob/70b5a214f2e7205572f914aaf68682501b9f5945/authentik/providers/oauth2/views/introspection.py#L42-L51" }, { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://github.com/goauthentik/authentik/blob/70b5a214f2e7205572f914aaf68682501b9f5945/internal/outpost/proxyv2/application/auth_bearer.go#L30-L36" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/22e586bd8cdc3d1db8a0f18314d76f82371129b2" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/57a31b5dd16d4adce716b9878455c0d6f58155fe" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-03-28 15:15
Modified
2025-08-21 18:40
Severity ?
Summary
authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session, and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will, however, also delete all existing sessions, and users will have to re-authenticate.
References
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3104958-390A-4381-A349-4DABD54946A3", "versionEndExcluding": "2024.12.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "404872BD-F45D-49C0-AEC3-E47455908656", "versionEndExcluding": "2025.2.3", "versionStartIncluding": "2025.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate." }, { "lang": "es", "value": "Authentik es un proveedor de identidad de c\u00f3digo abierto. Antes de las versiones 2024.12.4 y 2025.2.3, cuando Authentik se configuraba para usar la base de datos para el almacenamiento de sesiones (una configuraci\u00f3n no predeterminada), la eliminaci\u00f3n de sesiones mediante la interfaz web o la API no revocaba la sesi\u00f3n y el titular de la sesi\u00f3n segu\u00eda teniendo acceso a Authentik. Las versiones 2025.2.3 y 2024.12.4 de Authentik solucionan este problema. Se recomienda cambiar al almacenamiento de sesiones en cach\u00e9 hasta que se pueda actualizar la instancia de Authentik. Sin embargo, esto tambi\u00e9n eliminar\u00e1 todas las sesiones existentes y los usuarios deber\u00e1n volver a autenticarse." 
} ], "id": "CVE-2025-29928", "lastModified": "2025-08-21T18:40:56.930", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-03-28T15:15:49.587", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/71294b7deb6eb5726a782de83b957eaf25fc4cf6" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-p6p8-f853-9g2p" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-384" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-09-27 16:15
Modified
2025-08-21 19:28
Severity ?
Summary
authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding an X-Forwarded-For header with an unparsable IP address, e.g. `a`. This results in a possibility of logging into any account with a known login or email address. The vulnerability requires the authentik instance to trust the X-Forwarded-For header provided by the attacker, thus it is not reproducible from external hosts on a properly configured environment. The issue occurs due to the password stage having a policy bound to it, which skips the password stage if the Identification stage is set up to also contain a password stage. Due to the invalid X-Forwarded-For header, which does not get validated to be an IP address early enough, the exception happens later and the policy fails. The default blueprint doesn't correctly set `failure_result` to `True` on the policy binding, meaning that due to this exception the policy returns false and the password stage is skipped. Versions 2024.8.3 and 2024.6.5 fix this issue.
References
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "64784B4C-46C6-4F7A-947B-167A29072B70", "versionEndExcluding": "2024.6.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "424378D1-E5DB-446E-AC2A-05BF49F0EF44", "versionEndExcluding": "2024.8.3", "versionStartIncluding": "2024.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. `a`. This results in a possibility of logging into any account with a known login or email address. The vulnerability requires the authentik instance to trust X-Forwarded-For header provided by the attacker, thus it is not reproducible from external hosts on a properly configured environment. The issue occurs due to the password stage having a policy bound to it, which skips the password stage if the Identification stage is setup to also contain a password stage. Due to the invalid X-Forwarded-For header, which does not get validated to be an IP Address early enough, the exception happens later and the policy fails. The default blueprint doesn\u0027t correctly set `failure_result` to `True` on the policy binding meaning that due to this exception the policy returns false and the password stage is skipped. Versions 2024.8.3 and 2024.6.5 fix this issue." }, { "lang": "es", "value": "authentik es un proveedor de identidad de c\u00f3digo abierto. Una vulnerabilidad que existe en versiones anteriores a 2024.8.3 y 2024.6.5 permite omitir el inicio de sesi\u00f3n con contrase\u00f1a agregando el encabezado X-Forwarded-For con una direcci\u00f3n IP que no se puede analizar, por ejemplo, `a`. 
Esto genera la posibilidad de iniciar sesi\u00f3n en cualquier cuenta con un nombre de usuario o una direcci\u00f3n de correo electr\u00f3nico conocidos. La vulnerabilidad requiere que la instancia de authentik conf\u00ede en el encabezado X-Forwarded-For proporcionado por el atacante, por lo que no es reproducible desde hosts externos en un entorno configurado correctamente. El problema ocurre debido a que la etapa de contrase\u00f1a tiene una pol\u00edtica vinculada a ella, que omite la etapa de contrase\u00f1a si la etapa de identificaci\u00f3n est\u00e1 configurada para contener tambi\u00e9n una etapa de contrase\u00f1a. Debido al encabezado X-Forwarded-For no v\u00e1lido, que no se valida como una direcci\u00f3n IP con la suficiente anticipaci\u00f3n, la excepci\u00f3n ocurre m\u00e1s tarde y la pol\u00edtica falla. El modelo predeterminado no establece correctamente `failure_result` en `True` en el enlace de pol\u00edtica, lo que significa que debido a esta excepci\u00f3n, la pol\u00edtica devuelve falso y se omite la etapa de contrase\u00f1a. Las versiones 2024.8.3 y 2024.6.5 solucionan este problema." 
} ], "id": "CVE-2024-47070", "lastModified": "2025-08-21T19:28:44.253", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-09-27T16:15:05.413", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/78f7b04d5a62b2a9d4316282a713c2c7857dbe29" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/dd8f809161e738b25765797eb2a5c77a7d3fc2cf" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2022-12-28 07:15
Modified
2024-11-21 07:30
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Summary
authentik is an open-source Identity provider focused on flexibility and versatility. In versions prior to 2022.10.4, and 2022.11.4, any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where it is undesirable for users to create new accounts by themselves. This may also affect other applications as these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into as no password reset exists by default. However password resets are likely to be enabled by most installations. This vulnerability pertains to the user context used in the default-user-settings-flow, /api/v3/flows/instances/default-user-settings-flow/execute/. This issue has been fixed in versions 2022.10.4 and 2022.11.4.
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/goauthentik/authentik/security/advisories/GHSA-hv8r-6w7p-mpc5 | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/security/advisories/GHSA-hv8r-6w7p-mpc5 | Exploit, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "99BE347E-A6BA-42EA-98CE-AFAE2F5D4A37", "versionEndExcluding": "2022.10.4", "versionStartIncluding": "2022.10.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F1325E1-8B8D-4E34-A443-646C43280671", "versionEndExcluding": "2022.11.4", "versionStartIncluding": "2022.11.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity provider focused on flexibility and versatility. In versions prior to 2022.10.4, and 2022.11.4, any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where it is undesirable for users to create new accounts by themselves. This may also affect other applications as these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into as no password reset exists by default. However password resets are likely to be enabled by most installations. This vulnerability pertains to the user context used in the default-user-settings-flow, /api/v3/flows/instances/default-user-settings-flow/execute/. This issue has been fixed in versions 2022.10.4 and 2022.11.4." }, { "lang": "es", "value": "authentik es un proveedor de identidad de c\u00f3digo abierto centrado en la flexibilidad y la versatilidad. En versiones anteriores a 2022.10.4 y 2022.11.4, cualquier usuario autenticado puede crear una cantidad arbitraria de cuentas a trav\u00e9s de los flujos predeterminados. Esto omitir\u00eda cualquier pol\u00edtica en una situaci\u00f3n en la que no sea deseable que los usuarios creen nuevas cuentas por s\u00ed mismos. 
Esto tambi\u00e9n puede afectar a otras aplicaciones, ya que estas nuevas cuentas b\u00e1sicas existir\u00edan en toda la infraestructura de SSO. De forma predeterminada, no se puede iniciar sesi\u00f3n en las cuentas reci\u00e9n creadas ya que no existe ning\u00fan restablecimiento de contrase\u00f1a. Sin embargo, es probable que la mayor\u00eda de las instalaciones habiliten el restablecimiento de contrase\u00f1as. Esta vulnerabilidad pertenece al contexto de usuario utilizado en el flujo de configuraci\u00f3n de usuario predeterminado, /api/v3/flows/instances/default-user-settings-flow/execute/. Este problema se solucion\u00f3 en las versiones 2022.10.4 y 2022.11.4." } ], "id": "CVE-2022-46172", "lastModified": "2024-11-21T07:30:15.367", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-12-28T07:15:07.833", "references": [ { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hv8r-6w7p-mpc5" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hv8r-6w7p-mpc5" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" }, { "lang": "en", "value": "CWE-287" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-269" }, { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-11-21 18:15
Modified
2025-08-21 19:21
Severity ?
Summary
authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue.
References
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2D6FAD6-4BD7-49C5-91B2-617B941B0A8A", "versionEndExcluding": "2024.8.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "132F56EF-21BE-4A30-BCEA-516701EB7F30", "versionEndExcluding": "2024.10.3", "versionStartIncluding": "2024.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven\u0027t been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue." }, { "lang": "es", "value": "authentik es un proveedor de identidad de c\u00f3digo abierto. Al usar las concesiones OAuth client_credentials o device_code, era posible que un atacante obtuviera un token de authentik con \u00e1mbitos que no se hab\u00edan configurado en authentik. authentik 2024.8.5 y 2024.10.3 solucionan este problema." 
} ], "id": "CVE-2024-52287", "lastModified": "2025-08-21T19:21:32.553", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", 
"vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-11-21T18:15:11.570", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/e9c29e1644e9199b4ba58d2b10eb8c322138eea2" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-v6m7-8j37-8f4v" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-285" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2022-12-28 01:15
Modified
2024-11-21 06:48
Severity ?
9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing to signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it's a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used. This issue is patched in authentik 2022.11.4,2022.10.4 and 2022.12.0. Only configurations that use invitations and have multiple enrollment flows with invitation stages that grant different permissions are affected. The default configuration is not vulnerable, and neither are configurations with a single enrollment flow. As a workaround, fixed data can be added to invitations which can be checked in the flow to deny requests. Alternatively, an identifier with high entropy (like a UUID) can be used as flow slug, mitigating the attack vector by exponentially decreasing the possibility of discovering other flows.
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h | Exploit, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "12A5674E-2BD7-4C86-9748-0080DC1D8DE3", "versionEndExcluding": "2022.10.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F1325E1-8B8D-4E34-A443-646C43280671", "versionEndExcluding": "2022.11.4", "versionStartIncluding": "2022.11.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing to signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it\u0027s a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used. This issue is patched in authentik 2022.11.4,2022.10.4 and 2022.12.0. Only configurations that use invitations and have multiple enrollment flows with invitation stages that grant different permissions are affected. The default configuration is not vulnerable, and neither are configurations with a single enrollment flow. As a workaround, fixed data can be added to invitations which can be checked in the flow to deny requests. 
Alternatively, an identifier with high entropy (like a UUID) can be used as flow slug, mitigating the attack vector by exponentially decreasing the possibility of discovering other flows." }, { "lang": "es", "value": "authentik es un proveedor de identidades de c\u00f3digo abierto centrado en la flexibilidad y la versatilidad. Las versiones anteriores a 2022.11.4 y 2022.10.4 son vulnerables a una autenticaci\u00f3n incorrecta. La reutilizaci\u00f3n de tokens en las URL de invitaci\u00f3n conduce a eludir el control de acceso mediante el uso de un flujo de inscripci\u00f3n diferente al proporcionado. La vulnerabilidad permite a un atacante que conoce diferentes nombres de flujos de invitaci\u00f3n (por ejemplo, `inscripci\u00f3n-invitaci\u00f3n-prueba` y `inscripci\u00f3n-invitaci\u00f3n-admin`) a trav\u00e9s de diferentes enlaces de invitaci\u00f3n o mediante fuerza bruta registrarse a trav\u00e9s de una \u00fanica URL de invitaci\u00f3n para cualquier enlace de invitaci\u00f3n v\u00e1lido recibido (incluso puede ser una URL para un tercer flujo siempre que sea una invitaci\u00f3n v\u00e1lida), ya que el token utilizado en la secci\u00f3n \"Invitaciones\" de la interfaz de administraci\u00f3n NO cambia cuando se selecciona un \"flujo de inscripci\u00f3n\" diferente a trav\u00e9s de la interfaz y NO est\u00e1 vinculado al flujo seleccionado, por lo que ser\u00e1 v\u00e1lido para cualquier flujo cuando se utilice. Este problema se solucion\u00f3 en authentik 2022.11.4,2022.10.4 y 2022.12.0. Solo se ven afectadas las configuraciones que usan invitaciones y tienen m\u00faltiples flujos de inscripci\u00f3n con etapas de invitaci\u00f3n que otorgan diferentes permisos. La configuraci\u00f3n predeterminada no es vulnerable, como tampoco lo son las configuraciones con un \u00fanico flujo de inscripci\u00f3n. Como workaround, se pueden agregar datos fijos a las invitaciones que se pueden verificar en el flujo para rechazar solicitudes. 
Alternativamente, se puede utilizar un identificador con alta entrop\u00eda (como un UUID) como flow slug, mitigando el vector de ataque al disminuir exponencialmente la posibilidad de descubrir otros flujos." } ], "id": "CVE-2022-23555", "lastModified": "2024-11-21T06:48:48.257", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-12-28T01:15:10.133", "references": [ { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-06-28 18:15
Modified
2025-08-21 16:14
Severity ?
Summary
authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including resetting user passwords and more. This issue has been patched in version(s) 2024.2.4, 2024.4.2 and 2024.6.0.
References
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED1F1937-A547-440E-8D37-5830973FDB91", "versionEndExcluding": "2024.2.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB436255-F93A-4090-96AE-3AF72C6F68E2", "versionEndExcluding": "2024.4.3", "versionStartIncluding": "2024.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including resetting user passwords and more. This issue has been patched in version(s) 2024.2.4, 2024.4.2 and 2024.6.0.\n" }, { "lang": "es", "value": "authentik es un proveedor de identidades de c\u00f3digo abierto que enfatiza la flexibilidad y la versatilidad. El mecanismo Authentik API-Access-Token se puede explotar para obtener privilegios de usuario administrador. Una explotaci\u00f3n exitosa del problema dar\u00e1 como resultado que un usuario obtenga acceso de administrador completo a la aplicaci\u00f3n Authentik, incluido el restablecimiento de contrase\u00f1as de usuario y m\u00e1s. Este problema se solucion\u00f3 en las versiones 2024.2.4, 2024.4.2 y 2024.6.0." 
} ], "id": "CVE-2024-37905", "lastModified": "2025-08-21T16:14:04.573", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-06-28T18:15:04.400", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4" } ], "sourceIdentifier": 
"security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-284" }, { "lang": "en", "value": "CWE-863" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2024-11-21 18:15
Modified
2025-08-21 19:19
Severity ?
Summary
authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly. authentik 2024.8.5 and 2024.10.3 fix this issue. Since the /-/metrics/ endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik.
References
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2D6FAD6-4BD7-49C5-91B2-617B941B0A8A", "versionEndExcluding": "2024.8.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "132F56EF-21BE-4A30-BCEA-516701EB7F30", "versionEndExcluding": "2024.10.3", "versionStartIncluding": "2024.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly. authentik 2024.8.5 and 2024.10.3 fix this issue. Since the /-/metrics/ endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik." }, { "lang": "es", "value": "authentik es un proveedor de identidad de c\u00f3digo abierto. Debido al uso de una comparaci\u00f3n de tiempo no constante para el endpoint /-/metrics/, fue posible forzar la SECRET_KEY, que se utiliza para autenticar el endpoint. El endpoint /-/metrics/ devuelve m\u00e9tricas de Prometheus y no est\u00e1 destinado a ser accedido directamente, ya que el proxy Go que se ejecuta en el contenedor del servidor authentik obtiene datos de este endpoint y los entrega en un puerto separado (9300 de manera predeterminada), que Prometheus puede extraer sin exponerlo p\u00fablicamente. authentik 2024.8.5 y 2024.10.3 solucionan este problema. 
Dado que el endpoint /-/metrics/ no est\u00e1 destinado a ser accedido p\u00fablicamente, las solicitudes al endpoint pueden ser bloqueadas por el proxy inverso/balanceador de carga utilizado junto con authentik." } ], "id": "CVE-2024-52307", "lastModified": "2025-08-21T19:19:21.840", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-11-21T18:15:12.443", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/5ea4580884f99369f0ccfe484c04cb03a66e65b8" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory", "Mitigation" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-2xrw-5f2x-m56j" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://www.openwall.com/lists/oss-security/2024/11/27/1" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-208" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-02-04 14:15
Modified
2025-08-21 18:41
Severity ?
Summary
Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons.
This action could only be performed by an authenticated admin user.
The issue was fixed in 2024.10.4 release.
References
Source | URL | Tags
---|---|---
cvd@cert.pl | https://cert.pl/en/posts/2025/02/CVE-2024-11623/ | Third Party Advisory
cvd@cert.pl | https://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability | Vendor Advisory
cvd@cert.pl | https://github.com/goauthentik/authentik/pull/12092 | Issue Tracking, Patch
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE680A3E-3961-45F9-BB43-BA7AE7825398", "versionEndExcluding": "2024.10.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Authentik project is vulnerable to Stored XSS attacks through\u00a0uploading crafted SVG files that are used as application icons.\u00a0\nThis action could only be performed by an authenticated admin user.\nThe issue was fixed in\u00a02024.10.4 release." }, { "lang": "es", "value": "El proyecto Authentik es vulnerable a ataques XSS almacenado mediante la carga de archivos SVG manipulados espec\u00edficamente para usarse como \u00edconos de aplicaciones. Esta acci\u00f3n solo la puede realizar un usuario administrador autenticado. El problema se solucion\u00f3 en la versi\u00f3n 2024.10.4." } ], "id": "CVE-2024-11623", "lastModified": "2025-08-21T18:41:13.607", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "cvd@cert.pl", "type": "Secondary" } ] }, "published": "2025-02-04T14:15:30.480", "references": [ { "source": "cvd@cert.pl", "tags": [ "Third Party Advisory" ], "url": "https://cert.pl/en/posts/2025/02/CVE-2024-11623/" }, { "source": "cvd@cert.pl", "tags": [ "Vendor Advisory" ], "url": "https://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability" }, { "source": "cvd@cert.pl", "tags": [ "Issue Tracking", "Patch" ], "url": "https://github.com/goauthentik/authentik/pull/12092" } ], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "cvd@cert.pl", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-07-23 21:15
Modified
2025-08-21 18:35
Summary
authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but, crucially, they can authorize applications if they know the URL of the application. To work around this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression `return request.context["pending_user"].is_active`. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "B67336A3-1BC2-473D-98B4-FAAC2D013B30", "versionEndExcluding": "2025.4.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "644FC67A-CE30-4952-B9FA-2BE2DC6E9582", "versionEndExcluding": "2025.6.4", "versionStartIncluding": "2025.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. To workaround this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression of return request.context[\"pending_user\"].is_active. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4." }, { "lang": "es", "value": "authentik es un proveedor de identidad de c\u00f3digo abierto que prioriza la flexibilidad y la versatilidad, compatible con una amplia gama de protocolos. 
En las versiones 2025.4.4 y anteriores, as\u00ed como en las versiones 2025.6.0-rc1 a 2025.6.3, los usuarios desactivados que se registraron mediante OAuth/SAML o vincularon sus cuentas a proveedores de OAuth/SAML a\u00fan pueden conservar acceso parcial al sistema a pesar de que sus cuentas est\u00e9n desactivadas. Al final, se encuentran en un estado de autenticaci\u00f3n parcial, donde no pueden acceder a la API, pero, fundamentalmente, pueden autorizar aplicaciones si conocen la URL de la aplicaci\u00f3n. Para solucionar este problema, los desarrolladores pueden agregar una pol\u00edtica de expresi\u00f3n a la etapa de inicio de sesi\u00f3n del usuario en el flujo de autenticaci\u00f3n correspondiente con la expresi\u00f3n `return request.context[\"pending_user\"].is_active`. Esta modificaci\u00f3n garantiza que la declaraci\u00f3n `return` solo active la etapa de inicio de sesi\u00f3n del usuario cuando este est\u00e9 activo. Este problema se solucion\u00f3 en las versiones authentik 2025.4.4 y 2025.6.4." 
} ], "id": "CVE-2025-53942", "lastModified": "2025-08-21T18:35:27.017", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", 
"vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-07-23T21:15:26.777", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/c3629d12bfe3d32d3dc8f85c0ee1f087a55dde8f" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/ce3f9e3763c1778bf3a16b98c95d10f4091436ab" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9g4j-v8w5-7x42" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-08-22 16:15
Modified
2025-08-21 19:29
Summary
authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs/<uuid>/view_certificate/, /api/v3/crypto/certificatekeypairs/<uuid>/view_private_key/, and /api/v3/.../used_by/. Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable. authentik 2024.4.4, 2024.6.4 and 2024.8.0 fix this issue.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F1C215F-F622-4D62-B101-18D37540F911", "versionEndExcluding": "2024.4.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0F1E4F3-409D-43EF-A80E-D0FD8E9DA6B1", "versionEndExcluding": "2024.6.4", "versionStartIncluding": "2024.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs/\u003cuuid\u003e/view_certificate/, /api/v3/crypto/certificatekeypairs/\u003cuuid\u003e/view_private_key/, and /api/v3/.../used_by/. Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable. authentik 2024.4.4, 2024.6.4 and 2024.8.0 fix this issue." }, { "lang": "es", "value": "authentik es un proveedor de identidades de c\u00f3digo abierto. Los usuarios pueden acceder a varios endpoints de API sin la autenticaci\u00f3n/autorizaci\u00f3n correcta. Los principales endpoints de API afectados por esto son /api/v3/crypto/certificatekeypairs//view_certificate/, /api/v3/crypto/certificatekeypairs//view_private_key/ y /api/v3/.../ used_by/. Tenga en cuenta que todos los endpoints de API afectados requieren el conocimiento del ID de un objeto, que, especialmente en el caso de los certificados, no es accesible para un usuario sin privilegios. Adem\u00e1s, los ID de la mayor\u00eda de los objetos son UUIDv4, lo que significa que no son f\u00e1ciles de adivinar ni enumerar. 
authentik 2024.4.4, 2024.6.4 y 2024.8.0 solucionan este problema." } ], "id": "CVE-2024-42490", "lastModified": "2025-08-21T19:29:02.483", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-08-22T16:15:09.117", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/19318d4c00bb02c4ec3c4f8f15ac2e1dbe8d846c" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/359b343f51524342a5ca03828e7c975a1d654b11" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qxqc-27pr-wgc8" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-285" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-06-27 15:15
Modified
2025-08-21 18:39
Summary
authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection; however, this check is missing in versions prior to 2025.6.3 and 2025.4.3. When, for example, using RAC during a screenshare, a malicious user could access the same session by copying the URL from the shown browser. authentik 2025.4.3 and 2025.6.3 fix this issue. As a workaround, it is recommended to decrease the duration a token is valid for (in the RAC Provider settings, set Connection expiry to `minutes=5` for example). The maintainers of authentik also recommend enabling the option Delete authorization on disconnect.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "16A84A7A-BC77-42EF-814C-150D3C7699AF", "versionEndExcluding": "2025.4.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "B47F1591-60C9-43F2-AC9D-F2FE0A51BAA8", "versionEndExcluding": "2025.6.3", "versionStartIncluding": "2025.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, however this check is missing in versions prior to 2025.6.3 and 2025.4.3. When, for example, using RAC during a screenshare, a malicious user could access the same session by copying the URL from the shown browser. authentik 2025.4.3 and 2025.6.3 fix this issue. As a workaround, it is recommended to decrease the duration a token is valid for (in the RAC Provider settings, set Connection expiry to `minutes=5` for example). The maintainers of authentik also recommend enabling the option Delete authorization on disconnect." }, { "lang": "es", "value": "Authentik es un proveedor de identidad de c\u00f3digo abierto. Tras autorizar el acceso a un endpoint RAC, Authentik crea un token que se utiliza para una \u00fanica conexi\u00f3n y se env\u00eda al cliente en la URL. Este token est\u00e1 dise\u00f1ado para ser v\u00e1lido \u00fanicamente durante la sesi\u00f3n del usuario que autoriz\u00f3 la conexi\u00f3n; sin embargo, esta comprobaci\u00f3n no est\u00e1 disponible en versiones anteriores a 2025.6.3 y 2025.4.3. 
Por ejemplo, al usar RAC durante una pantalla compartida, un usuario malintencionado podr\u00eda acceder a la misma sesi\u00f3n copiando la URL del navegador mostrado. Authentik 2025.4.3 y 2025.6.3 soluciona este problema. Como soluci\u00f3n alternativa, se recomienda reducir la validez de un token (por ejemplo, en la configuraci\u00f3n del proveedor RAC, establezca la caducidad de la conexi\u00f3n en `minutos=5`). Los desarrolladores de Authentik tambi\u00e9n recomiendan habilitar la opci\u00f3n \"Eliminar autorizaci\u00f3n al desconectar\"." } ], "id": "CVE-2025-52553", "lastModified": "2025-08-21T18:39:24.357", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-06-27T15:15:25.143", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/0e07414e9739b318cff9401a413a5fe849545325" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/65373ab21711d58147b5cb9276c5b5876baaa5eb" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/7100d3c6741853f1cfe3ea2073ba01823ab55caa" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-wr3v-9p2c-chx7" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-11-21 18:15
Modified
2025-08-21 19:19
Summary
authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.
When no Redirect URIs are configured in a provider, authentik will automatically use the first redirect_uri value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either. Given a provider with the Redirect URIs set to https://foo.example.com, an attacker can register a domain fooaexample.com, and it will pass validation. authentik 2024.8.5 and 2024.10.3 fix this issue. As a workaround, when configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace `.` with `\.`.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | *
goauthentik | authentik | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2D6FAD6-4BD7-49C5-91B2-617B941B0A8A", "versionEndExcluding": "2024.8.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "132F56EF-21BE-4A30-BCEA-516701EB7F30", "versionEndExcluding": "2024.10.3", "versionStartIncluding": "2024.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.\nWhen no Redirect URIs are configured in a provider, authentik will automatically use the first redirect_uri value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either. Given a provider with the Redirect URIs set to https://foo.example.com, an attacker can register a domain fooaexample.com, and it will correctly pass validation. authentik 2024.8.5 and 2024.10.3 fix this issue. As a workaround, When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace `.` with `\\.`." }, { "lang": "es", "value": "authentik es un proveedor de identidad de c\u00f3digo abierto. Las URI de redireccionamiento en el proveedor OAuth2 en authentik se verifican mediante una comparaci\u00f3n de RegEx. Cuando no se configuran URI de redireccionamiento en un proveedor, authentik usar\u00e1 autom\u00e1ticamente el primer valor redirect_uri recibido como una URI de redireccionamiento permitida, sin escapar caracteres que tengan un significado especial en RegEx. De manera similar, la documentaci\u00f3n tampoco tom\u00f3 esto en consideraci\u00f3n. 
Dado un proveedor con las URI de redireccionamiento configuradas en https://foo.example.com, un atacante puede registrar un dominio fooaexample.com y pasar\u00e1 la validaci\u00f3n correctamente. authentik 2024.8.5 y 2024.10.3 solucionan este problema. Como workaround, al configurar proveedores OAuth2, aseg\u00farese de escapar cualquier car\u00e1cter comod\u00edn que no est\u00e9 destinado a funcionar como comod\u00edn, por ejemplo, reemplace `.` con `\\.`." } ], "id": "CVE-2024-52289", "lastModified": "2025-08-21T19:19:56.957", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": 
"NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-11-21T18:15:12.060", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/goauthentik/authentik/commit/85bb638243c8d7ea42ddd3b15b3f51a90d2b8c54" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-3q5w-6m3x-64gj" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-185" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
CVE-2024-47077 (GCVE-0-2024-47077)
Vulnerability from cvelistv5
Published
2024-09-27 15:26
Modified
2024-09-27 17:51
CWE
- CWE-863 - Incorrect Authorization
Summary
authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access. Anyone who has more than one proxy provider application with different trust domains or different access control is affected. Versions 2024.8.3 and 2024.6.5 fix the issue.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | >= 2024.8.0-rc1, < 2024.8.3
goauthentik | authentik | < 2024.6.5
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-47077", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-27T17:51:09.819697Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-27T17:51:19.674Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003e= 2024.8.0-rc1, \u003c 2024.8.3" }, { "status": "affected", "version": "\u003c 2024.6.5" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren\u0027t allowed to access. Anyone who has more than one proxy provider application with different trust domains or different access control is affected. Versions 2024.8.3 and 2024.6.5 fix the issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-27T15:26:20.683Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9" }, { "name": "https://github.com/goauthentik/authentik/commit/22e586bd8cdc3d1db8a0f18314d76f82371129b2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/22e586bd8cdc3d1db8a0f18314d76f82371129b2" }, { "name": "https://github.com/goauthentik/authentik/commit/57a31b5dd16d4adce716b9878455c0d6f58155fe", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/57a31b5dd16d4adce716b9878455c0d6f58155fe" }, { "name": "https://github.com/goauthentik/authentik/blob/70b5a214f2e7205572f914aaf68682501b9f5945/authentik/providers/oauth2/views/introspection.py#L42-L51", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/blob/70b5a214f2e7205572f914aaf68682501b9f5945/authentik/providers/oauth2/views/introspection.py#L42-L51" }, { "name": "https://github.com/goauthentik/authentik/blob/70b5a214f2e7205572f914aaf68682501b9f5945/internal/outpost/proxyv2/application/auth_bearer.go#L30-L36", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/goauthentik/authentik/blob/70b5a214f2e7205572f914aaf68682501b9f5945/internal/outpost/proxyv2/application/auth_bearer.go#L30-L36" } ], "source": { "advisory": "GHSA-8gfm-pr6x-pfh9", "discovery": "UNKNOWN" }, "title": "authentik cross-provider token validation problems" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-47077", "datePublished": "2024-09-27T15:26:20.683Z", "dateReserved": "2024-09-17T17:42:37.030Z", "dateUpdated": "2024-09-27T17:51:19.674Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-37905 (GCVE-0-2024-37905)
Vulnerability from cvelistv5
Published
2024-06-28 17:09
Modified
2024-08-02 04:04
Summary
authentik is an open-source Identity Provider that emphasizes flexibility and versatility. The authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the authentik application, including resetting user passwords and more. This issue has been patched in version(s) 2024.2.4, 2024.4.2 and 2024.6.0.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2024.6.0
goauthentik | authentik | < 2024.4.2
goauthentik | authentik | < 2024.2.4
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "authentik", "vendor": "goauthentik", "versions": [ { "lessThan": "2024.6.0", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2024.4.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2024.2.4", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-37905", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-07-02T17:03:36.338117Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-02T17:10:49.903Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:04:23.359Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0" } ], "title": 
"CVE Program Container" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2024.6.0" }, { "status": "affected", "version": "\u003c 2024.4.2" }, { "status": "affected", "version": "\u003c 2024.2.4" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including resetting user passwords and more. This issue has been patched in version(s) 2024.2.4, 2024.4.2 and 2024.6.0.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-28T17:09:24.090Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4" }, { "name": 
"https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0" } ], "source": { "advisory": "GHSA-c78c-2r9w-p7x4", "discovery": "UNKNOWN" }, "title": "Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-37905", "datePublished": "2024-06-28T17:09:24.090Z", "dateReserved": "2024-06-10T19:54:41.362Z", "dateUpdated": "2024-08-02T04:04:23.359Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-29928 (GCVE-0-2025-29928)
Vulnerability from cvelistv5
Published
2025-03-28 14:42
Modified
2025-03-28 15:41
CWE
- CWE-384 - Session Fixation
Summary
authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2024.12.4; < 2025.2.3
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-29928", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-28T15:41:23.096500Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-28T15:41:39.773Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2024.12.4" }, { "status": "affected", "version": "\u003c 2025.2.3" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-384", "description": "CWE-384: Session Fixation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-28T14:42:39.542Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-p6p8-f853-9g2p", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-p6p8-f853-9g2p" }, { "name": "https://github.com/goauthentik/authentik/commit/71294b7deb6eb5726a782de83b957eaf25fc4cf6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/71294b7deb6eb5726a782de83b957eaf25fc4cf6" } ], "source": { "advisory": "GHSA-p6p8-f853-9g2p", "discovery": "UNKNOWN" }, "title": "authentik\u0027s deletion of sessions did not revoke sessions when using database session storage" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-29928", "datePublished": "2025-03-28T14:42:39.542Z", "dateReserved": "2025-03-12T13:42:22.136Z", "dateUpdated": "2025-03-28T15:41:39.773Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-21637 (GCVE-0-2024-21637)
Vulnerability from cvelistv5
Published
2024-01-11 05:49
Modified
2025-06-17 21:09
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Authentik is an open-source Identity Provider. Authentik is vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with `response_mode=form_post`. This relatively user could use the described attacks to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 2023.8.6.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | <= 2023.10.5; <= 2023.8.5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:36.087Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjpr-7w8c-gv3j", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjpr-7w8c-gv3j" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.6", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.6" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-21637", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-01-11T15:41:43.872045Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-17T21:09:15.907Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c= 2023.10.5" }, { "status": "affected", "version": "\u003c= 2023.8.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Authentik is an open-source Identity Provider. Authentik is a vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with `response_mode=form_post`. This relatively user could use the described attacks to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 2023.8.6." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-11T05:49:44.123Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjpr-7w8c-gv3j", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjpr-7w8c-gv3j" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.6" } ], "source": { "advisory": "GHSA-rjpr-7w8c-gv3j", "discovery": "UNKNOWN" }, "title": "XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-21637", "datePublished": "2024-01-11T05:49:44.123Z", "dateReserved": "2023-12-29T03:00:44.957Z", "dateUpdated": "2025-06-17T21:09:15.907Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-42490 (GCVE-0-2024-42490)
Vulnerability from cvelistv5
Published
2024-08-22 15:34
Modified
2024-08-22 16:04
CWE
- CWE-285 - Improper Authorization
Summary
authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs/<uuid>/view_certificate/, /api/v3/crypto/certificatekeypairs/<uuid>/view_private_key/, and /api/v3/.../used_by/. Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable. authentik 2024.4.4, 2024.6.4 and 2024.8.0 fix this issue.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2024.4.4; >= 2024.6.0-rc1, < 2024.6.4
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-42490", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-22T16:04:13.415208Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-22T16:04:32.442Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2024.4.4" }, { "status": "affected", "version": "\u003e= 2024.6.0-rc1, \u003c 2024.6.4" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs/\u003cuuid\u003e/view_certificate/, /api/v3/crypto/certificatekeypairs/\u003cuuid\u003e/view_private_key/, and /api/v3/.../used_by/. Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable. authentik 2024.4.4, 2024.6.4 and 2024.8.0 fix this issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T15:34:45.815Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qxqc-27pr-wgc8", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-qxqc-27pr-wgc8" }, { "name": "https://github.com/goauthentik/authentik/commit/19318d4c00bb02c4ec3c4f8f15ac2e1dbe8d846c", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/19318d4c00bb02c4ec3c4f8f15ac2e1dbe8d846c" }, { "name": "https://github.com/goauthentik/authentik/commit/359b343f51524342a5ca03828e7c975a1d654b11", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/359b343f51524342a5ca03828e7c975a1d654b11" } ], "source": { "advisory": "GHSA-qxqc-27pr-wgc8", "discovery": "UNKNOWN" }, "title": "authentik has Insufficient Authorization for several API endpoints" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-42490", "datePublished": "2024-08-22T15:34:45.815Z", "dateReserved": "2024-08-02T14:13:04.618Z", "dateUpdated": "2024-08-22T16:04:32.442Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-46249 (GCVE-0-2023-46249)
Vulnerability from cvelistv5
Published
2023-10-31 15:20
Modified
2024-09-05 15:55
CWE
- CWE-287 - Improper Authentication
Summary
authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin user's password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. authentik 2023.8.4 and 2023.10.2 fix this issue. As a workaround, ensure the default admin user (username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2023.8.4; >= 2023.10.0, < 2023.10.2
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:37:40.163Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w" }, { "name": "https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0" }, { "name": "https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "authentik", "vendor": "goauthentik", "versions": [ { "lessThan": "2023.10.2", "status": "affected", "version": "2023.10.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-46249", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-05T15:53:19.845105Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { 
"dateUpdated": "2024-09-05T15:55:53.846Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2023.8.4" }, { "status": "affected", "version": "\u003e= 2023.10.0, \u003c 2023.10.2" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users\u0027 password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. authentik 2023.8.4 and 2023.10.2 fix this issue. As a workaround, ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-31T15:20:35.166Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w" }, { "name": "https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0" }, { "name": "https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4" } ], "source": { "advisory": "GHSA-rjvp-29xq-f62w", "discovery": "UNKNOWN" }, "title": "authentik potential installation takeover when default admin user is deleted" } }, "cveMetadata": { "assignerOrgId": 
"a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-46249", "datePublished": "2023-10-31T15:20:35.166Z", "dateReserved": "2023-10-19T20:34:00.948Z", "dateUpdated": "2024-09-05T15:55:53.846Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-48228 (GCVE-0-2023-48228)
Vulnerability from cvelistv5
Published
2023-11-21 20:48
Modified
2024-08-02 21:23
CWE
- CWE-287 - Improper Authentication
Summary
authentik is an open-source identity provider. When initialising an OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check that a matching `code_verifier` exists during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks whether the contents of `code_verifier` match only when it is provided. When it is left out completely, authentik simply accepts the token request without it, even when the flow was started with a `code_challenge`. authentik 2023.8.5 and 2023.10.4 fix this issue.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2023.10.4; < 2023.8.5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:23:39.088Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3" }, { "name": "https://github.com/goauthentik/authentik/pull/7666", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/pull/7666" }, { "name": "https://github.com/goauthentik/authentik/pull/7668", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/pull/7668" }, { "name": "https://github.com/goauthentik/authentik/pull/7669", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/pull/7669" }, { "name": "https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6" }, { "name": "https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5" }, { "name": "https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14" }, { "name": "https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": 
"https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2023.10.4" }, { "status": "affected", "version": "\u003c 2023.8.5" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. When initialising a oauth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check if there is a matching and existing `code_verifier` during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks if the contents of `code_verifier` is matching only when it is provided. When it is left out completely, authentik simply accepts the token request with out it; even when the flow was started with a `code_challenge`. authentik 2023.8.5 and 2023.10.4 fix this issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-21T20:48:32.552Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3" }, { "name": "https://github.com/goauthentik/authentik/pull/7666", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/pull/7666" }, { "name": "https://github.com/goauthentik/authentik/pull/7668", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/pull/7668" }, { "name": "https://github.com/goauthentik/authentik/pull/7669", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/pull/7669" }, { "name": "https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6" }, { "name": "https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5" }, { "name": "https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14", "tags": [ "x_refsource_MISC" ], 
"url": "https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14" }, { "name": "https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5" } ], "source": { "advisory": "GHSA-fm34-v8xq-f2c3", "discovery": "UNKNOWN" }, "title": "OAuth2: PKCE can be fully circumvented" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-48228", "datePublished": "2023-11-21T20:48:32.552Z", "dateReserved": "2023-11-13T13:25:18.481Z", "dateUpdated": "2024-08-02T21:23:39.088Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-11623 (GCVE-0-2024-11623)
Vulnerability from cvelistv5
Published
2025-02-04 13:34
Modified
2025-02-12 17:10
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
The Authentik project is vulnerable to stored XSS attacks through uploading crafted SVG files that are used as application icons.
This action could only be performed by an authenticated admin user.
The issue was fixed in the 2024.10.4 release.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | 0 < 2024.10.4
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-11623", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-04T14:05:36.465208Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-12T17:10:12.746Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "authentik", "repo": "https://github.com/goauthentik/authentik", "vendor": "goauthentik", "versions": [ { "lessThan": "2024.10.4", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Daniel Basta (NASK-PIB)" } ], "datePublic": "2025-02-04T11:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Authentik project is vulnerable to Stored XSS attacks through\u0026nbsp;uploading crafted SVG files that are used as application icons.\u0026nbsp;\u003cbr\u003eThis action could only be performed by an authenticated admin user.\u003cbr\u003eThe issue was fixed in\u0026nbsp;2024.10.4 release." } ], "value": "Authentik project is vulnerable to Stored XSS attacks through\u00a0uploading crafted SVG files that are used as application icons.\u00a0\nThis action could only be performed by an authenticated admin user.\nThe issue was fixed in\u00a02024.10.4 release." 
} ], "impacts": [ { "capecId": "CAPEC-592", "descriptions": [ { "lang": "en", "value": "CAPEC-592 Stored XSS" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-04T13:34:11.029Z", "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability" }, { "tags": [ "patch" ], "url": "https://github.com/goauthentik/authentik/pull/12092" }, { "tags": [ "third-party-advisory" ], "url": "https://cert.pl/en/posts/2025/02/CVE-2024-11623/" } ], "source": { "discovery": "UNKNOWN" }, "title": "Stored XSS in authentik", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "assignerShortName": "CERT-PL", "cveId": "CVE-2024-11623", "datePublished": "2025-02-04T13:34:11.029Z", "dateReserved": "2024-11-22T15:12:36.191Z", 
"dateUpdated": "2025-02-12T17:10:12.746Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53942 (GCVE-0-2025-53942)
Vulnerability from cvelistv5
Published
2025-07-23 20:35
Modified
2025-07-23 20:49
CWE
- CWE-269 - Improper Privilege Management
Summary
authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. To work around this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression `return request.context["pending_user"].is_active`. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | <= 2025.4.3, < 2025.4.4; >= 2025.6.0-rc1, < 2025.6.4
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-53942", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-23T20:49:20.375492Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-23T20:49:29.415Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c= 2025.4.3, \u003c 2025.4.4" }, { "status": "affected", "version": "\u003e= 2025.6.0-rc1, \u003c 2025.6.4" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. To workaround this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression of return request.context[\"pending_user\"].is_active. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-23T20:35:07.243Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9g4j-v8w5-7x42", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9g4j-v8w5-7x42" }, { "name": "https://github.com/goauthentik/authentik/commit/7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd" }, { "name": "https://github.com/goauthentik/authentik/commit/c3629d12bfe3d32d3dc8f85c0ee1f087a55dde8f", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/c3629d12bfe3d32d3dc8f85c0ee1f087a55dde8f" }, { "name": "https://github.com/goauthentik/authentik/commit/ce3f9e3763c1778bf3a16b98c95d10f4091436ab", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/ce3f9e3763c1778bf3a16b98c95d10f4091436ab" } ], "source": { "advisory": "GHSA-9g4j-v8w5-7x42", "discovery": "UNKNOWN" }, "title": "authentik has an insufficient check for account active status during OAuth/SAML authentication" } }, "cveMetadata": { "assignerOrgId": 
"a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-53942", "datePublished": "2025-07-23T20:35:07.243Z", "dateReserved": "2025-07-14T17:23:35.262Z", "dateUpdated": "2025-07-23T20:49:29.415Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-26481 (GCVE-0-2023-26481)
Vulnerability from cvelistv5
Published
2023-03-04 00:30
Modified
2025-02-25 15:01
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Summary
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists which has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage to skip it when the flow is restored (by checking `request.context['is_restored']`), the flow is not affected by this. With this flow in place, an administrator must create a recovery link or send a recovery URL to the attacker, who can, due to the improper validation of the created token, set the password for any account. Regardless, for custom recovery flows it is recommended to add a policy that checks if the flow is restored, and skips the identification stage. This issue has been fixed in versions 2023.2.3, 2023.1.3 and 2022.12.2.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2023.2.3; < 2023.1.3; < 2022.12.2
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:53:53.981Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-3xf5-pqvf-rqq3", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-3xf5-pqvf-rqq3" }, { "name": "https://goauthentik.io/docs/releases/2023.2#fixed-in-202323", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://goauthentik.io/docs/releases/2023.2#fixed-in-202323" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-26481", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-02-25T14:29:59.847692Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-25T15:01:34.943Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2023.2.3" }, { "status": "affected", "version": "\u003c 2023.1.3" }, { "status": "affected", "version": "\u003c 2022.12.2" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage to skip it when the flow is restored (by checking `request.context[\u0027is_restored\u0027]`), the flow is not affected by this. 
With this flow in place, an administrator must create a recovery Link or send a recovery URL to the attacker, who can, due to the improper validation of the token create, set the password for any account. Regardless, for custom recovery flows it is recommended to add a policy that checks if the flow is restored, and skips the identification stage. This issue has been fixed in versions 2023.2.3, 2023.1.3 and 2022.12.2.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-04T00:30:16.509Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-3xf5-pqvf-rqq3", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-3xf5-pqvf-rqq3" }, { "name": "https://goauthentik.io/docs/releases/2023.2#fixed-in-202323", "tags": [ "x_refsource_MISC" ], "url": "https://goauthentik.io/docs/releases/2023.2#fixed-in-202323" } ], "source": { "advisory": "GHSA-3xf5-pqvf-rqq3", "discovery": "UNKNOWN" }, "title": "Insufficient user check in FlowTokens by Email stage" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-26481", "datePublished": "2023-03-04T00:30:16.509Z", "dateReserved": "2023-02-23T23:22:58.574Z", "dateUpdated": "2025-02-25T15:01:34.943Z", "state": "PUBLISHED" }, "dataType": 
"CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-52287 (GCVE-0-2024-52287)
Vulnerability from cvelistv5
Published
2024-11-21 17:23
Modified
2024-11-21 21:05
CWE
- CWE-285 - Improper Authorization
Summary
authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2024.8.5; >= 2024.10.0-rc1, < 2024.10.3
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "authentik", "vendor": "goauthentik", "versions": [ { "lessThan": "2024.8.5", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2024.10.3", "status": "affected", "version": "2024.10.0-rc1", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-52287", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-21T21:05:05.546612Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-21T21:05:11.287Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2024.8.5" }, { "status": "affected", "version": "\u003e= 2024.10.0-rc1, \u003c 2024.10.3" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven\u0027t been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.4, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-21T17:23:40.640Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-v6m7-8j37-8f4v", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-v6m7-8j37-8f4v" }, { "name": "https://github.com/goauthentik/authentik/commit/e9c29e1644e9199b4ba58d2b10eb8c322138eea2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/e9c29e1644e9199b4ba58d2b10eb8c322138eea2" } ], "source": { "advisory": "GHSA-v6m7-8j37-8f4v", "discovery": "UNKNOWN" }, "title": "authentik performs insufficient validation of OAuth scopes" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-52287", "datePublished": "2024-11-21T17:23:40.640Z", "dateReserved": "2024-11-06T19:00:26.393Z", "dateUpdated": "2024-11-21T21:05:11.287Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-23647 (GCVE-0-2024-23647)
Vulnerability from cvelistv5
Published
2024-01-30 16:10
Modified
2025-06-17 21:29
CWE
- CWE-287 - Improper Authentication
Summary
Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2023.8.7; >= 2023.10.0, < 2023.10.7
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:06:25.351Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj" }, { "name": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-23647", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-01-31T17:22:55.663962Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-17T21:29:18.763Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2023.8.7" }, { "status": "affected", "version": "\u003e= 2023.10.0, \u003c 2023.10.7" } ] } ], "descriptions": [ { "lang": "en", "value": "Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. 
Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-30T16:10:55.999Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj" }, { "name": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a" } ], "source": { "advisory": "GHSA-mrx3-gxjx-hjqj", "discovery": "UNKNOWN" }, "title": "PKCE downgrade attack in Authentik" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-23647", "datePublished": "2024-01-30T16:10:55.999Z", "dateReserved": "2024-01-19T00:18:53.234Z", "dateUpdated": "2025-06-17T21:29:18.763Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-52289 (GCVE-0-2024-52289)
Vulnerability from cvelistv5
Published
2024-11-21 17:18
Modified
2024-11-21 20:50
CWE
- CWE-185 - Incorrect Regular Expression
Summary
authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.
When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either. Given a provider with the Redirect URIs set to `https://foo.example.com`, an attacker can register a domain `fooaexample.com`, and it will correctly pass validation. authentik 2024.8.5 and 2024.10.3 fix this issue. As a workaround, when configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace `.` with `\.`.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2024.8.5; >= 2024.10.0-rc1, < 2024.10.3
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "authentik", "vendor": "goauthentik", "versions": [ { "lessThan": "2024.8.5", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2024.10.3", "status": "affected", "version": "2024.10.0-rc1", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-52289", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-21T20:44:55.487746Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-21T20:50:00.471Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2024.8.5" }, { "status": "affected", "version": "\u003e= 2024.10.0-rc1, \u003c 2024.10.3" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.\nWhen no Redirect URIs are configured in a provider, authentik will automatically use the first redirect_uri value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either. Given a provider with the Redirect URIs set to https://foo.example.com, an attacker can register a domain fooaexample.com, and it will correctly pass validation. authentik 2024.8.5 and 2024.10.3 fix this issue. As a workaround, When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace `.` with `\\.`." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.9, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-185", "description": "CWE-185: Incorrect Regular Expression", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-21T17:18:41.161Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-3q5w-6m3x-64gj", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-3q5w-6m3x-64gj" }, { "name": "https://github.com/goauthentik/authentik/commit/85bb638243c8d7ea42ddd3b15b3f51a90d2b8c54", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/85bb638243c8d7ea42ddd3b15b3f51a90d2b8c54" } ], "source": { "advisory": "GHSA-3q5w-6m3x-64gj", "discovery": "UNKNOWN" }, "title": "authentik has an insecure default configuration for OAuth2 Redirect URIs" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-52289", "datePublished": "2024-11-21T17:18:41.161Z", "dateReserved": "2024-11-06T19:00:26.394Z", "dateUpdated": "2024-11-21T20:50:00.471Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-46145 (GCVE-0-2022-46145)
Vulnerability from cvelistv5
Published
2022-12-02 17:12
Modified
2025-04-23 16:33
CWE
- CWE-287 - Improper Authentication
Summary
authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow` flow with the contents `return request.user.is_authenticated`.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2022.10.2; >= 2022.11.0, < 2022.11.2
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:24:03.299Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf" }, { "name": "https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102" }, { "name": "https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-46145", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-23T15:46:15.577977Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-23T16:33:01.881Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2022.10.2" }, { "status": "affected", "version": "\u003e= 2022.11.0, \u003c 2022.11.2" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. 
authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-02T17:12:42.046Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf" }, { "name": "https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102", "tags": [ "x_refsource_MISC" ], "url": "https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102" }, { "name": "https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112", "tags": [ "x_refsource_MISC" ], "url": "https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112" } ], "source": { "advisory": "GHSA-mjfw-54m5-fvjf", "discovery": "UNKNOWN" }, "title": "authentik vulnerable to unauthorized user creation and potential account takeover" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-46145", "datePublished": "2022-12-02T17:12:42.046Z", "dateReserved": "2022-11-28T17:27:19.995Z", "dateUpdated": "2025-04-23T16:33:01.881Z", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "state": "PUBLISHED" }, 
"dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-39522 (GCVE-0-2023-39522)
Vulnerability from cvelistv5
Published
2023-08-29 17:23
Modified
2024-10-01 20:19
CWE
- CWE-203 - Observable Discrepancy
Summary
goauthentik is an open-source Identity Provider. In affected versions, using a recovery flow with an identification stage, an attacker is able to determine if a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recovery flow described above is susceptible to having their username/email revealed as existing. An attacker can easily enumerate and check users' existence using the recovery flow, as a clear message is shown when a user doesn't exist. Depending on configuration, this can be done by username, email, or both. This issue has been addressed in versions 2023.5.6 and 2023.6.2. Users are advised to upgrade. There are no known workarounds for this issue.
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | >= 2023.6.0, < 2023.6.2; < 2023.5.6
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T18:10:21.423Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87" }, { "name": "https://github.com/goauthentik/authentik/commit/aa874dd92a770d5f8cd8f265b7cdd31cd73a4599", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/commit/aa874dd92a770d5f8cd8f265b7cdd31cd73a4599" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-39522", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-01T20:19:47.988655Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-01T20:19:58.448Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003e= 2023.6.0, \u003c 2023.6.2" }, { "status": "affected", "version": "\u003c 2023.5.6" } ] } ], "descriptions": [ { "lang": "en", "value": "goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage an attacker is able to determine if a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recovery flow described above is susceptible to having their username/email revealed as existing. An attacker can easily enumerate and check users\u0027 existence using the recovery flow, as a clear message is shown when a user doesn\u0027t exist. 
Depending on configuration this can either be done by username, email, or both. This issue has been addressed in versions 2023.5.6 and 2023.6.2. Users are advised to upgrade. There are no known workarounds for this issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-203", "description": "CWE-203: Observable Discrepancy", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-29T17:23:37.092Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87" }, { "name": "https://github.com/goauthentik/authentik/commit/aa874dd92a770d5f8cd8f265b7cdd31cd73a4599", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/aa874dd92a770d5f8cd8f265b7cdd31cd73a4599" } ], "source": { "advisory": "GHSA-vmf9-6pcv-xr87", "discovery": "UNKNOWN" }, "title": "Username enumeration attack in goauthentik" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-39522", "datePublished": "2023-08-29T17:23:37.092Z", "dateReserved": "2023-08-03T16:27:36.262Z", "dateUpdated": "2024-10-01T20:19:58.448Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-38371 (GCVE-0-2024-38371)
Vulnerability from cvelistv5
Published
2024-06-28 17:58
Modified
2024-08-02 04:04
Severity
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CWE
- CWE-284 - Improper Access Control
- CWE-285 - Improper Authorization
Summary
authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been patched in version(s) 2024.6.0, 2024.2.4 and 2024.4.3.
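Added example, not authentik's code and not taken from the advisory: a minimal OAuth 2.0 device authorization grant (RFC 8628) in which the application's access policy is evaluated at the moment a signed-in user verifies the user_code. That verification step is the only point where a user becomes attached to the grant, so it is where the check the advisory describes as missing has to live. `User`, `Application` and `allowed_groups` are constructed stand-ins for authentik's users, applications and policy bindings; the sample users and application are constructed too.

```python
"""Added example (not authentik's code): a minimal OAuth 2.0 device authorization
grant, RFC 8628, in which the application's access policy is evaluated at the
moment a user verifies the user_code. That is the check the advisory says was
skipped. User, Application and allowed_groups are constructed stand-ins for
authentik's users, applications and policy bindings."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset


@dataclass(frozen=True)
class Application:
    slug: str
    allowed_groups: frozenset  # constructed stand-in for the application's policy bindings

    def allows(self, user: User) -> bool:
        return bool(self.allowed_groups & user.groups)


@dataclass
class DeviceGrant:
    device_code: str   # secret held by the device, presented at the token endpoint
    user_code: str     # short code the human types into the verification page
    app: Application
    expires_at: float
    user: Optional[User] = None
    denied: bool = False


class DeviceFlow:
    """Server-side grant state. enforce_policy=False reproduces the missing check
    from the advisory; True is the behaviour of the patched releases."""

    def __init__(self, enforce_policy: bool = True, lifetime: float = 600.0) -> None:
        self.enforce_policy = enforce_policy
        self.lifetime = lifetime
        self._by_device: Dict[str, DeviceGrant] = {}
        self._by_user_code: Dict[str, DeviceGrant] = {}

    def authorize_device(self, app: Application, now: Optional[float] = None) -> DeviceGrant:
        """Step 1: the device asks for codes for a given application (no user yet)."""
        now = time.time() if now is None else now
        grant = DeviceGrant(secrets.token_urlsafe(32), secrets.token_hex(4).upper(), app, now + self.lifetime)
        self._by_device[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return grant

    def verify_user_code(self, user_code: str, user: User, now: Optional[float] = None) -> bool:
        """Step 2: an authenticated user enters the user_code in a browser. This is the
        only point where a user is attached to the grant, so the application's access
        policy must be evaluated here; a denial is recorded so the polling device sees it."""
        now = time.time() if now is None else now
        grant = self._by_user_code.get(user_code)
        if grant is None or now >= grant.expires_at or grant.denied or grant.user is not None:
            return False
        if self.enforce_policy and not grant.app.allows(user):
            grant.denied = True
            return False
        grant.user = user
        return True

    def token(self, device_code: str, now: Optional[float] = None) -> dict:
        """Step 3: the device polls the token endpoint; RFC 8628 error codes are returned."""
        now = time.time() if now is None else now
        grant = self._by_device.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if now >= grant.expires_at:
            return {"error": "expired_token"}
        if grant.denied:
            return {"error": "access_denied"}
        if grant.user is None:
            return {"error": "authorization_pending"}
        del self._by_device[device_code]          # a device code is single use
        del self._by_user_code[grant.user_code]
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "sub": grant.user.username, "aud": grant.app.slug}


def run_flow(enforce_policy: bool, user: User, app: Application) -> dict:
    """Drive one complete flow and return the token endpoint's final answer."""
    flow = DeviceFlow(enforce_policy=enforce_policy)
    grant = flow.authorize_device(app)
    flow.verify_user_code(grant.user_code, user)
    return flow.token(grant.device_code)


# Constructed sample data: mallory has a valid account but no access to the application.
GRAFANA = Application("grafana", frozenset({"ops"}))
ALICE = User("alice", frozenset({"ops"}))
MALLORY = User("mallory", frozenset({"guests"}))
```

With `enforce_policy=False`, `run_flow(False, MALLORY, GRAFANA)` hands mallory a token for an application she is not allowed to use, which is the outcome the advisory describes; with the check in place the device's poll ends in `access_denied`. The point to carry over to any IdP: the authorization-code flow evaluates application access when the user is redirected to the authorize endpoint, but the device flow has no such redirect, so the policy evaluation must be wired into the user_code verification page explicitly.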
References
- https://github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45 (advisory)
- https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4
- https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3
- https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2024.6.0; < 2024.4.3; < 2024.2.4
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "authentik", "vendor": "goauthentik", "versions": [ { "lessThan": "2024.6.0", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2024.4.3", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2024.2.4", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-38371", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-28T20:07:42.936032Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-28T20:10:55.919Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:04:25.257Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0" } ], 
"title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2024.6.0" }, { "status": "affected", "version": "\u003c 2024.4.3" }, { "status": "affected", "version": "\u003c 2024.2.4" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been patched in version(s) 2024.6.0, 2024.2.4 and 2024.4.3." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-28T17:58:48.169Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4" }, { "name": 
"https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3" }, { "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0" } ], "source": { "advisory": "GHSA-jq3m-37m7-gp45", "discovery": "UNKNOWN" }, "title": "Insufficient access control for OAuth2 Device Code flow in authentik" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-38371", "datePublished": "2024-06-28T17:58:48.169Z", "dateReserved": "2024-06-14T14:16:16.466Z", "dateUpdated": "2024-08-02T04:04:25.257Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-36456 (GCVE-0-2023-36456)
Vulnerability from cvelistv5
Published
2023-07-06 18:24
Modified
2024-11-14 14:10
Severity
8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
CWE
- CWE-436 - Interpretation Conflict
Summary
authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the go code. Only authentik setups that are directly accessible by users without a reverse proxy are susceptible to this. Possible spoofing of IP addresses in logs, downstream applications proxied by (built in) outpost, IP bypassing in custom flows if used.
This poses a possible security risk when someone has flows or policies that check the user's IP address, e.g. when they want to ignore the user's 2 factor authentication when the user is connected to the company network. A second security risk is that the IP addresses in the logfiles and user sessions are not reliable anymore. Anybody can spoof this address and one cannot verify that the user has logged in from the IP address that is in their account's log. A third risk is that this header is passed on to the proxied application behind an outpost. The application may do any kind of verification, logging, blocking or rate limiting based on the IP address, and this IP address can be overridden by anybody who wants to.
Versions 2023.4.3 and 2023.5.5 contain a patch for this issue.
References
- https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv (advisory)
- https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff
- https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a
- https://goauthentik.io/docs/releases/2023.4#fixed-in-202343
- https://goauthentik.io/docs/releases/2023.5#fixed-in-202355
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2023.4.3; >= 2023.5.0, < 2023.5.5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:45:56.967Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv" }, { "name": "https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff" }, { "name": "https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a" }, { "name": "https://goauthentik.io/docs/releases/2023.4#fixed-in-202343", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://goauthentik.io/docs/releases/2023.4#fixed-in-202343" }, { "name": "https://goauthentik.io/docs/releases/2023.5#fixed-in-202355", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://goauthentik.io/docs/releases/2023.5#fixed-in-202355" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-36456", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-14T14:10:24.618779Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-14T14:10:35.658Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2023.4.3" }, { "status": "affected", "version": 
"\u003e= 2023.5.0, \u003c 2023.5.5" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the go code. Only authentik setups that are directly accessible by users without a reverse proxy are susceptible to this. Possible spoofing of IP addresses in logs, downstream applications proxied by (built in) outpost, IP bypassing in custom flows if used.\n\nThis poses a possible security risk when someone has flows or policies that check the user\u0027s IP address, e.g. when they want to ignore the user\u0027s 2 factor authentication when the user is connected to the company network. A second security risk is that the IP addresses in the logfiles and user sessions are not reliable anymore. Anybody can spoof this address and one cannot verify that the user has logged in from the IP address that is in their account\u0027s log. A third risk is that this header is passed on to the proxied application behind an outpost. 
The application may do any kind of verification, logging, blocking or rate limiting based on the IP address, and this IP address can be overridden by anybody that want to.\n\nVersions 2023.4.3 and 2023.5.5 contain a patch for this issue.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-06T18:24:03.308Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv" }, { "name": "https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff" }, { "name": "https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a" }, { "name": "https://goauthentik.io/docs/releases/2023.4#fixed-in-202343", "tags": [ "x_refsource_MISC" ], "url": "https://goauthentik.io/docs/releases/2023.4#fixed-in-202343" }, { "name": "https://goauthentik.io/docs/releases/2023.5#fixed-in-202355", "tags": [ "x_refsource_MISC" ], "url": "https://goauthentik.io/docs/releases/2023.5#fixed-in-202355" } ], "source": { "advisory": 
"GHSA-cmxp-jcw7-jjjv", "discovery": "UNKNOWN" }, "title": "Authentik lacks Proxy IP headers validation" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-36456", "datePublished": "2023-07-06T18:24:03.308Z", "dateReserved": "2023-06-21T18:50:41.698Z", "dateUpdated": "2024-11-14T14:10:35.658Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-52307 (GCVE-0-2024-52307)
Vulnerability from cvelistv5
Published
2024-11-21 17:14
Modified
2024-11-27 16:03
Severity
6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N
CWE
- CWE-208 - Observable Timing Discrepancy
Summary
authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly. authentik 2024.8.5 and 2024.10.3 fix this issue. Since the /-/metrics/ endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik.
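Added example, not authentik's code and not from the advisory, showing why the comparison of a shared secret has to be constant time. `early_exit_equal` models the pattern the advisory describes (the comparison stops at the first mismatching byte) and `constant_time_equal` models the fix; `check_metrics_secret` is the standard-library call production code should use. Rather than measuring wall-clock time, each comparison also reports how many bytes it examined, a deterministic stand-in for the response-time side channel, and `recover_secret` shows that this signal alone recovers the secret byte by byte. The secret, the alphabet and the name of the endpoint check are constructed; nothing here reflects how authentik formats or transports its SECRET_KEY.

```python
"""Added example (not authentik's code): early-exit versus constant-time
comparison of a shared secret, with a byte-by-byte recovery that uses only the
amount of work the comparison performed. The work counter stands in for the
response time an attacker would measure; SAMPLE_SECRET and ALPHABET are
constructed sample data."""
import hmac
import string
from typing import Callable, Optional, Tuple

Oracle = Callable[[bytes], Tuple[bool, int]]

SAMPLE_SECRET = b"k7f-metrics-9q2"                                   # constructed
ALPHABET = (string.ascii_lowercase + string.digits + "-").encode()  # constructed


def early_exit_equal(guess: bytes, secret: bytes) -> Tuple[bool, int]:
    """Vulnerable pattern. Returns (equal, bytes_examined): the second value grows
    with the length of the matching prefix, which is what remote timing observes."""
    if len(guess) != len(secret):
        return False, 0
    examined = 0
    for g, s in zip(guess, secret):
        examined += 1
        if g != s:
            return False, examined
    return True, examined


def constant_time_equal(guess: bytes, secret: bytes) -> Tuple[bool, int]:
    """Fixed pattern: every byte is touched, so the work does not depend on the prefix."""
    if len(guess) != len(secret):
        return False, 0
    diff = 0
    for g, s in zip(guess, secret):
        diff |= g ^ s
    return diff == 0, len(secret)


def check_metrics_secret(presented: bytes, secret_key: bytes) -> bool:
    """What a real endpoint check should call: the standard library's constant-time compare."""
    return hmac.compare_digest(presented, secret_key)


def recover_secret(oracle: Oracle, length: int, alphabet: bytes) -> Optional[bytes]:
    """Recover a secret one byte at a time from the work side channel alone.

    At position i the single candidate that makes the comparison examine more
    bytes than every other candidate is the right byte; for the final byte the
    oracle's equality flag settles it. Returns None when no candidate stands out,
    which is exactly what happens against a constant-time comparison."""
    known = b""
    for pos in range(length):
        pad = b"\x00" * (length - pos - 1)
        work = {}
        for c in alphabet:
            equal, examined = oracle(known + bytes([c]) + pad)
            if equal:
                return known + bytes([c])  # full match on the last byte
            work[c] = examined
        best = max(work.values())
        winners = [c for c, w in work.items() if w == best]
        if len(winners) != 1:
            return None  # no signal: every candidate cost the same
        known += bytes(winners)
    return known


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """(recovered against early-exit compare, recovered against constant-time compare)."""
    leaky = recover_secret(lambda g: early_exit_equal(g, SAMPLE_SECRET), len(SAMPLE_SECRET), ALPHABET)
    fixed = recover_secret(lambda g: constant_time_equal(g, SAMPLE_SECRET), len(SAMPLE_SECRET), ALPHABET)
    return leaky, fixed
```

Against a live endpoint the attacker replaces the work counter with many timed requests per candidate and statistical filtering, but the per-byte structure of the attack is unchanged, which is why the cost of a leaky compare is linear in the secret length rather than exponential. `hmac.compare_digest` is the drop-in fix; independently of it, blocking `/-/metrics/` at the reverse proxy or load balancer, as the advisory recommends, takes the endpoint out of the attacker's reach altogether.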
References
- https://github.com/goauthentik/authentik/security/advisories/GHSA-2xrw-5f2x-m56j (advisory)
- https://github.com/goauthentik/authentik/commit/5ea4580884f99369f0ccfe484c04cb03a66e65b8
- http://www.openwall.com/lists/oss-security/2024/11/27/1
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | < 2024.8.5; >= 2024.10.0-rc1, < 2024.10.3
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "authentik", "vendor": "goauthentik", "versions": [ { "lessThan": "2024.8.5", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2024.10.3", "status": "affected", "version": "2024.10.0-rc1", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-52307", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-21T21:05:39.091544Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-21T21:05:44.590Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-11-27T16:03:20.897Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "http://www.openwall.com/lists/oss-security/2024/11/27/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003c 2024.8.5" }, { "status": "affected", "version": "\u003e= 2024.10.0-rc1, \u003c 2024.10.3" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly. authentik 2024.8.5 and 2024.10.3 fix this issue. 
Since the /-/metrics/ endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-21T17:14:51.677Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-2xrw-5f2x-m56j", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-2xrw-5f2x-m56j" }, { "name": "https://github.com/goauthentik/authentik/commit/5ea4580884f99369f0ccfe484c04cb03a66e65b8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/5ea4580884f99369f0ccfe484c04cb03a66e65b8" } ], "source": { "advisory": "GHSA-2xrw-5f2x-m56j", "discovery": "UNKNOWN" }, "title": "authentik allows a timing attack due to missing constant time comparison for metrics view" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-52307", "datePublished": "2024-11-21T17:14:51.677Z", "dateReserved": "2024-11-06T19:00:26.397Z", "dateUpdated": "2024-11-27T16:03:20.897Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-47070 (GCVE-0-2024-47070)
Vulnerability from cvelistv5
Published
2024-09-27 15:18
Modified
2024-09-27 17:55
Severity
9.1 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE
- CWE-287 - Improper Authentication
Summary
authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding an X-Forwarded-For header with an unparsable IP address, e.g. `a`. This results in a possibility of logging into any account with a known login or email address. The vulnerability requires the authentik instance to trust the X-Forwarded-For header provided by the attacker, thus it is not reproducible from external hosts on a properly configured environment. The issue occurs due to the password stage having a policy bound to it, which skips the password stage if the Identification stage is set up to also contain a password stage. Due to the invalid X-Forwarded-For header, which does not get validated to be an IP Address early enough, the exception happens later and the policy fails. The default blueprint doesn't correctly set `failure_result` to `True` on the policy binding meaning that due to this exception the policy returns false and the password stage is skipped. Versions 2024.8.3 and 2024.6.5 fix this issue.
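Added example serving both this advisory and CVE-2023-36456 above; it is not authentik's code and not from either advisory. Two pieces are shown together because they share the same IP-parsing helper: `client_ip` only honours X-Forwarded-For when the TCP peer is a trusted proxy, walks the header from the proxy side, and treats an unparsable hop such as `a` as the end of what can be trusted instead of raising; `run_policy` models a policy bound to a flow stage and shows why a gating policy must fail closed (`failure_result=True`), since an exception inside the policy otherwise evaluates to False and the stage it guards is skipped. The trusted-proxy list, the `Request` shape, the two gate policies and the semantics assigned to `failure_result` are constructed for the example and do not reproduce authentik's internals.

```python
"""Added example (not authentik's code): trusted-proxy-aware X-Forwarded-For
resolution plus a fail-closed stage-gating policy. TRUSTED_PROXIES, Request
and both gate policies are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Sequence, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed: ranges from which proxy headers are accepted. In a deployment this
# is the reverse proxy / load balancer address range, never everything.
TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
)


def parse_ip(text: str) -> Optional[IPAddress]:
    """Strict parse that returns None instead of raising for garbage such as 'a'."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(addr: IPAddress, trusted: Sequence) -> bool:
    return any(addr in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted: Sequence = TRUSTED_PROXIES) -> IPAddress:
    """Resolve the client address the way a proxy-aware server should.

    The TCP peer is the one value an attacker cannot choose, so it alone decides
    whether the header is consulted. The header is then walked from the right
    (nearest proxy) to the left, skipping trusted hops; the first untrusted hop is
    the client. An unparsable hop ends the walk and the last verified hop is kept,
    so bad input can neither raise nor be trusted."""
    peer = ipaddress.ip_address(remote_addr)
    if not xff or not is_trusted(peer, trusted):
        return peer  # direct connection, or a peer we do not allow to set headers
    resolved = peer
    for hop in reversed(xff.split(",")):
        addr = parse_ip(hop)
        if addr is None:
            return resolved
        if not is_trusted(addr, trusted):
            return addr
        resolved = addr
    return resolved  # every hop was a trusted proxy; report the left-most one


@dataclass
class Request:
    remote_addr: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class PolicyBinding:
    """A policy attached to a flow stage: True shows the stage, False skips it."""
    policy: Callable[[Request], bool]
    failure_result: bool = False  # value an exception counts as; unsafe default for a gate


def run_policy(binding: PolicyBinding, request: Request) -> bool:
    try:
        return binding.policy(request)
    except Exception:
        return binding.failure_result


def naive_password_gate(request: Request) -> bool:
    """Constructed gate that trusts X-Forwarded-For blindly and parses it with a
    raising parser: the pattern that turns a bad header into a skipped stage."""
    ipaddress.ip_address(request.headers.get("X-Forwarded-For", request.remote_addr))
    return True  # the password stage is always required in this flow


def safe_password_gate(request: Request) -> bool:
    """Same gate with early, non-raising validation; failure_result never comes into play."""
    client_ip(request.remote_addr, request.headers.get("X-Forwarded-For"))
    return True


def password_stage_runs(request: Request, gate: Callable[[Request], bool] = naive_password_gate,
                        failure_result: bool = False) -> bool:
    """Whether the password stage is shown for this request under the given binding."""
    return run_policy(PolicyBinding(gate, failure_result=failure_result), request)
```

`password_stage_runs(Request("10.0.0.2", {"X-Forwarded-For": "a"}))` returns False with the naive gate and the default binding: the stage is skipped and the login proceeds without a password, which is the bypass. Either of the two fixes closes it on its own, and a deployment wants both: validate the header before any policy can see it, and set `failure_result=True` on any binding that gates an authentication step so an unexpected exception shows the stage rather than skipping it. The peer check in `client_ip` is what addresses CVE-2023-36456: a client connecting directly, outside the trusted range, cannot influence the resolved address no matter what it sends.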
References
- https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7 (advisory)
- https://github.com/goauthentik/authentik/commit/78f7b04d5a62b2a9d4316282a713c2c7857dbe29
- https://github.com/goauthentik/authentik/commit/dd8f809161e738b25765797eb2a5c77a7d3fc2cf
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | >= 2024.8.0-rc1, < 2024.8.3; < 2024.6.5
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "authentik", "vendor": "goauthentik", "versions": [ { "lessThan": "2024.6.5", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2024.8.3", "status": "affected", "version": "2024.8.0-rc1", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-47070", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-27T17:53:28.310260Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-27T17:55:55.382Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003e= 2024.8.0-rc1, \u003c 2024.8.3" }, { "status": "affected", "version": "\u003c 2024.6.5" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. `a`. This results in a possibility of logging into any account with a known login or email address. The vulnerability requires the authentik instance to trust X-Forwarded-For header provided by the attacker, thus it is not reproducible from external hosts on a properly configured environment. The issue occurs due to the password stage having a policy bound to it, which skips the password stage if the Identification stage is setup to also contain a password stage. Due to the invalid X-Forwarded-For header, which does not get validated to be an IP Address early enough, the exception happens later and the policy fails. 
The default blueprint doesn\u0027t correctly set `failure_result` to `True` on the policy binding meaning that due to this exception the policy returns false and the password stage is skipped. Versions 2024.8.3 and 2024.6.5 fix this issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-27T15:29:58.025Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7" }, { "name": "https://github.com/goauthentik/authentik/commit/78f7b04d5a62b2a9d4316282a713c2c7857dbe29", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/78f7b04d5a62b2a9d4316282a713c2c7857dbe29" }, { "name": "https://github.com/goauthentik/authentik/commit/dd8f809161e738b25765797eb2a5c77a7d3fc2cf", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/dd8f809161e738b25765797eb2a5c77a7d3fc2cf" } ], "source": { "advisory": "GHSA-7jxf-mmg9-9hg7", "discovery": "UNKNOWN" }, "title": "authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-47070", "datePublished": "2024-09-27T15:18:03.999Z", 
"dateReserved": "2024-09-17T17:42:37.029Z", "dateUpdated": "2024-09-27T17:55:55.382Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-46172 (GCVE-0-2022-46172)
Vulnerability from cvelistv5
Published
2022-12-28 06:16
Modified
2025-04-11 15:46
Severity
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
CWE
- CWE-269 - Improper Privilege Management
- CWE-287 - Improper Authentication
Summary
authentik is an open-source Identity provider focused on flexibility and versatility. In versions prior to 2022.10.4, and 2022.11.4, any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where it is undesirable for users to create new accounts by themselves. This may also affect other applications as these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into as no password reset exists by default. However password resets are likely to be enabled by most installations. This vulnerability pertains to the user context used in the default-user-settings-flow, /api/v3/flows/instances/default-user-settings-flow/execute/. This issue has been fixed in versions 2022.10.4 and 2022.11.4.
References
- https://github.com/goauthentik/authentik/security/advisories/GHSA-hv8r-6w7p-mpc5 (advisory)
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | >= 2022.11.0, < 2022.11.4; >= 2022.10.0, < 2022.10.4
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:24:03.352Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hv8r-6w7p-mpc5", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hv8r-6w7p-mpc5" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-46172", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-11T15:46:29.663612Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-11T15:46:38.946Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003e= 2022.11.0, \u003c 2022.11.4" }, { "status": "affected", "version": "\u003e= 2022.10.0, \u003c 2022.10.4" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity provider focused on flexibility and versatility. In versions prior to 2022.10.4, and 2022.11.4, any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where it is undesirable for users to create new accounts by themselves. This may also affect other applications as these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into as no password reset exists by default. However password resets are likely to be enabled by most installations. This vulnerability pertains to the user context used in the default-user-settings-flow, /api/v3/flows/instances/default-user-settings-flow/execute/. 
This issue has been fixed in versions 2022.10.4 and 2022.11.4." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-28T06:16:21.985Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hv8r-6w7p-mpc5", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-hv8r-6w7p-mpc5" } ], "source": { "advisory": "GHSA-hv8r-6w7p-mpc5", "discovery": "UNKNOWN" }, "title": "authentik allows existing authenticated users to create arbitrary accounts" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-46172", "datePublished": "2022-12-28T06:16:21.985Z", "dateReserved": "2022-11-28T17:27:19.998Z", "dateUpdated": "2025-04-11T15:46:38.946Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23555 (GCVE-0-2022-23555)
Vulnerability from cvelistv5
Published
2022-12-28 00:12
Modified
2025-04-11 15:48
CWE
- CWE-287 - Improper Authentication
Summary
authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than the one provided. The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing to signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it's a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used. This issue is patched in authentik 2022.11.4, 2022.10.4 and 2022.12.0. Only configurations that use invitations and have multiple enrollment flows with invitation stages that grant different permissions are affected. The default configuration is not vulnerable, and neither are configurations with a single enrollment flow. As a workaround, fixed data can be added to invitations which can be checked in the flow to deny requests. Alternatively, an identifier with high entropy (like a UUID) can be used as flow slug, mitigating the attack vector by exponentially decreasing the possibility of discovering other flows.
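Added example, not authentik's code and not from the advisory: an invitation store whose tokens are bound to the enrollment flow they were issued for, which is the check the advisory says was absent, alongside the two workarounds it names (fixed data on the invitation that the flow verifies, and a high-entropy flow slug). `Invitation`, `InvitationStore` and `enroll` are constructed stand-ins for authentik's invitation model and invitation stage; a `flow_slug` of `None` reproduces the pre-fix behaviour of a token valid in any flow.

```python
"""Added example (not authentik's code): invitation tokens bound to a flow,
plus the fixed-data and random-slug workarounds from the advisory. The model
and the enrollment function are constructed stand-ins."""
import hmac
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class Invitation:
    token: str
    flow_slug: Optional[str]  # None = usable in any flow, i.e. the pre-fix behaviour
    fixed_data: Dict[str, str] = field(default_factory=dict)


class InvitationStore:
    def __init__(self) -> None:
        self._by_token: Dict[str, Invitation] = {}

    def create(self, flow_slug: Optional[str], **fixed_data: str) -> Invitation:
        """Issue a single-use invitation for one specific flow (or any flow if None)."""
        inv = Invitation(secrets.token_urlsafe(32), flow_slug, dict(fixed_data))
        self._by_token[inv.token] = inv
        return inv

    def redeem(self, token: str, flow_slug: str,
               required_fixed: Optional[Dict[str, str]] = None) -> Optional[Invitation]:
        """Called by the invitation stage of the flow `flow_slug`.

        The token is accepted only if it exists, was issued for this very flow,
        and carries any fixed data the flow insists on; it is consumed on success.
        required_fixed models the workaround of a policy in the flow that denies
        the request unless the invitation's fixed data matches."""
        inv = self._by_token.get(token)
        if inv is None:
            return None
        if inv.flow_slug is not None and not hmac.compare_digest(inv.flow_slug, flow_slug):
            return None  # the fix: a token is not transferable between flows
        if required_fixed and any(inv.fixed_data.get(k) != v for k, v in required_fixed.items()):
            return None  # the fixed-data workaround
        del self._by_token[token]
        return inv


def enroll(store: InvitationStore, token: str, flow_slug: str,
           required_fixed: Optional[Dict[str, str]] = None) -> bool:
    """One enrollment attempt through the named flow; True means an account would be created."""
    return store.redeem(token, flow_slug, required_fixed) is not None


def random_flow_slug(prefix: str = "enrollment-invitation") -> str:
    """Second workaround: an unguessable slug, so other flows cannot be found by name."""
    return f"{prefix}-{uuid.uuid4()}"
```

Binding the token to the flow is the real fix and should not be replaced by the workarounds: a random slug only raises the cost of discovering the other flow, and a fixed-data check only helps if every privileged flow actually enforces it.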
References
URL | Tags
---|---
https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h | x_refsource_CONFIRM
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | >= 2022.11.0, < 2022.11.4
goauthentik | authentik | < 2022.10.4
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:43:46.477Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-23555", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-11T15:48:09.495994Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-11T15:48:20.256Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003e= 2022.11.0, \u003c 2022.11.4" }, { "status": "affected", "version": " \u003c 2022.10.4" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing to signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it\u0027s a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used. This issue is patched in authentik 2022.11.4,2022.10.4 and 2022.12.0. Only configurations that use invitations and have multiple enrollment flows with invitation stages that grant different permissions are affected. The default configuration is not vulnerable, and neither are configurations with a single enrollment flow. As a workaround, fixed data can be added to invitations which can be checked in the flow to deny requests. Alternatively, an identifier with high entropy (like a UUID) can be used as flow slug, mitigating the attack vector by exponentially decreasing the possibility of discovering other flows."
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-28T00:12:35.912Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h" } ], "source": { "advisory": "GHSA-9qwp-jf7p-vr7h", "discovery": "UNKNOWN" }, "title": "authentik vulnerable to Improper Authentication via invitation URL token reuse" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-23555", "datePublished": "2022-12-28T00:12:35.912Z", "dateReserved": "2022-01-19T21:23:53.802Z", "dateUpdated": "2025-04-11T15:48:20.256Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-52553 (GCVE-0-2025-52553)
Vulnerability from cvelistv5
Published
2025-06-27 15:03
Modified
2025-06-27 15:50
Severity
5.5 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
CWE
- CWE-287 - Improper Authentication
Summary
authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to be valid only for the session of the user who authorized the connection; however, this check is missing in versions prior to 2025.6.3 and 2025.4.3. When, for example, using RAC during a screenshare, a malicious user could access the same session by copying the URL from the browser shown on screen. authentik 2025.4.3 and 2025.6.3 fix this issue. As a workaround, it is recommended to decrease the duration a token is valid for (in the RAC Provider settings, set Connection expiry to `minutes=5`, for example). The maintainers of authentik also recommend enabling the option Delete authorization on disconnect.
References
URL | Tags
---|---
https://github.com/goauthentik/authentik/security/advisories/GHSA-wr3v-9p2c-chx7 | x_refsource_CONFIRM
https://github.com/goauthentik/authentik/commit/0e07414e9739b318cff9401a413a5fe849545325 | x_refsource_MISC
https://github.com/goauthentik/authentik/commit/65373ab21711d58147b5cb9276c5b5876baaa5eb | x_refsource_MISC
https://github.com/goauthentik/authentik/commit/7100d3c6741853f1cfe3ea2073ba01823ab55caa | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
goauthentik | authentik | >= 2025.6.0-rc1, < 2025.6.3
goauthentik | authentik | < 2025.4.3
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-52553", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-27T15:50:01.661992Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-27T15:50:17.417Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "authentik", "vendor": "goauthentik", "versions": [ { "status": "affected", "version": "\u003e= 2025.6.0-rc1, \u003c 2025.6.3" }, { "status": "affected", "version": "\u003c 2025.4.3" } ] } ], "descriptions": [ { "lang": "en", "value": "authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, however this check is missing in versions prior to 2025.6.3 and 2025.4.3. When, for example, using RAC during a screenshare, a malicious user could access the same session by copying the URL from the shown browser. authentik 2025.4.3 and 2025.6.3 fix this issue. As a workaround, it is recommended to decrease the duration a token is valid for (in the RAC Provider settings, set Connection expiry to `minutes=5` for example). The maintainers of authentik also recommend enabling the option Delete authorization on disconnect." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 5.5, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-06-27T15:03:13.015Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-wr3v-9p2c-chx7", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-wr3v-9p2c-chx7" }, { "name": "https://github.com/goauthentik/authentik/commit/0e07414e9739b318cff9401a413a5fe849545325", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/0e07414e9739b318cff9401a413a5fe849545325" }, { "name": "https://github.com/goauthentik/authentik/commit/65373ab21711d58147b5cb9276c5b5876baaa5eb", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/65373ab21711d58147b5cb9276c5b5876baaa5eb" }, { "name": "https://github.com/goauthentik/authentik/commit/7100d3c6741853f1cfe3ea2073ba01823ab55caa", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/goauthentik/authentik/commit/7100d3c6741853f1cfe3ea2073ba01823ab55caa" } ], "source": { "advisory": "GHSA-wr3v-9p2c-chx7", "discovery": "UNKNOWN" }, "title": "authentik has Insufficient Session verification for Remote Access Control endpoint access" } }, "cveMetadata": { "assignerOrgId": 
"a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-52553", "datePublished": "2025-06-27T15:03:13.015Z", "dateReserved": "2025-06-18T03:55:52.034Z", "dateUpdated": "2025-06-27T15:50:17.417Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }