CVE-2026-40166
Published 2026-05-22
Priority: P3 · 43 · high · 7.1 (CVSS 4.0)
EPSS: 0.34% (25.5th percentile)
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. The affected endpoint is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
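As an added example (not authentik's own code), the following Python helper audits a GET /api/v3/oauth2/access_tokens/ response body for the exposure described above and produces the redacted body a low-privilege caller should have received. The exact JSON layout (a paginated `results` list whose items carry a nested `provider` object) is an assumption drawn from the advisory text, not verified against authentik.

```python
"""Audit and redact an access_tokens response for nested provider secrets.

Added example for CVE-2026-40166; the response layout is assumed from the
advisory (results[] items with a nested "provider" object), not from authentik.
"""
import copy

# Fields a non-admin caller must never see inside a nested provider object.
SENSITIVE_PROVIDER_FIELDS = ("client_secret",)


def find_exposed_secrets(body: dict) -> list[dict]:
    """Return one finding per access token whose nested provider object
    carries a non-empty client_secret for a confidential client."""
    findings = []
    for item in body.get("results", []):
        provider = item.get("provider") or {}
        if provider.get("client_type") != "confidential":
            continue  # only confidential clients rely on the secret
        if provider.get("client_secret"):
            findings.append({"token_pk": item.get("pk"),
                             "client_id": provider.get("client_id")})
    return findings


def redact_for_non_admin(body: dict) -> dict:
    """Return a deep copy of the body with every sensitive provider field
    removed; the caller's input is left untouched."""
    redacted = copy.deepcopy(body)
    for item in redacted.get("results", []):
        provider = item.get("provider")
        if isinstance(provider, dict):
            for field in SENSITIVE_PROVIDER_FIELDS:
                provider.pop(field, None)
    return redacted


# Constructed sample response; values are placeholders, not real secrets.
SAMPLE_RESPONSE = {
    "results": [
        {"pk": 1, "provider": {"client_id": "app-confidential",
                               "client_secret": "PLACEHOLDER_SECRET",
                               "client_type": "confidential"}},
        {"pk": 2, "provider": {"client_id": "spa-public",
                               "client_secret": "",
                               "client_type": "public"}},
    ]
}

if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_RESPONSE):
        print(f"token {f['token_pk']} exposes the secret of {f['client_id']}")
    assert not find_exposed_secrets(redact_for_non_admin(SAMPLE_RESPONSE))
```

Run it against a saved response from a low-privilege account after upgrading to a fixed version: an empty finding list confirms the nested provider object no longer carries the secret.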
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| goauthentik | authentik | < 2025.12.5 | 2025.12.5 |
| goauthentik | authentik | 2026.2.0-rc1 through 2026.2.2 | 2026.2.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| cvelistv5 | 4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N |
VulDB
CVE-2026-40166 [LOW] goauthentik up to 2025.12.4/2026.2.2 OAuth2 Access Token access_tokens client_id/client_secret information disclosure (GHSA-hhpc-rqgm-pxj4)
vuldb · 2026-05-23
A vulnerability was found in goauthentik authentik up to 2025.12.4/2026.2.2. It has been classified as problematic. Affected is an unknown function of the file /api/v3/oauth2/access_tokens/ of the component OAuth2 Access Token Handler. Performing a manipulation of the argument client_id/client_secret results in information disclosure.
This vulnerability is known as CVE-2026-40166. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
CVEList
CVE-2026-40166 [HIGH] CWE-200 authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/
cvelistv5 · 2026-05-22 · CVSS 7.1
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.