
Goauthentik Authentik vulnerabilities

36 known vulnerabilities affecting goauthentik/authentik.

Total CVEs: 36
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 9, HIGH 17, MEDIUM 10

Vulnerabilities

Page 1 of 2 (20 of the 36 entries are listed on this page). Entry format: CVE ID | priority | severity | CVSS score | fixed-in version and further affected version ranges | date, followed by the CWE and the advisory description (truncated where the page truncates it), then the data source.
CVE-2026-40165 | P2 | HIGH | CVSS 8.7 | fixed in 2025.12.5; also affected: ≥ 2026.2.0-rc1, < 2026.2.3 | 2026-05-21
CWE-91. authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of t…
Source: nvd
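The mechanism named in that entry, XML comment injection into a SAML NameID, as an added example that is not authentik's code: a consumer that reads only the first text node of the NameID element sees a truncated identity when a comment is spliced into the value. The assertion fragment, the identities and the function names below are constructed for illustration; only the standard library's xml.dom.minidom is used, so the behaviour shown is that parser's, not authentik's.

```python
"""Added example (not from authentik or the advisory): naive vs. strict
extraction of a SAML NameID in the presence of an injected XML comment."""
from xml.dom import minidom

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment (no signature, for illustration only).
# The identity actually issued is "victim@example.com.attacker.example";
# the embedded empty comment splits it into two text nodes.
ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">victim@example.com<!---->.attacker.example</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Same identity without the comment, to show the strict reader on clean input.
CLEAN_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>victim@example.com.attacker.example</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def name_id_naive(xml_bytes: bytes) -> str:
    """Vulnerable pattern: return the first text node only. minidom keeps the
    comment as its own child node, so reading stops at it and the consumer
    believes the assertion is for "victim@example.com"."""
    doc = minidom.parseString(xml_bytes)
    node = doc.getElementsByTagNameNS(NS_SAML, "NameID")[0]
    return node.firstChild.data


def name_id_strict(xml_bytes: bytes) -> str:
    """Hardened pattern: require exactly one NameID, refuse any child that is
    not character data (comments, processing instructions, elements), and
    join all text so no part of the value is silently dropped."""
    doc = minidom.parseString(xml_bytes)
    nodes = doc.getElementsByTagNameNS(NS_SAML, "NameID")
    if len(nodes) != 1:
        raise ValueError(f"expected exactly one NameID, found {len(nodes)}")
    parts = []
    for child in nodes[0].childNodes:
        if child.nodeType not in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            raise ValueError(f"unexpected node inside NameID: {child.nodeName}")
        parts.append(child.data)
    return "".join(parts).strip()


if __name__ == "__main__":
    print("naive :", name_id_naive(ASSERTION))
    try:
        print("strict:", name_id_strict(ASSERTION))
    except ValueError as exc:
        print("strict: rejected,", exc)
    print("strict, clean input:", name_id_strict(CLEAN_ASSERTION))
```

The check worth keeping from this is the rejection, not the concatenation: a NameID that contains anything other than character data is not something a well-behaved IdP emits, and the strict reader refuses it rather than guessing which parts of the value the signature covered.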
CVE-2023-46249 | P2 | CRITICAL | CVSS 9.8 | fixed in 2023.8.4; also affected: ≥ 2023.10.0, < 2023.10.2 (+1 more range) | 2023-10-31
CWE-287. authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the de…
Source: nvd
CVE-2026-49443 | P3 | HIGH | CVSS 8.8 | fixed in 2025.12.6; also affected: ≥ 2026.2.0, < 2026.2.4 (+3 more ranges) | 2026-06-02
CWE-287. authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources, can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
Source: nvd
CVE-2022-46145 | P3 | CRITICAL | CVSS 9.8 | fixed in 2022.10.2; also affected: ≥ 2022.11, < 2022.11.2 (+1 more range) | 2022-12-02
CWE-287. authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite th…
Source: nvd
CVE-2024-37905 | P3 | HIGH | CVSS 8.8 | fixed in 2024.2.4; also affected: ≥ 2024.4.0, < 2024.4.3 (+2 more ranges) | 2024-06-28
CWE-284. authentik is an open-source Identity Provider that emphasizes flexibility and versatility. The authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the authentik application, including resetting user passwords and more. This issue has been…
Source: nvd
CVE-2024-47070 | P3 | CRITICAL | CVSS 9.0 | fixed in 2024.6.5; also affected: ≥ 2024.8.0, < 2024.8.3 (+1 more range) | 2024-09-27
CWE-287. authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding an X-Forwarded-For header with an unparsable IP address, e.g. `a`. This results in a possibility of logging into any account with a known login or email address. The vulnerability requires the…
Source: nvd
CVE-2026-49448 | P3 | CRITICAL | CVSS 9.8 | fixed in 2025.12.6; also affected: ≥ 2026.2.0, < 2026.2.4 (+3 more ranges) | 2026-06-02
CWE-287. authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
Source: nvd
CVE-2024-38371 | P3 | CRITICAL | CVSS 9.8 | fixed in 2024.2.4; also affected: ≥ 2024.4.0, < 2024.4.3 (+2 more ranges) | 2024-06-28
CWE-284. authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been patched in versions 2024.6.0, 2024.2.4 and 2024.4.3.
Source: nvd
CVE-2026-47201 | P3 | HIGH | CVSS 8.5 | fixed in 2025.12.6; also affected: ≥ 2026.2.0, < 2026.2.4 (+4 more ranges) | 2026-06-02
CWE-20. authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue…
Source: nvd
CVE-2026-40172 | P3 | HIGH | CVSS 8.1 | fixed in 2025.12.5; also affected: ≥ 2026.2.0-rc1, < 2026.2.3 | 2026-05-22
CWE-269. authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege…
Source: cvelistv5, nvd
CVE-2023-48228 | P3 | CRITICAL | CVSS 9.8 | fixed in 2023.8.5; also affected: ≥ 2023.10.0, < 2023.10.4 (+1 more range) | 2023-11-21
CWE-287. authentik is an open-source identity provider. When initialising an OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check that there is a matching and existing `code_verifier` during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks if the contents of…
Source: nvd
CVE-2026-25922 | P3 | HIGH | CVSS 8.8 | fixed in 2025.8.6; also affected: ≥ 2025.10.0, < 2025.10.4 (+3 more ranges) | 2026-02-12
CWE-287. authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, or does not have the Encryption Certificate setting under Advanced Protocol settings configured, it was possible fo…
Source: nvd
CVE-2026-25748 | P3 | HIGH | CVSS 7.5 | fixed in 2025.10.4; also affected: ≥ 2025.12.0, < 2025.12.4 (+2 more ranges) | 2026-02-12
CWE-287. authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik…
Source: nvd
CVE-2025-52553 | P3 | CRITICAL | CVSS 9.6 | fixed in 2025.4.3; also affected: ≥ 2025.6.0, < 2025.6.3 (+1 more range) | 2025-06-27
CWE-287. authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, however this check is missing in versions prior to 2025.6…
Source: nvd
CVE-2022-23555 | P3 | HIGH | CVSS 8.8 | fixed in 2022.10.4; also affected: ≥ 2022.11.0, < 2022.11.4 (+2 more ranges) | 2022-12-28
CWE-287. authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than the one provided. The vulnerability allows an attacker that knows dif…
Source: nvd
CVE-2024-52289 | P3 | CRITICAL | CVSS 9.8 | fixed in 2024.8.5; also affected: ≥ 2024.10.0, < 2024.10.3 (+1 more range) | 2024-11-21
CWE-185. authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no Redirect URIs are configured in a provider, authentik will automatically use the first redirect_uri value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Si…
Source: nvd
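The weakness in that entry is a learned redirect URI being used as a regular expression without escaping. Below is an added example, not authentik's code, that shows why: a single unescaped "." in the learned value lets a lookalike host pass the check, and what the escaped or exact-match form does instead. The URIs and function names are constructed for illustration.

```python
"""Added example (not from authentik): regex-based redirect_uri matching
with and without escaping of the learned value."""
import re

# Constructed: the first redirect_uri a provider with no configured URIs sees.
LEARNED = "https://app.example.com/callback"

# Constructed: a host an attacker can register. Every "." in LEARNED is a
# regex wildcard, so "appxexample.com" is accepted by the unescaped pattern.
LOOKALIKE = "https://appxexample.com/callback"


def learn_pattern_unescaped(first_redirect_uri: str) -> str:
    """Weak behaviour described in the advisory: the raw URI becomes the pattern."""
    return first_redirect_uri


def learn_pattern_escaped(first_redirect_uri: str) -> str:
    """Fix when a regex check is kept: escape metacharacters so the learned
    value matches only itself."""
    return re.escape(first_redirect_uri)


def redirect_allowed(pattern: str, requested: str) -> bool:
    """Regex comparison of the kind the advisory says the provider performs.
    fullmatch is used so a trailing path or query cannot be appended."""
    return re.fullmatch(pattern, requested) is not None


def redirect_allowed_exact(allowed: str, requested: str) -> bool:
    """Simplest safe alternative: byte-for-byte equality, no pattern at all."""
    return allowed == requested


if __name__ == "__main__":
    print("unescaped pattern accepts lookalike:",
          redirect_allowed(learn_pattern_unescaped(LEARNED), LOOKALIKE))
    print("escaped pattern accepts lookalike:  ",
          redirect_allowed(learn_pattern_escaped(LEARNED), LOOKALIKE))
    print("exact match accepts lookalike:      ",
          redirect_allowed_exact(LEARNED, LOOKALIKE))
```

Exact comparison is preferable wherever the deployment does not genuinely need wildcards; if regex matching stays, anything that is auto-learned or user-supplied must pass through re.escape before it is stored as a pattern.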
CVE-2026-42849 | P3 | CRITICAL | CVSS 9.3 | fixed in 2025.12.5; also affected: ≥ 2026.2.0, < 2026.2.3 (+1 more range) | 2026-06-02
CWE-79. authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor), intended to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3.
Source: nvd
CVE-2024-23647 | P3 | HIGH | CVSS 8.8 | fixed in 2023.8.7; also affected: ≥ 2023.10.0, < 2023.10.7 (+1 more range) | 2024-01-30
CWE-287. Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible…
Source: nvd
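CVE-2023-48228 and CVE-2024-23647 above both concern the same check: at the token step the server must require and verify the code_verifier whenever the authorization request carried a code_challenge, and must not let a client drop or weaken PKCE after the fact. The following is an added reference implementation of that check written from RFC 7636, not authentik's code. The stored authorization-code record, the token-request dicts and the function names are constructed; the rule that public clients must always bind a challenge is a policy choice added here and is not stated on this page.

```python
"""Added example (not from authentik): PKCE verification at the token endpoint,
lax (skips when the verifier is absent) vs. strict (RFC 7636 rules)."""
import base64
import hashlib
import hmac

# RFC 7636 Appendix B test vector, used here as the sample client's values.
CODE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"


def b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def derive_challenge(code_verifier: str, method: str) -> str:
    """Recompute the challenge using the method bound at authorization time."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


# Constructed: what the server stored when it issued the authorization code.
STORED_CODE = {"challenge": derive_challenge(CODE_VERIFIER, "S256"),
               "challenge_method": "S256"}


def verify_lax(auth_code: dict, token_request: dict) -> bool:
    """The shape the advisories warn about: the verifier is only compared when
    the client chooses to send one, so simply omitting code_verifier from the
    token request skips PKCE for a code that was issued with a challenge."""
    verifier = token_request.get("code_verifier")
    if verifier is None:
        return True
    return derive_challenge(verifier, auth_code["challenge_method"]) == auth_code["challenge"]


def verify_strict(auth_code: dict, token_request: dict, client_is_public: bool) -> bool:
    """Hardened check. Returns True only when the token request is consistent
    with what was bound to the code at authorization time."""
    stored_challenge = auth_code.get("challenge")
    verifier = token_request.get("code_verifier")
    if stored_challenge is None:
        # No challenge was bound. Policy assumption (not from the page): a public
        # client must not be allowed to start a PKCE-less flow, otherwise an
        # intercepted code can be redeemed without any verifier at all.
        return (not client_is_public) and verifier is None
    if verifier is None:
        return False  # challenge present, verifier missing: reject, never skip
    if not 43 <= len(verifier) <= 128:
        return False  # RFC 7636 section 4.1 length bounds
    expected = derive_challenge(verifier, auth_code["challenge_method"])
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    print("lax, verifier omitted:   ", verify_lax(STORED_CODE, {}))
    print("strict, verifier omitted:", verify_strict(STORED_CODE, {}, True))
    print("strict, correct verifier:", verify_strict(STORED_CODE, {"code_verifier": CODE_VERIFIER}, True))
```

The method used for recomputation comes from the stored record, never from the token request, so a client cannot ask for S256 at authorization time and then present a "plain" verifier at redemption.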
CVE-2025-53942 | P3 | HIGH | CVSS 7.4 | fixed in 2025.4.4; also affected: ≥ 2025.6.0, < 2025.6.4 (+2 more ranges) | 2025-07-23
CWE-269. authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to…
Source: nvd
CVE-2026-25227 | P3 | HIGH | CVSS 7.2 | affected: ≥ 2021.3.1, < 2025.8.6; ≥ 2025.10.0, < 2025.10.4 (+4 more ranges) | 2026-02-12
CWE-94. authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able to execute arbitrary code within the authentik server container through the test endpoint, which is intended to prevent…
Source: nvd