Goauthentik Authentik vulnerabilities
36 known vulnerabilities affecting goauthentik/authentik.
Total CVEs: 36
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 9, HIGH 17, MEDIUM 10
Vulnerabilities
Page 2 of 2
CVE-2025-29928 | P3 | HIGH | CVSS 8.0 | CWE-384 | fixed in 2024.12.4; affected ≥ 2025.2.0, < 2025.2.3 (+1 more) | 2025-03-28
authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 202
Source: nvd
CVE-2024-42490 | P3 | HIGH | CVSS 7.5 | CWE-285 | fixed in 2024.4.4; affected ≥ 2024.6.0, < 2024.6.4 (+1 more) | 2024-08-22
authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs//view_certificate/, /api/v3/crypto/certificatekeypairs//view_private_key/, and /api/v3/.../used_by/. Note that all of the affected API
Source: nvd
CVE-2026-41577 | P3 | HIGH | CVSS 7.5 | CWE-345 | fixed in 2025.12.5; affected ≥ 2026.2.0, < 2026.2.3 (+1 more) | 2026-06-02
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended
Source: nvd
CVE-2026-40166 | P3 | HIGH | CVSS 7.1 | CWE-200 | fixed in 2025.12.5; affected ≥ 2026.2.0-rc1, < 2026.2.3 | 2026-05-22
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct perm
Sources: cvelistv5, nvd
CVE-2023-36456 | P3 | HIGH | CVSS 7.3 | CWE-436 | fixed in 2023.4.3; affected ≥ 2023.5.0, < 2023.5.5 (+1 more) | 2023-07-06
authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the Go code. Only authentik setups that are directly accessible by users without a reverse proxy are susceptible to this. Possible spoofing of IP addresse
Source: nvd
CVE-2024-52287 | P3 | HIGH | CVSS 7.2 | CWE-285 | fixed in 2024.8.5; affected ≥ 2024.10.0, < 2024.10.3 (+1 more) | 2024-11-21
authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue.
Source: nvd
CVE-2022-46172 | P3 | MEDIUM | CVSS 6.4 | CWE-269 | affected ≥ 2022.10.0, < 2022.10.4; ≥ 2022.11.0, < 2022.11.4 (+2 more) | 2022-12-28
authentik is an open-source Identity provider focused on flexibility and versatility. In versions prior to 2022.10.4 and 2022.11.4, any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where it is undesirable for users to create new accounts by themselves. This
Source: nvd
CVE-2024-47077 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 2024.6.5; affected ≥ 2024.8.0, < 2024.8.3 (+1 more) | 2024-09-27
authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another appl
Source: nvd
CVE-2023-26481 | P3 | MEDIUM | CVSS 6.5 | CWE-345 | fixed in 2022.12.3; affected ≤ 2023.1.3 (+4 more) | 2023-03-04
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an Identification and an Email stage bound to it. If the flo
Source: nvd
CVE-2024-52307 | P4 | MEDIUM | CVSS 5.6 | CWE-208 | fixed in 2024.8.5; affected ≥ 2024.10.0, < 2024.10.3 (+1 more) | 2024-11-21
authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authe
Source: nvd
CVE-2026-41569 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 2026.2.3 | 2026-06-02
authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com
Source: nvd
CVE-2025-64708 | P4 | MEDIUM | CVSS 5.3 | CWE-613 | affected ≥ 2025.8.0, < 2025.8.5; ≥ 2025.10.0, < 2025.10.2 (+2 more) | 2025-11-19
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, invitations were considered valid regardless of whether they had expired, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is sched
Source: nvd
CVE-2023-39522 | P4 | MEDIUM | CVSS 5.3 | CWE-203 | fixed in 2023.5.6; affected ≥ 2023.6.0, < 2023.6.2 (+1 more) | 2023-08-29
goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage, an attacker is able to determine whether a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recovery flow described above is susceptible to having their u
Source: nvd
CVE-2024-21637 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected ≥ 2023.8.0, < 2023.8.6; ≥ 2023.10.0, < 2023.10.6 (+1 more) | 2024-01-11
Authentik is an open-source Identity Provider. Authentik is vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with `response_mode=form_post`. This relatively user could use the described attacks to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 202
Source: nvd
CVE-2025-64521 | P4 | MEDIUM | CVSS 4.8 | CWE-289 | affected ≥ 2025.8.0, < 2025.8.5; ≥ 2025.10.0, < 2025.10.2 (+2 more) | 2025-11-19
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions
Source: nvd
CVE-2024-11623 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 2024.10.4 | 2025-02-04
The Authentik project is vulnerable to stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in the 2024.10.4 release.
Source: nvd