
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

04 Feb 2025 — Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in the 2024.10.4 release. • https://cert.pl/en/posts/2025/02/CVE-2024-11623 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 Nov 2024 — authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no Redirect URIs are configured in a provider, authentik will automatically use the first redirect_uri value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either. Given a provider with the Redirect URIs set to https://foo.example.com, an attacker can reg... • https://github.com/goauthentik/authentik/commit/85bb638243c8d7ea42ddd3b15b3f51a90d2b8c54 • CWE-185: Incorrect Regular Expression

CVSS: 6.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 Nov 2024 — authentik is an open-source identity provider. Due to the usage of a non-constant-time comparison for the /-/metrics/ endpoint, it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being expose... • https://github.com/goauthentik/authentik/commit/5ea4580884f99369f0ccfe484c04cb03a66e65b8 • CWE-208: Observable Timing Discrepancy

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Sep 2024 — authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access. Anyone who has more than one proxy provider application with different trust domains or different access control is a... • https://github.com/goauthentik/authentik/security/advisories/GHSA-8gfm-pr6x-pfh9 • CWE-863: Incorrect Authorization

CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Sep 2024 — authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding an X-Forwarded-For header with an unparsable IP address, e.g. `a`. This results in a possibility of logging into any account with a known login or email address. The vulnerability requires the authentik instance to trust the X-Forwarded-For header provided by the attacker, thus it is not reproducible from external hosts on a properly configured environment.... • https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7 • CWE-287: Improper Authentication

CVSS: 8.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Jun 2024 — authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been patched in version(s) 2024.6.0, 2024.2.4 and 2024.4.3. • https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4 • CWE-284: Improper Access Control; CWE-285: Improper Authorization

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Jun 2024 — authentik is an open-source Identity Provider that emphasizes flexibility and versatility. The Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including resetting user passwords and more. This issue has been patched in version(s) 2024.2.4, 2024.4.2 and 2024.6.0. • https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4 • CWE-284: Improper Access Control; CWE-863: Incorrect Authorization

CVSS: 10.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

30 Jan 2024 — Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker... • https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a • CWE-287: Improper Authentication

CVSS: 7.6 | EPSS: 0% | CPEs: 2 | EXPL: 0

11 Jan 2024 — Authentik is an open-source Identity Provider. Authentik is vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with `response_mode=form_post`. Such a user could use the described attacks to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 2023.8.6. • https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 | EPSS: 0% | CPEs: 2 | EXPL: 1

21 Nov 2023 — authentik is an open-source identity provider. When initialising an OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check that a matching `code_verifier` is present during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks that the contents of `code_verifier` match only when it is provided. When it is left out completely, authentik simply accepts the token request without it, even when the flow wa... • https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225 • CWE-287: Improper Authentication