goauthentik authentik vulnerabilities and exploits
CVE-2024-23647 (Goauthentik Authentik; risk score: NA)
Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows a malicious user to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the...

CVE-2024-21637 (Goauthentik Authentik; risk score: NA)
Authentik is an open-source Identity Provider. Authentik is vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with `response_mode=form_post`. This relatively user could use the described attacks to perform a privilege escal...

CVE-2023-48228 (Goauthentik Authentik; risk score: NA)
authentik is an open-source identity provider. When initialising an oauth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check if there is a matching and existing `code_verifier` during the token step. Prior to ...

CVE-2023-46249 (Goauthentik Authentik; risk score: NA)
authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for a malicious user to set the password of the default admin user without any authentication. authentik uses a bluep...

CVE-2023-39522 (Goauthentik Authentik; risk score: NA)
goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage, an attacker is able to determine if a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system...

CVE-2023-36456 (Goauthentik Authentik; risk score: NA)
authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the go code. Only authentik setups that are directly accessible by users without ...

CVE-2023-26481 (Goauthentik Authentik; risk score: NA)
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, whi...

CVE-2022-46172 (Goauthentik Authentik; risk score: NA)
authentik is an open-source Identity provider focused on flexibility and versatility. In versions before 2022.10.4 and 2022.11.4, any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where it...

CVE-2022-23555 (Goauthentik Authentik; risk score: NA)
authentik is an open-source Identity Provider focused on flexibility and versatility. Versions before 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than i...

CVE-2022-46145 (Goauthentik Authentik; risk score: NA)
authentik is an open-source identity provider. Versions before 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for...