| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-25922 | authentik has a Signature Verification Bypass via SAML Assertion Wrapping | goauthentik | authentik | High | 8.8 | 2026-02-12 19:38:17 | Deep Dive |
| CVE-2026-25748 | authentik has a forward authentication bypass with broken cookie | goauthentik | authentik | High | 8.6 | 2026-02-12 19:36:46 | Deep Dive |
| CVE-2026-25227 | authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint | goauthentik | authentik | Critical | 9.1 | 2026-02-12 19:25:27 | Deep Dive |
| CVE-2025-64708 | authentik invitation expiry is delayed by at least 5 minutes | goauthentik | authentik | Medium | 5.8 | 2025-11-19 17:03:23 | Deep Dive |
| CVE-2025-64521 | authentik deactivated service accounts can authenticate to OAuth | goauthentik | authentik | Medium | 4.8 | 2025-11-19 17:03:20 | Deep Dive |
| CVE-2025-53942 | authentik has an insufficient check for account active status during OAuth/SAML authentication | goauthentik | authentik | Critical | - | 2025-07-23 20:35:07 | Deep Dive |
| CVE-2025-52553 | authentik has Insufficient Session verification for Remote Access Control endpoint access | goauthentik | authentik | - | - | 2025-06-27 15:03:13 | Deep Dive |
| CVE-2025-29928 | authentik's deletion of sessions did not revoke sessions when using database session storage | goauthentik | authentik | High | 8.0 | 2025-03-28 14:42:40 | Deep Dive |
| CVE-2024-11623 | Stored XSS in authentik | goauthentik | authentik | Medium | - | 2025-02-04 13:34:11 | Deep Dive |
| CVE-2024-52287 | authentik performs insufficient validation of OAuth scopes | goauthentik | authentik | - | - | 2024-11-21 17:23:41 | Deep Dive |
| CVE-2024-52289 | authentik has an insecure default configuration for OAuth2 Redirect URIs | goauthentik | authentik | - | - | 2024-11-21 17:18:41 | Deep Dive |
| CVE-2024-52307 | authentik allows a timing attack due to missing constant time comparison for metrics view | goauthentik | authentik | - | - | 2024-11-21 17:14:52 | Deep Dive |
| CVE-2024-47077 | authentik cross-provider token validation problems | goauthentik | authentik | Medium | 6.5 | 2024-09-27 15:26:21 | Deep Dive |
| CVE-2024-47070 | authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header | goauthentik | authentik | Critical | 9.0 | 2024-09-27 15:18:04 | Deep Dive |
| CVE-2024-42490 | authentik has Insufficient Authorization for several API endpoints | goauthentik | authentik | High | 7.5 | 2024-08-22 15:34:46 | Deep Dive |
| CVE-2024-38371 | Insufficient access control for OAuth2 Device Code flow in authentik | goauthentik | authentik | High | 8.6 | 2024-06-28 17:58:48 | Deep Dive |
| CVE-2024-37905 | Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik | goauthentik | authentik | High | 8.8 | 2024-06-28 17:09:24 | Deep Dive |
| CVE-2024-23647 | PKCE downgrade attack in Authentik | goauthentik | authentik | Medium | 6.5 | 2024-01-30 16:10:56 | Deep Dive |
| CVE-2024-21637 | XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode | goauthentik | authentik | High | 7.6 | 2024-01-11 05:49:44 | Deep Dive |
| CVE-2023-48228 | OAuth2: PKCE can be fully circumvented | goauthentik | authentik | High | 7.5 | 2023-11-21 20:48:33 | Deep Dive |