
authentik — Vulnerabilities & Security Advisories (27)

All 27 CVE vulnerabilities found in authentik, with AI-generated Chinese analysis, references, and POCs.

Vendor: goauthentik

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-25922 | authentik has a Signature Verification Bypass via SAML Assertion Wrapping | CWE-287 | 8.8 | High | 2026-02-12 |
| CVE-2026-25748 | authentik has a forward authentication bypass with broken cookie | CWE-287 | 8.6 | High | 2026-02-12 |
| CVE-2026-25227 | authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint | CWE-94 | 9.1 | Critical | 2026-02-12 |
| CVE-2025-64708 | authentik invitation expiry is delayed by at least 5 minutes | CWE-613 | 5.8 | Medium | 2025-11-19 |
| CVE-2025-64521 | authentik deactivated service accounts can authenticate to OAuth | CWE-289 | 4.8 | Medium | 2025-11-19 |
| CVE-2025-53942 | authentik has an insufficient check for account active status during OAuth/SAML authentication | CWE-269 | 7.0 | - | 2025-07-23 |
| CVE-2025-52553 | authentik has Insufficient Session verification for Remote Access Control endpoint access | CWE-287 | 9.1 (AI) | Critical (AI) | 2025-06-27 |
| CVE-2025-29928 | authentik's deletion of sessions did not revoke sessions when using database session storage | CWE-384 | 8.0 | High | 2025-03-28 |
| CVE-2024-11623 | Stored XSS in authentik | CWE-79 | 4.8 | - | 2025-02-04 |
| CVE-2024-52287 | authentik performs insufficient validation of OAuth scopes | CWE-285 | 7.5 (AI) | High (AI) | 2024-11-21 |
| CVE-2024-52289 | authentik has an insecure default configuration for OAuth2 Redirect URIs | CWE-185 | 6.1 (AI) | Medium (AI) | 2024-11-21 |
| CVE-2024-52307 | authentik allows a timing attack due to missing constant time comparison for metrics view | CWE-208 | 9.1 (AI) | Critical (AI) | 2024-11-21 |
| CVE-2024-47077 | authentik cross-provider token validation problems | CWE-863 | 6.5 | Medium | 2024-09-27 |
| CVE-2024-47070 | authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header | CWE-287 | 9.1 | Critical | 2024-09-27 |
| CVE-2024-42490 | authentik has Insufficient Authorization for several API endpoints | CWE-285 | 7.5 | High | 2024-08-22 |
| CVE-2024-38371 | Insufficient access control for OAuth2 Device Code flow in authentik | CWE-284 | 8.6 | High | 2024-06-28 |
| CVE-2024-37905 | Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik | CWE-284 | 8.8 | High | 2024-06-28 |
| CVE-2024-23647 | PKCE downgrade attack in Authentik | CWE-287 | 6.5 | Medium | 2024-01-30 |
| CVE-2024-21637 | XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode | CWE-79 | 7.7 | High | 2024-01-11 |
| CVE-2023-48228 | OAuth2: PKCE can be fully circumvented | CWE-287 | 7.5 | High | 2023-11-21 |
| CVE-2023-46249 | authentik potential installation takeover when default admin user is deleted | CWE-287 | 9.7 | Critical | 2023-10-31 |
| CVE-2023-39522 | Username enumeration attack in goauthentik | CWE-203 | 5.3 | Medium | 2023-08-29 |
| CVE-2023-36456 | Authentik lacks Proxy IP headers validation | CWE-436 | 8.3 | High | 2023-07-06 |
| CVE-2023-26481 | Insufficient user check in FlowTokens by Email stage | CWE-345 | 9.1 | Critical | 2023-03-04 |
| CVE-2022-46172 | authentik allows existing authenticated users to create arbitrary accounts | CWE-269 | 6.4 | Medium | 2022-12-28 |
| CVE-2022-23555 | authentik vulnerable to Improper Authentication via invitation URL token reuse | CWE-287 | 9.4 | Critical | 2022-12-28 |
| CVE-2022-46145 | authentik vulnerable to unauthorized user creation and potential account takeover | CWE-287 | 8.1 | High | 2022-12-02 |

Values marked (AI) carry the page's "AI" badge; "-" means no severity rating is listed.
