goauthentik — Vulnerabilities & Security Advisories (27)

Browse all 27 CVE security advisories affecting goauthentik. An AI-generated Chinese-language analysis, proof-of-concept (POC) references, and advisory references are provided for each vulnerability.

Top products by goauthentik: authentik

Values marked (AI) carry the page's "AI" badge, i.e. a site-generated estimate rather than the score published with the advisory; "-" means no severity is listed.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-25922 | authentik has a Signature Verification Bypass via SAML Assertion Wrapping | authentik | CWE-287 | 8.8 | High | 2026-02-12
CVE-2026-25748 | authentik has a forward authentication bypass with broken cookie | authentik | CWE-287 | 8.6 | High | 2026-02-12
CVE-2026-25227 | authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint | authentik | CWE-94 | 9.1 | Critical | 2026-02-12
CVE-2025-64708 | authentik invitation expiry is delayed by at least 5 minutes | authentik | CWE-613 | 5.8 | Medium | 2025-11-19
CVE-2025-64521 | authentik deactivated service accounts can authenticate to OAuth | authentik | CWE-289 | 4.8 | Medium | 2025-11-19
CVE-2025-53942 | authentik has an insufficient check for account active status during OAuth/SAML authentication | authentik | CWE-269 | 7.0 | - | 2025-07-23
CVE-2025-52553 | authentik has Insufficient Session verification for Remote Access Control endpoint access | authentik | CWE-287 | 9.1 (AI) | Critical (AI) | 2025-06-27
CVE-2025-29928 | authentik's deletion of sessions did not revoke sessions when using database session storage | authentik | CWE-384 | 8.0 | High | 2025-03-28
CVE-2024-11623 | Stored XSS in authentik | authentik | CWE-79 | 4.8 | - | 2025-02-04
CVE-2024-52287 | authentik performs insufficient validation of OAuth scopes | authentik | CWE-285 | 7.5 (AI) | High (AI) | 2024-11-21
CVE-2024-52289 | authentik has an insecure default configuration for OAuth2 Redirect URIs | authentik | CWE-185 | 6.1 (AI) | Medium (AI) | 2024-11-21
CVE-2024-52307 | authentik allows a timing attack due to missing constant time comparison for metrics view | authentik | CWE-208 | 9.1 (AI) | Critical (AI) | 2024-11-21
CVE-2024-47077 | authentik cross-provider token validation problems | authentik | CWE-863 | 6.5 | Medium | 2024-09-27
CVE-2024-47070 | authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header | authentik | CWE-287 | 9.1 | Critical | 2024-09-27
CVE-2024-42490 | authentik has Insufficient Authorization for several API endpoints | authentik | CWE-285 | 7.5 | High | 2024-08-22
CVE-2024-38371 | Insufficient access control for OAuth2 Device Code flow in authentik | authentik | CWE-284 | 8.6 | High | 2024-06-28
CVE-2024-37905 | Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik | authentik | CWE-284 | 8.8 | High | 2024-06-28
CVE-2024-23647 | PKCE downgrade attack in Authentik | authentik | CWE-287 | 6.5 | Medium | 2024-01-30
CVE-2024-21637 | XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode | authentik | CWE-79 | 7.7 | High | 2024-01-11
CVE-2023-48228 | OAuth2: PKCE can be fully circumvented | authentik | CWE-287 | 7.5 | High | 2023-11-21
CVE-2023-46249 | authentik potential installation takeover when default admin user is deleted | authentik | CWE-287 | 9.7 | Critical | 2023-10-31
CVE-2023-39522 | Username enumeration attack in goauthentik | authentik | CWE-203 | 5.3 | Medium | 2023-08-29
CVE-2023-36456 | Authentik lacks Proxy IP headers validation | authentik | CWE-436 | 8.3 | High | 2023-07-06
CVE-2023-26481 | Insufficient user check in FlowTokens by Email stage | authentik | CWE-345 | 9.1 | Critical | 2023-03-04
CVE-2022-46172 | authentik allows existing authenticated users to create arbitrary accounts | authentik | CWE-269 | 6.4 | Medium | 2022-12-28
CVE-2022-23555 | authentik vulnerable to Improper Authentication via invitation URL token reuse | authentik | CWE-287 | 9.4 | Critical | 2022-12-28
CVE-2022-46145 | authentik vulnerable to unauthorized user creation and potential account takeover | authentik | CWE-287 | 8.1 | High | 2022-12-02

This page lists every published CVE security advisory associated with goauthentik. Each entry links to a detailed page with its CVSS score, CWE classification, affected products and references. An AI-generated Chinese-language analysis is provided for fast triage.