
goauthentik authentik

27 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-25922 | affected: < 2025.8.6 | severity: 8.8 HIGH
authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the

CVE-2026-25748 | affected: < 2025.10.4 | severity: 8.6 HIGH
authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass

CVE-2026-25227 | affected: >= 2021.3.1 and < 2025.8.6 | severity: 9.1 CRITICAL
authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated pe

CVE-2025-64708 | affected: >= 2025.8.0 and < 2025.8.5 | severity: 5.8 MEDIUM
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitatio

CVE-2025-64521 | affected: >= 2025.8.0 and < 2025.8.5 | severity: 4.8 MEDIUM
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and cl

CVE-2025-53942 | affected: < 2025.4.4 | severity: 7.4 HIGH
authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocol

CVE-2025-52553 | affected: < 2025.4.3 | severity: 9.6 CRITICAL
authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used

CVE-2025-29928 | affected: < 2024.12.4 | severity: 8.0 HIGH
authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the

CVE-2024-11623 | affected: < 2024.10.4 | severity: 4.8 MEDIUM
Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. T

CVE-2024-52307 | affected: < 2024.8.5 | severity: 5.6 MEDIUM
authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it

CVE-2024-52289 | affected: < 2024.8.5 | severity: 9.8 CRITICAL
authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.

CVE-2024-52287 | affected: < 2024.8.5 | severity: 7.2 HIGH
authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for

CVE-2024-47077 | affected: < 2024.6.5 | severity: 6.5 MEDIUM
authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application ca

CVE-2024-47070 | affected: < 2024.6.5 | severity: 9.0 CRITICAL
authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypas

CVE-2024-42490 | affected: < 2024.4.4 | severity: 7.5 HIGH
authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/autho

CVE-2024-38371 | affected: < 2024.2.4 | severity: 8.6 HIGH
authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAut

CVE-2024-37905 | affected: < 2024.2.4 | severity: 8.8 HIGH
authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism ca

CVE-2024-23647 | affected: < 2023.8.7 | severity: 6.5 MEDIUM
Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent

CVE-2024-21637 | affected: >= 2023.8.0 and < 2023.8.6 | severity: 7.6 HIGH
Authentik is an open-source Identity Provider. Authentik is vulnerable to a reflected Cross-Site Scripting vulnerability via Jav

CVE-2023-48228 | affected: < 2023.8.5 | severity: 7.5 HIGH
authentik is an open-source identity provider. When initialising an OAuth2 flow with a code_challenge and code_method (thus req

CVE-2023-46249 | affected: < 2023.8.4 | severity: 9.6 CRITICAL
authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been dele

CVE-2023-39522 | affected: < 2023.5.6 | severity: 5.3 MEDIUM
goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage an attack

CVE-2023-36456 | affected: < 2023.4.3 | severity: 8.3 HIGH
authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of th

CVE-2023-26481 | affected: < 2022.12.3 | severity: 9.1 CRITICAL
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an adm

CVE-2022-46172 | affected: >= 2022.10.0 and < 2022.10.4 | severity: 6.4 MEDIUM
authentik is an open-source Identity provider focused on flexibility and versatility. In versions prior to 2022.10.4, and 2022.11.

CVE-2022-23555 | affected: < 2022.10.4 | severity: 9.4 CRITICAL
authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 ar

CVE-2022-46145 | affected: < 2022.10.2 | severity: 8.1 HIGH
authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creat
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin