Auth bypass in Goauthentik Authentik
CVE-2023-46249
authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any aut…
Vulnerability class: Broken Authentication
EPSS: 0.007 (72.1th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.7 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.
Affected products
- Goauthentik Authentik — versions < 2023.8.4, >= 2023.10.0, < 2023.10.2
Weakness classification (CWE)
Public proof-of-concept exploits
References
- https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w (x_refsource_CONFIRM)
- https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0 (x_refsource_MISC)
- https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc (x_refsource_MISC)
- https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2 (x_refsource_MISC)
- https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2023-46249?
- CVE-2023-46249 is a critical-severity vulnerability in Goauthentik Authentik, classified under Improper Authentication. CVSS score: 9.7/10. Published 2023-10-31.
- How severe is CVE-2023-46249?
- Critical severity. CVSS v3 base score is 9.7 out of 10.
- Is CVE-2023-46249 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.