Auth bypass in Goauthentik Authentik
CVE-2026-40166
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 prov…
Vulnerability class: Information Disclosure
EPSS: 0.000 (1.5th percentile)
Affected products
- Goauthentik Authentik — versions < 2025.12.5, >= 2026.2.0-rc1, < 2026.2.3
Weakness classification (CWE)