Goauthentik Authentik
36 CVEs affecting Goauthentik Authentik. Latest disclosed: 2026-06-02. Critical: 7, High: 15.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-49448 | Critical | 9.8 | 2026-06-02 | authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST… |
| CVE-2023-46249 | Critical | 9.7 | 2023-10-31 | authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possib… |
| CVE-2022-23555 | Critical | 9.4 | 2022-12-28 | authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Auth… |
| CVE-2026-42849 | Critical | 9.3 | 2026-06-02 | authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor)… |
| CVE-2026-25227 | Critical | 9.1 | 2026-02-12 | authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has th… |
| CVE-2024-47070 | Critical | 9.1 | 2024-09-27 | authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding… |
| CVE-2023-26481 | Critical | 9.1 | 2023-03-04 | authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an a… |
| CVE-2026-49443 | High | 8.8 | 2026-06-02 | authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection… |
| CVE-2026-25922 | High | 8.8 | 2026-02-12 | authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signa… |
| CVE-2024-37905 | High | 8.8 | 2024-06-28 | authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin… |
| CVE-2026-40165 | High | 8.7 | 2026-05-21 | authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypas… |
| CVE-2026-25748 | High | 8.6 | 2026-02-12 | authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using fo… |
| CVE-2024-38371 | High | 8.6 | 2024-06-28 | authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This cou… |
| CVE-2026-47201 | High | 8.5 | 2026-06-02 | authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML S… |
| CVE-2023-36456 | High | 8.3 | 2023-07-06 | authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-… |
| CVE-2026-40172 | High | 8.1 | 2026-05-22 | authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows… |
| CVE-2022-46145 | High | 8.1 | 2022-12-02 | authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account tak… |
| CVE-2025-29928 | High | 8.0 | 2025-03-28 | authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage… |
| CVE-2024-21637 | High | 7.7 | 2024-01-11 | Authentik is an open-source Identity Provider. Authentik is vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connec… |
| CVE-2026-41577 | High | 7.5 | 2026-06-02 | authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does no… |