
goauthentik — Vulnerabilities & Security Advisories (27)

Browse all 27 CVE security advisories affecting goauthentik. AI-powered Chinese analysis, POCs, and references for each vulnerability.

goauthentik functions as an open-source identity provider, primarily serving as a self-hosted solution for single sign-on and identity governance. Its architecture supports complex authentication workflows, making it a critical component in enterprise access management strategies. Security audits have identified twenty-seven recorded Common Vulnerabilities and Exposures, reflecting the inherent risks of maintaining a complex, feature-rich identity platform. Historically, the most prevalent vulnerability classes include cross-site scripting and privilege escalation flaws, often stemming from improper input validation or insufficient access controls within its web interface. While no catastrophic, widespread data breaches have been publicly attributed to these specific CVEs, the high volume of findings indicates a need for rigorous patch management. The software’s open-source nature allows for community-driven security reviews, yet the frequency of issues suggests that continuous integration testing and code review processes remain essential for maintaining system integrity against potential exploitation.

Top products by goauthentik: authentik
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-25922 | authentik has a Signature Verification Bypass via SAML Assertion Wrapping | authentik | CWE-287 | 8.8 | High | 2026-02-12 |
| CVE-2026-25748 | authentik has a forward authentication bypass with broken cookie | authentik | CWE-287 | 8.6 | High | 2026-02-12 |
| CVE-2026-25227 | authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint | authentik | CWE-94 | 9.1 | Critical | 2026-02-12 |
| CVE-2025-64708 | authentik invitation expiry is delayed by at least 5 minutes | authentik | CWE-613 | 5.8 | Medium | 2025-11-19 |
| CVE-2025-64521 | authentik deactivated service accounts can authenticate to OAuth | authentik | CWE-289 | 4.8 | Medium | 2025-11-19 |
| CVE-2025-53942 | authentik has an insufficient check for account active status during OAuth/SAML authentication | authentik | CWE-269 | 7.0 | - | 2025-07-23 |
| CVE-2025-52553 | authentik has Insufficient Session verification for Remote Access Control endpoint access | authentik | CWE-287 | 9.1 (AI) | Critical (AI) | 2025-06-27 |
| CVE-2025-29928 | authentik's deletion of sessions did not revoke sessions when using database session storage | authentik | CWE-384 | 8.0 | High | 2025-03-28 |
| CVE-2024-11623 | Stored XSS in authentik | authentik | CWE-79 | 4.8 | - | 2025-02-04 |
| CVE-2024-52287 | authentik performs insufficient validation of OAuth scopes | authentik | CWE-285 | 7.5 (AI) | High (AI) | 2024-11-21 |
| CVE-2024-52289 | authentik has an insecure default configuration for OAuth2 Redirect URIs | authentik | CWE-185 | 6.1 (AI) | Medium (AI) | 2024-11-21 |
| CVE-2024-52307 | authentik allows a timing attack due to missing constant time comparison for metrics view | authentik | CWE-208 | 9.1 (AI) | Critical (AI) | 2024-11-21 |
| CVE-2024-47077 | authentik cross-provider token validation problems | authentik | CWE-863 | 6.5 | Medium | 2024-09-27 |
| CVE-2024-47070 | authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header | authentik | CWE-287 | 9.1 | Critical | 2024-09-27 |
| CVE-2024-42490 | authentik has Insufficient Authorization for several API endpoints | authentik | CWE-285 | 7.5 | High | 2024-08-22 |
| CVE-2024-38371 | Insufficient access control for OAuth2 Device Code flow in authentik | authentik | CWE-284 | 8.6 | High | 2024-06-28 |
| CVE-2024-37905 | Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik | authentik | CWE-284 | 8.8 | High | 2024-06-28 |
| CVE-2024-23647 | PKCE downgrade attack in Authentik | authentik | CWE-287 | 6.5 | Medium | 2024-01-30 |
| CVE-2024-21637 | XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode | authentik | CWE-79 | 7.7 | High | 2024-01-11 |
| CVE-2023-48228 | OAuth2: PKCE can be fully circumvented | authentik | CWE-287 | 7.5 | High | 2023-11-21 |
| CVE-2023-46249 | authentik potential installation takeover when default admin user is deleted | authentik | CWE-287 | 9.7 | Critical | 2023-10-31 |
| CVE-2023-39522 | Username enumeration attack in goauthentik | authentik | CWE-203 | 5.3 | Medium | 2023-08-29 |
| CVE-2023-36456 | Authentik lacks Proxy IP headers validation | authentik | CWE-436 | 8.3 | High | 2023-07-06 |
| CVE-2023-26481 | Insufficient user check in FlowTokens by Email stage | authentik | CWE-345 | 9.1 | Critical | 2023-03-04 |
| CVE-2022-46172 | authentik allows existing authenticated users to create arbitrary accounts | authentik | CWE-269 | 6.4 | Medium | 2022-12-28 |
| CVE-2022-23555 | authentik vulnerable to Improper Authentication via invitation URL token reuse | authentik | CWE-287 | 9.4 | Critical | 2022-12-28 |
| CVE-2022-46145 | authentik vulnerable to unauthorized user creation and potential account takeover | authentik | CWE-287 | 8.1 | High | 2022-12-02 |

(AI): the score and severity carried an "AI" badge on the source listing; "-" means no severity rating was shown.

This page lists every published CVE security advisory associated with goauthentik. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.