pkg:Bitnami/authentik

30 total CVEsCRITICAL5HIGH10MEDIUM8

✅ Check your installed version

All known vulnerabilities

  • CRITICAL9.8CVE-2024-38371Insufficient access control for OAuth2 Device Code flow in authentik
    from 0, < 2024.6.0
  • CRITICAL9.8CVE-2023-48228OAuth2: PKCE can be fully circumvented
    from 0, < 2023.8.5, >= 2023.10.0, < 2023.10.4
  • CRITICAL9.8CVE-2023-46249authentik potential installation takeover when default admin user is deleted
    from 0, < 2023.8.4, >= 2023.10.0, < 2023.10.2
  • CRITICAL9.8CVE-2022-46145authentik vulnerable to unauthorized user creation and potential account takeover
    from 0, < 2022.10.2, >= 2022.11.0, < 2022.11.2
  • CRITICAL9.0CVE-2024-47070authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header
    from 0, < 2024.6.5, >= 2024.8.0, < 2024.8.3
  • HIGH8.8CVE-2026-25922authentik has a Signature Verification Bypass via SAML Assertion Wrapping
    from 0, < 2025.8.6, >= 2025.10.0, < 2025.12.4
  • HIGH8.8CVE-2024-37905Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik
    from 0, < 2024.6.0
  • HIGH8.8CVE-2022-23555authentik vulnerable to Improper Authentication via invitation URL token reuse
    from 0, < 2022.10.4, >= 2022.11.0, < 2022.11.4
  • HIGH8.7CVE-2026-40165authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation
    from 0, < 2025.12.5, >= 2026.2.0, < 2026.2.3
  • HIGH8.7CVE-2024-42490authentik has Insufficient Authorization for several API endpoints
    from 0, < 2024.4.4, >= 2024.6.0, < 2024.6.4
  • HIGH8.1CVE-2026-40172authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser
    from 0, < 2025.12.5, >= 2026.2.0, < 2026.2.3
  • HIGH8.0CVE-2025-29928authentik's deletion of sessions did not revoke sessions when using database session storage
    from 0, < 2024.12.4, >= 2025.0.0, < 2025.2.3
  • HIGH7.5CVE-2026-25748authentik has a forward authentication bypass with broken cookie
    >= 2025.10.0, < 2025.12.4
  • HIGH7.3CVE-2023-36456Authentik lacks Proxy IP headers validation
    from 0, < 2023.4.3, >= 2023.5.0, < 2023.5.5
  • HIGH7.2CVE-2026-25227authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint
    >= 2021.3.1, < 2025.8.6, >= 2025.10.0, < 2025.12.4
  • MEDIUM6.5CVE-2024-47077authentik cross-provider token validation problems
    from 0, < 2024.6.5, >= 2024.8.0, < 2024.8.3
  • MEDIUM6.5CVE-2023-26481Insufficient user check in FlowTokens by Email stage
    from 0, < 2022.12.3 | >= 2023.1.0, <= 2023.1.3, >= 2023.2.0, <= 2023.2.3
  • MEDIUM6.5CVE-2024-23647PKCE downgrade attack in Authentik
    from 0, < 2023.8.7, >= 2023.10.0, < 2023.10.7
  • MEDIUM6.4CVE-2022-46172authentik allows existing authenticated users to create arbitrary accounts
    >= 2022.10.0, < 2022.10.4, >= 2022.11.0, < 2022.11.4
  • MEDIUM5.8CVE-2025-64708authentik invitation expiry is delayed by at least 5 minutes
    from 0, < 0.0.0-20251119135424-6672e6aaa41e, >= 2000.0.0, < 2025.8.5, >= 2025.9.0, < 2025.10.2
  • MEDIUM5.4CVE-2024-21637XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode
    >= 2023.8.0, < 2023.8.6, >= 2023.10.0, < 2023.10.6
  • MEDIUM5.3CVE-2023-39522Username enumeration attack in goauthentik
    from 0, < 2023.5.6, >= 2023.6.0, < 2023.6.2
  • MEDIUM4.8CVE-2025-64521authentik deactivated service accounts can authenticate to OAuth
    from 0, < 0.0.0-20251119140106-9dbdfc3f1be0, >= 2000.0.0, < 2025.8.5, >= 2025.9.0, < 2025.10.2
  • CVE-2026-40166authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/
    from 0, < 2025.12.5, >= 2026.2.0, < 2026.2.3
  • CVE-2025-52553authentik has Insufficient Session verification for Remote Access Control endpoint access
    from 0, < 2025.4.3, >= 2025.6.0, < 2025.6.3
  • CVE-2024-52307authentik allows a timing attack due to missing constant time comparison for metrics view
    from 0, < 2024.8.5, >= 2024.10.0, < 2024.10.3
  • CVE-2024-52289authentik has an insecure default configuration for OAuth2 Redirect URIs
    from 0, < 2024.8.5, >= 2024.10.0, < 2024.10.3
  • CVE-2024-52287authentik performs insufficient validation of OAuth scopes
    from 0, < 2024.8.5, >= 2024.10.0, < 2024.10.3
  • CVE-2024-11623Stored XSS in authentik
    from 0, < 2024.10.4
  • CVE-2025-53942authentik has an insufficient check for account active status during OAuth/SAML authentication
    from 0, < 2025.4.4, >= 2025.6.0, < 2025.6.4