authentik

A security vulnerability in authentik's OAuth2 implementation allows attackers to bypass PKCE security checks by simply omitting the code_verifier parameter, even when the OAuth2 flow was initiated with a code_challenge.

A security vulnerability in Authentik software allows attackers to steal session tokens when OAuth2 providers are configured with wildcards (*) as allowed redirect URLs.

A vulnerability in authentik's OAuth2 implementation allows attackers to bypass important PKCE security protections by removing certain parameters from authorization requests, enabling code injection attacks.

A vulnerability in Authentik software allowed any logged-in user to grant themselves administrator privileges by manipulating API tokens and changing their user assignment.

A security flaw in Authentik software bypasses access restrictions in OAuth2 Device Code Flow, allowing unauthorized users to obtain OAuth tokens and access protected applications.

A vulnerability in authentik software allows users to access certain API endpoints without proper authentication or authorization, potentially exposing sensitive certificate data.

A vulnerability in authentik allows applications and users to steal access tokens and use them to gain unauthorized access to other applications they shouldn't be able to access.

A critical vulnerability in Authentik software allows attackers to bypass password authentication by sending a manipulated X-Forwarded-For HTTP header. This enables them to log into known user accounts without providing a password.

A vulnerability in Authentik software allowed attackers with valid OAuth credentials to obtain tokens with unconfigured permissions, which could then be misused for malicious actions in trusting systems.

A vulnerability in authentik's OAuth2 component allows attackers to bypass redirect URL validation by registering domains with similar names, potentially leading to unauthorized redirects.

A vulnerability in authentik software allows attackers to guess the secret key used for authenticating an internal endpoint through repeated attempts. With this key, attackers can manipulate existing cookies or create new ones.

A vulnerability in Authentik software causes deleted user sessions to not be properly revoked when using database storage, allowing users to maintain access even after session deletion.

A vulnerability in authentik allows unauthorized users to access remote access connections by copying URLs with valid tokens, as session validation is missing.

A security vulnerability in authentik allows deactivated users with OAuth/SAML connections to partially access the system and authorize applications despite their accounts being disabled.

In the authentik authentication software, deactivated service accounts for OAuth providers can still be used for login even though they should be blocked.

A vulnerability in the authentik authentication software allows users to use expired invitations because they are not immediately recognized as invalid.

A vulnerability in authentik allows attackers to bypass authentication by using malformed cookies when authentik is configured as a Proxy Provider with Traefik or Caddy reverse proxies.

A vulnerability in authentik allows users with certain view permissions to execute arbitrary code on the server and thereby gain complete control over the application.

A vulnerability in authentik allows attackers to authenticate as any existing user by injecting malicious SAML assertions before valid signed assertions when certain security settings are not properly configured.

A vulnerability in authentik software allows users with limited management permissions to elevate themselves or other users to administrators with full system privileges by bypassing security controls.

A vulnerability in authentik allows attackers to poison OAuth2 providers by permanently storing malicious redirect URLs before authentication occurs. This leads to authorization code interception and potential account takeover for all subsequent OAuth2 login flows using the affected provider.

A security flaw in authentik's SAML processing ignores time limits and audience restrictions in authentication tokens, allowing attackers to reuse expired tokens or tokens intended for other services.

A vulnerability in authentik allows authenticated non-admin users to retrieve secret OAuth2 client credentials from providers they previously authenticated against, potentially enabling unauthorized reuse of these confidential authentication credentials.

A vulnerability in authentik allows attackers to bypass nginx authentication by setting a specific HTTP header, enabling unauthorized access to protected applications without any login credentials.

A vulnerability in Authentik software allows attackers to gain access to other user accounts by manipulating SAML assertions through injecting XML comments into NameID values.

A vulnerability in authentik's WS-Federation provider allows attackers to redirect users to malicious websites where they can intercept valid login credentials that can be misused for identity impersonation.

A critical vulnerability in authentik's Simple Flow Executor allows cross-site scripting attacks, enabling attackers to hijack user sessions or redirect users to malicious sites.

A security flaw in authentik's SAML authentication allows attackers to impersonate other users by manipulating valid digital signatures and injecting forged identity data.

A vulnerability in authentik allows attackers with low privileges to log in as any user by manipulating connections between user accounts and external sources.

A critical security vulnerability in Authentik software allows attackers to bypass authentication stages by sending an empty POST request, enabling them to log in without providing valid credentials.

Release 2026-06-10

Release 2026-05-28

Release 2026-05-28

Release 2026-05-28

Current / stable

Release 2026-05-22

Release 2026-05-13

Release 2026-05-12

Release 2026-05-12

Release 2026-05-11

Release 2026-04-10

Release 2026-04-07

Release 2026-04-07

Release 2026-04-02

Release 2026-04-01

Release 2026-03-03

Release 2026-03-02

Current / stable

Release 2026-02-24

Release 2026-02-24

Release 2026-02-17

Release 2026-02-16

Release 2026-02-12

Release 2026-02-12

Release 2026-02-12

Release 2026-02-12

Release 2026-02-11

Release 2026-02-02

Release 2026-01-30

Release 2026-01-16

EOL 2026-05-22

Release 2026-01-13

Release 2026-01-06

Release 2025-12-17

EOL 2026-02-24

EOL 2026-01-13

EOL 2025-10-27

EOL 2025-08-20

EOL 2025-04-30

EOL 2024-04-24

EOL 2023-02-14

EOL 2022-02-16