from 0, < 2025.12.6, >= 2026.0.0, < 2026.2.4, >= 2026.3.0, < 2026.5.1
CRITICAL 9.8 CVE-2024-38371 Insufficient access control for OAuth2 Device Code flow in authentik from 0, < 2024.6.0
from 0, < 2023.8.5, >= 2023.10.0, < 2023.10.4
CRITICAL 9.8 authentik potential installation takeover when default admin user is deleted
from 0, < 2023.8.4, >= 2023.10.0, < 2023.10.2
CRITICAL 9.8 authentik vulnerable to unauthorized user creation and potential account takeover
from 0, < 2022.10.2, >= 2022.11.0, < 2022.11.2
CRITICAL 9.3 authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover
from 0, < 2025.12.5, >= 2026.0.0, < 2026.2.3
CRITICAL 9.0 authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header
from 0, < 2024.6.5, >= 2024.8.0, < 2024.8.3
HIGH 8.8 authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API
from 0, < 2025.12.6, >= 2026.0.0, < 2026.2.4, >= 2026.3.0, < 2026.5.1
HIGH 8.8 authentik has a Signature Verification Bypass via SAML Assertion Wrapping
from 0, < 2025.8.6, >= 2025.10.0, < 2025.12.4
HIGH 8.8 Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik
from 0, < 2024.6.0
HIGH 8.8 authentik vulnerable to Improper Authentication via invitation URL token reuse
from 0, < 2022.10.4, >= 2022.11.0, < 2022.11.4
HIGH 8.7 authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation
from 0, < 2025.12.5, >= 2026.2.0, < 2026.2.3
HIGH 8.7 authentik has Insufficient Authorization for several API endpoints
from 0, < 2024.4.4, >= 2024.6.0, < 2024.6.4
HIGH 8.5 authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user
from 0, < 2026.5.1
HIGH 8.1 authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser
from 0, < 2025.12.5, >= 2026.2.0, < 2026.2.3
HIGH 8.0 authentik's deletion of sessions did not revoke sessions when using database session storage
from 0, < 2024.12.4, >= 2025.0.0, < 2025.2.3
HIGH 7.5 authentik has a forward authentication bypass with broken cookie
>= 2025.10.0, < 2025.12.4
HIGH 7.3 Authentik lacks Proxy IP headers validation
from 0, < 2023.4.3, >= 2023.5.0, < 2023.5.5
HIGH 7.2 authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint
>= 2021.3.1, < 2025.8.6, >= 2025.10.0, < 2025.12.4
MEDIUM 6.5 authentik cross-provider token validation problems
from 0, < 2024.6.5, >= 2024.8.0, < 2024.8.3
MEDIUM 6.5 Insufficient user check in FlowTokens by Email stage
from 0, < 2022.12.3, >= 2023.1.0, <= 2023.1.3, >= 2023.2.0, <= 2023.2.3
MEDIUM 6.5 PKCE downgrade attack in Authentik
from 0, < 2023.8.7, >= 2023.10.0, < 2023.10.7
MEDIUM 6.4 authentik allows existing authenticated users to create arbitrary accounts
>= 2022.10.0, < 2022.10.4, >= 2022.11.0, < 2022.11.4
MEDIUM 5.8 authentik invitation expiry is delayed by at least 5 minutes
from 0, < 0.0.0-20251119135424-6672e6aaa41e, >= 2000.0.0, < 2025.8.5, >= 2025.9.0, < 2025.10.2
MEDIUM 5.4 XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode
>= 2023.8.0, < 2023.8.6, >= 2023.10.0, < 2023.10.6
MEDIUM 5.3 Username enumeration attack in goauthentik
from 0, < 2023.5.6, >= 2023.6.0, < 2023.6.2
MEDIUM 4.8 authentik deactivated service accounts can authenticate to OAuth
from 0, < 0.0.0-20251119140106-9dbdfc3f1be0, >= 2000.0.0, < 2025.8.5, >= 2025.9.0, < 2025.10.2
— authentik: SAML source does not validate Conditions, timing, or audience on assertions
from 0, < 2025.12.5, >= 2026.0.0, < 2026.2.3
— authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to attacker-controlled endpoints
from 0, < 2026.2.3
— authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/
from 0, < 2025.12.5, >= 2026.2.0, < 2026.2.3
— authentik has Insufficient Session verification for Remote Access Control endpoint access
from 0, < 2025.4.3, >= 2025.6.0, < 2025.6.3
— authentik allows a timing attack due to missing constant time comparison for metrics view
from 0, < 2024.8.5, >= 2024.10.0, < 2024.10.3
— authentik has an insecure default configuration for OAuth2 Redirect URIs
from 0, < 2024.8.5, >= 2024.10.0, < 2024.10.3
— authentik performs insufficient validation of OAuth scopes
from 0, < 2024.8.5, >= 2024.10.0, < 2024.10.3
— Stored XSS in authentik
from 0, < 2024.10.4
— authentik has an insufficient check for account active status during OAuth/SAML authentication
from 0, < 2025.4.4, >= 2025.6.0, < 2025.6.4