CVE Daily
← All tags

Tag: Authentik

All CVEs associated with "Authentik". Page 1/1 • 23 CVEs.

About “Authentik”

A curated feed of “Authentik”-related CVEs appears below. We currently track 23 CVEs for this tag (all time). In the last 365 days, 15 were published. Average CVSS is 8.1 (all time; 8.0 over 365d), and 78% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-287 - Improper Authentication, CWE-269 - Improper Privilege Management, CWE-20 - Improper Input Validation.

In our taxonomy this topic maps to a LOW impact class. Identity providers govern authentication across the estate. Upgrade, enforce phishing resistant MFA, review audit logs, rotate admin keys, and tighten policies. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: authentik

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
2026.52026.5.2-
2026.22026.2.4-
2025.122025.12.6 Expired
2025.102025.10.4 Expired
2025.82025.8.6 Expired
2025.62025.6.4 Expired
2025.42025.4.4 Expired
2024.122024.12.5 Expired
2023.102023.10.7 Expired
2022.122022.12.3 Expired
2021.122021.12.5 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Authentik”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-06-02
Critical

CVE-2026-49448

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2026-49443

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2026-47201

authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstre…

CVSS: 8.5 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2026-42849

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more comp…

CVSS: 9.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-41569

authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper UR…

CVSS: 6.9 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Medium

CVE-2026-41577

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on ass…

CVSS: 6.9 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2026-05-29
Critical

CVE-2026-44649

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0,…

CVSS: 9.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2026-05-22
High

CVE-2026-40172

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target us…

CVSS: 8.1 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2026-40166

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the c…

CVSS: 7.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2026-05-21
High

CVE-2026-40165

authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Inject…

CVSS: 8.7 CWE: CWE-91 - XML Injection (aka Blind XPath Injection) View on NVD
2026-02-12
High

CVE-2026-25922

authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enab…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD
2025-11-19
Medium

CVE-2025-64708

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus…

CVSS: 5.8 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Medium

CVE-2025-64521

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account…

CVSS: 4.8 CWE: CWE-289 - Authentication Bypass by Alternate Name View on NVD
2025-07-23
High

CVE-2025-53942

authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1…

CVSS: 7.4 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-06-27
Critical

CVE-2025-52553

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This t…

CVSS: 9.6 CWE: CWE-287 - Improper Authentication View on NVD
2025-03-28
High

CVE-2025-29928

authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleti…

CVSS: 8.0 CWE: CWE-384 - Session Fixation View on NVD
2024-11-21
Critical

CVE-2024-52289

authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no Redirect URIs are configured in a provider, authentik will au…

CVSS: 9.8 CWE: CWE-185 - Incorrect Regular Expression View on NVD
High

CVE-2024-52287

authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't be…

CVSS: 7.2 CWE: CWE-285 - Improper Authorization View on NVD
2024-09-27
Medium

CVE-2024-47077

authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user agai…

CVSS: 6.5 CWE: CWE-863 - Incorrect Authorization View on NVD
Critical

CVE-2024-47070

authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsab…

CVSS: 9.0 CWE: CWE-287 - Improper Authentication View on NVD
2024-08-22
High

CVE-2024-42490

authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/…

CVSS: 7.5 CWE: CWE-285 - Improper Authorization View on NVD
2024-06-28
High

CVE-2024-38371

authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the c…

CVSS: 8.6 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2024-37905

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of…

CVSS: 8.8 CWE: CWE-284 - Improper Access Control View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox