CVE-2024-52307

CVE-2024-52307 is a medium-severity vulnerability in Goauthentik Authentik with a CVSS 3.x base score of 5.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-208.

Key facts

Description

authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly. authentik 2024.8.5 and 2024.10.3 fix this issue. Since the /-/metrics/ endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik.

Frequently asked questions

What is CVE-2024-52307?
authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly. authentik 2024.8.5 and 2024.10.3 fix this issue. Since the /-/metrics/ endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik.
How severe is CVE-2024-52307?
CVE-2024-52307 has a CVSS 3.x base score of 5.6, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
Is CVE-2024-52307 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (41st percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2024-52307?
CVE-2024-52307 affects Goauthentik Authentik. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-52307?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-52307 have an EU (EUVD) identifier?
Yes. CVE-2024-52307 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-45992.
When was CVE-2024-52307 published?
CVE-2024-52307 was published on 2024-11-21 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Goauthentik Authentik

All CVEs affecting Goauthentik Authentik →

Other CWE-208 vulnerabilities

Browse all CWE-208 vulnerabilities →