Every CVE whose affected-product data names Goauthentik Authentik, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (33)
CVE-2026-49448 — CVSS 9.8 (critical): authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by…
CVE-2024-52289 — CVSS 9.8 (critical): authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no…
CVE-2023-46249 — CVSS 9.6 (critical): authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it…
CVE-2025-52553 — CVSS 9.6 (critical): authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a…
CVE-2022-23555 — CVSS 9.4 (critical): authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are…
CVE-2026-42849 — CVSS 9.3 (critical): authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE…
CVE-2023-26481 — CVSS 9.1 (critical): authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or…
CVE-2026-25227 — CVSS 9.1 (critical): authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated…
CVE-2024-47070 — CVSS 9.0 (critical): authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing…
CVE-2026-49443 — CVSS 8.8 (high): authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change…
CVE-2026-25922 — CVSS 8.8 (high): authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option…
CVE-2024-37905 — CVSS 8.8 (high): authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be…
CVE-2024-38371 — CVSS 8.6 (high): authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device…
CVE-2026-25748 — CVSS 8.6 (high): authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass…
CVE-2026-47201 — CVSS 8.5 (high): authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is…
CVE-2023-36456 — CVSS 8.3 (high): authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the…
CVE-2022-46145 — CVSS 8.1 (high): authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and…
CVE-2025-29928 — CVSS 8.0 (high): authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database…
CVE-2024-21637 — CVSS 7.6 (high): Authentik is an open-source Identity Provider. Authentik is a vulnerable to a reflected Cross-Site Scripting vulnerability via…
CVE-2023-48228 — CVSS 7.5 (high): authentik is an open-source identity provider. When initialising a oauth2 flow with a `code_challenge` and `code_method` (thus requesting…
CVE-2026-41577 — CVSS 7.5 (high): authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor…
CVE-2024-42490 — CVSS 7.5 (high): authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization…
CVE-2025-53942 — CVSS 7.4 (high): authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In…
CVE-2024-52287 — CVSS 7.2 (high): authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an…
CVE-2024-47077 — CVSS 6.5 (medium): authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be…
CVE-2024-23647 — CVSS 6.5 (medium): Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the…
CVE-2022-46172 — CVSS 6.4 (medium): authentik is an open-source Identity provider focused on flexibility and versatility. In versions prior to 2022.10.4, and 2022.11.4, any…
CVE-2026-41569 — CVSS 6.1 (medium): authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply…
CVE-2025-64708 — CVSS 5.8 (medium): authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were…
CVE-2024-52307 — CVSS 5.6 (medium): authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was…
CVE-2023-39522 — CVSS 5.3 (medium): goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage an attacker is…
CVE-2024-11623 — CVSS 4.8 (medium): Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action…
CVE-2025-64521 — CVSS 4.8 (medium): authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and…