BIT-authentik-2026-40166

Import Source
https://github.com/bitnami/vulndb/tree/main/data/authentik/BIT-authentik-2026-40166.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-authentik-2026-40166
Aliases
  • CVE-2026-40166
Published
2026-06-01T11:37:27.605Z
Modified
2026-06-01T14:30:04.601794867Z
Summary
authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/
Details

authentik is an open-source identity provider. In versions prior to 2025.12.5, and in 2026.2.0 through 2026.2.2, an authenticated non-admin user who holds at least one OAuth2 access token can retrieve the client_secret of any confidential OAuth2 provider they have previously authenticated against, exposing a credential to users who lack the permission to read provider configuration. The affected endpoint is GET /api/v3/oauth2/access_tokens/. Each access token in the API response carries a nested provider object, and for providers configured with client_type: confidential that object includes both client_id and client_secret, neither of which should be visible to low-privilege users. The issue is fixed in versions 2025.12.5 and 2026.2.3.
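The following is an added triage helper, not authentik's own code and not part of this advisory. It does two things a practitioner wants here: decide whether a deployed version string falls inside the affected ranges the advisory lists, and scan the JSON body returned by GET /api/v3/oauth2/access_tokens/ (fetched with a low-privilege user's bearer token) for any nested provider object that still exposes a non-empty client_secret. The paginated response shape ({"results": [...]} with a "provider" object and "pk" fields on each token) and the sample payload are constructed assumptions; adjust the field names if your instance returns something different.

```python
"""Triage helper for CVE-2026-40166 (authentik). Added example, not project code.

Assumptions (not taken from the advisory): the endpoint returns a paginated
body of the form {"results": [{"pk": ..., "provider": {...}}, ...]}, and
the sample payload below is constructed for offline testing.
"""
import json
import urllib.request

# Affected ranges from the advisory: [0, 2025.12.5) and [2026.2.0, 2026.2.3)
AFFECTED_RANGES = [
    ((0, 0, 0), (2025, 12, 5)),
    ((2026, 2, 0), (2026, 2, 3)),
]

AFFECTED_ENDPOINT = "/api/v3/oauth2/access_tokens/"


def parse_version(version: str) -> tuple:
    """'2026.2.2' -> (2026, 2, 2). Only the leading digits of each dotted
    component count, so '2026.2.2-rc1' still parses as (2026, 2, 2)."""
    parts = []
    for component in version.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    parts = (parts + [0, 0, 0])[:3]
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the version lies in one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def find_leaked_secrets(payload: dict) -> list:
    """Return [(token_pk, provider_name, client_id)] for every access token
    whose nested provider object carries a non-empty client_secret.
    On a fixed instance a non-admin caller should get an empty list."""
    leaks = []
    for token in payload.get("results", []):
        provider = token.get("provider") or {}
        if provider.get("client_secret"):
            leaks.append((token.get("pk"), provider.get("name"), provider.get("client_id")))
    return leaks


def check_instance(base_url: str, bearer_token: str) -> list:
    """Live check (network): call the endpoint as a low-privilege user whose
    account holds at least one OAuth2 access token, then scan the response."""
    req = urllib.request.Request(
        base_url.rstrip("/") + AFFECTED_ENDPOINT,
        headers={"Authorization": "Bearer " + bearer_token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return find_leaked_secrets(json.load(resp))


# Constructed sample response: one token for a confidential provider whose
# secret is exposed, one for a public provider (no secret to leak).
SAMPLE_RESPONSE = json.loads("""
{
  "pagination": {"count": 2},
  "results": [
    {"pk": 11, "provider": {"pk": 3, "name": "grafana",
      "client_type": "confidential", "client_id": "a1b2c3",
      "client_secret": "s3cr3t-value"}},
    {"pk": 12, "provider": {"pk": 4, "name": "spa-frontend",
      "client_type": "public", "client_id": "d4e5f6", "client_secret": ""}}
  ]
}
""")


if __name__ == "__main__":
    for ver in ("2025.12.4", "2025.12.5", "2026.2.2", "2026.2.3"):
        print(ver, "affected" if is_affected(ver) else "fixed")
    print("leaked:", find_leaked_secrets(SAMPLE_RESPONSE))
```

Run the live check only from an account that is deliberately non-admin: an admin is allowed to read provider secrets, so a hit from an admin token proves nothing. A non-empty result from a low-privilege account means the instance is still exposed and the listed client_secret values should be rotated after upgrading, since they must be assumed disclosed.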

Database specific
{
    "cpes": [
        "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / authentik

Package

Name
authentik
Purl
pkg:bitnami/authentik

Severity

  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2025.12.5
Introduced
2026.2.0
Fixed
2026.2.3

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/authentik/BIT-authentik-2026-40166.json"