CVE-2026-40166

Source
https://cve.org/CVERecord?id=CVE-2026-40166
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40166.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40166
Aliases
Published
2026-05-22T18:52:46.650Z
Modified
2026-07-08T08:26:30.016195630Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator
Summary
authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/
Details

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the clientsecret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. This logic is GET /api/v3/oauth2/accesstokens/. The API response includes a nested provider object containing clientid and clientsecret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200",
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40166.json"
}
References

Affected packages

Git / github.com/goauthentik/authentik

Affected ranges

Type
GIT
Repo
https://github.com/goauthentik/authentik
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2026.2.0-rc1"
        },
        {
            "fixed": "2026.2.2"
        }
    ],
    "source": "DESCRIPTION"
}

Affected versions

version/2026.*
version/2026.2.0
version/2026.2.0-rc1
version/2026.2.0-rc2
version/2026.2.0-rc3
version/2026.2.0-rc4
version/2026.2.0-rc5
version/2026.2.1
version/2026.2.1-rc1
version/2026.2.2-rc1
version/2026.2.2-rc2
version/2026.2.2-rc3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40166.json"