Unknown · Goauthentik · CVE-2023-39522
**Name of the Vulnerable Software and Affected Versions**
goauthentik 2023.5 series before 2023.5.6 (and all earlier releases)
goauthentik 2023.6 series before 2023.6.2
**Description**
goauthentik is an open-source identity provider. In affected versions, the identification stage of a recovery flow returns a distinct message when the submitted identifier does not match any account, so an attacker can submit candidate identifiers and read the reply to learn which usernames or email addresses are registered. Depending on how the identification stage is configured, the oracle works on usernames, email addresses, or both. Because a recovery flow is reachable before login, the check is trivial to automate against a wordlist. Only deployments that have a recovery flow configured are affected.
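The following is an added illustration of the oracle described above and of the constant-response fix for it. It is written for this page and is not authentik's code: the user directory, the stage logic and the messages are all constructed here, and `leaky_identification_stage`, `uniform_identification_stage` and `enumerate_users` are hypothetical names.

```python
import secrets

# Constructed directory for the demonstration (assumption: the identification
# stage accepts either a username or an e-mail address, which is one of the
# configurations the advisory describes).
USERS = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
}


def _lookup(identifier: str):
    """Return the username matching a username or e-mail, or None."""
    ident = identifier.strip().lower()
    for username, email in USERS.items():
        if ident in (username, email):
            return username
    return None


def leaky_identification_stage(identifier: str) -> dict:
    """Vulnerable pattern: the reply reveals whether the account exists."""
    if _lookup(identifier) is None:
        return {"ok": False, "message": "No such user"}
    # A real stage would queue the recovery e-mail here.
    return {"ok": True, "message": "Recovery e-mail sent"}


def uniform_identification_stage(identifier: str) -> dict:
    """Hardened pattern: the reply is identical whether or not the account
    exists. The lookup result only controls the side effect (queuing mail)."""
    user = _lookup(identifier)
    if user is not None:
        pass  # queue the recovery e-mail for USERS[user]; not visible to the client
    return {
        "ok": True,
        "message": "If an account matches, a recovery e-mail has been sent",
    }


def enumerate_users(stage, candidates):
    """Attacker's view of the oracle: compare each candidate's reply with the
    reply for an identifier that certainly does not exist, and keep the
    candidates whose reply differs. Returns the confirmed identifiers in order."""
    baseline = stage("no-such-user-" + secrets.token_hex(8))
    return [c for c in candidates if stage(c) != baseline]


if __name__ == "__main__":
    wordlist = ["alice", "carol", "bob@example.com", "dave@example.com"]
    print("leaky   :", enumerate_users(leaky_identification_stage, wordlist))
    print("uniform :", enumerate_users(uniform_identification_stage, wordlist))
```

Against the leaky stage the wordlist yields `alice` and `bob@example.com`; against the uniform stage it yields nothing, because every reply, status flag included, is the same. Note that a uniform body removes only the explicit oracle: if the e-mail is sent synchronously, the response time still depends on the lookup, so the side effect should be queued asynchronously as well.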
**Recommendations**
Upgrade to 2023.5.6 or later on the 2023.5 series, or to 2023.6.2 or later on the 2023.6 series.
Until the upgrade is applied, restrict who can reach the recovery flow. This reduces exposure but does not remove the oracle for anyone who can still submit the flow, so treat it as a stopgap rather than a fix.
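While a deployment is still on an affected version, an enumeration run against the recovery flow is easy to spot: one client submitting many distinct identifiers, where a real user retries one or two. The detector below is an added example for this page, not part of authentik; the log lines and their format are constructed here, and `detect_enumeration` and `distinct_identifiers_by_ip` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed access-log lines for this example. The format is invented here
# and is not authentik's log format; adapt LOG_RE to the real source.
SAMPLE_LOG = [
    "203.0.113.7 POST /recovery identifier=alice",
    "203.0.113.7 POST /recovery identifier=bob",
    "203.0.113.7 POST /recovery identifier=carol",
    "203.0.113.7 POST /recovery identifier=dave",
    "203.0.113.7 POST /recovery identifier=erin",
    "203.0.113.7 POST /recovery identifier=frank",
    "198.51.100.4 POST /recovery identifier=alice",
    "198.51.100.4 POST /recovery identifier=alice",
    "198.51.100.4 GET /login",
]

LOG_RE = re.compile(r"^(?P<ip>\S+) POST /recovery identifier=(?P<ident>\S+)$")


def distinct_identifiers_by_ip(lines):
    """Map each source IP to the set of distinct identifiers it submitted to
    the recovery flow. Lines that are not recovery submissions are ignored."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group("ip")].add(m.group("ident").lower())
    return seen


def detect_enumeration(lines, threshold=5):
    """Return the source IPs that submitted at least `threshold` distinct
    identifiers. Cardinality of identifiers, not request volume, is the
    signal: a user retrying the same address many times is not flagged."""
    seen = distinct_identifiers_by_ip(lines)
    return sorted(ip for ip, idents in seen.items() if len(idents) >= threshold)


if __name__ == "__main__":
    print("suspected enumeration from:", detect_enumeration(SAMPLE_LOG))
```

On the sample, only `203.0.113.7` is flagged; `198.51.100.4` retried a single identifier and is left alone. In production, run the count over a sliding time window and key it on whatever client identity the proxy preserves, since a single NAT egress can hide several users behind one address.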