Pieterphilippaerts

#39039 of 53,633
7.1 Total CVSS
Vulnerabilities · 1
PT-2024-19998
7.1
2024-01-29
Authentik · Authentik · CVE-2024-23647
**Name of the Vulnerable Software and Affected Versions**

Authentik versions prior to 2023.8.7
Authentik versions prior to 2023.10.7

**Description**

Authentik is an open-source Identity Provider with a bug in its implementation of PKCE that allows an attacker to circumvent the protection PKCE offers. PKCE adds the `code challenge` parameter to the authorization request and the `code verifier` parameter to the token request. Prior to versions 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the `code challenge` parameter from the authorization request, authentik does not perform the PKCE check. This bug enables an attacker to perform code injection attacks and CSRF attacks.

**Recommendations**

For versions prior to 2023.8.7, update to version 2023.8.7 or later. For versions prior to 2023.10.7, update to version 2023.10.7 or later. As a temporary workaround, consider restricting access to the authorization request endpoint to minimize the risk of exploitation. Avoid using the `code challenge` parameter in the authorization request until the issue is resolved.