PT-2023-20673 · Authentik · Authentik

Fuomag9 · Published 2023-03-04 · Updated 2026-04-16 · CVE-2023-26481

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
authentik versions prior to 2022.12.2
authentik versions prior to 2023.1.3
authentik versions prior to 2023.2.3

Description
The issue arises from an insufficient access check in the recovery flow, which allows a recovery link created for one account to be used to set the password of any arbitrary user. This is possible if a recovery flow contains both an Identification stage and an Email stage. The attack requires an administrator to create a recovery link or send one to the attacker, who can then exploit the improper token validation to change passwords. Custom recovery flows are recommended to include a policy that skips the Identification stage when the flow is restored from a link, by checking request.context['is_restored'].

Recommendations
For versions prior to 2022.12.2, update to version 2022.12.2 or later. For versions prior to 2023.1.3, update to version 2023.1.3 or later. For versions prior to 2023.2.3, update to version 2023.2.3 or later. As a temporary workaround, add a policy to custom recovery flows that checks whether the flow is restored from a recovery link, by verifying request.context['is_restored'], and skips the Identification stage in that case.
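The workaround above, as an added example that is not part of the advisory or of authentik's own code: the policy body as it would be written for an authentik Expression Policy bound to the Identification stage of a custom recovery flow, run through a small constructed harness that mimics how such a body is evaluated (a request object exposing the plan context as `.context`; a False result skips the bound stage). The `is_restored` key is the one named above; the evaluation model and the sample contexts are assumptions made for this example.

```python
# Added example (not from the advisory or the authentik project). Assumption:
# an expression policy body sees the flow plan context as `request.context`,
# and a policy bound to a stage that returns False makes that stage be skipped.
import textwrap
from types import SimpleNamespace

# Body to paste into the Expression Policy bound to the Identification stage.
IDENTIFICATION_STAGE_POLICY = """\
# Skip the Identification stage when the plan was restored from a recovery link:
# the account the link was issued for is already fixed in the plan context, so
# the link holder must not be offered a chance to pick a different user.
return not request.context.get("is_restored", False)
"""


def evaluate_policy(body: str, request) -> bool:
    """Model of expression-policy evaluation: run `body` as a function body
    with `request` in scope and coerce the returned value to a boolean."""
    source = "def _policy(request):\n" + textwrap.indent(body, "    ")
    namespace = {}
    exec(source, namespace)  # trusted, locally defined policy text only
    return bool(namespace["_policy"](request))


def make_request(context: dict):
    """Constructed stand-in for the policy request; only .context is used."""
    return SimpleNamespace(context=context)


def policy_decisions(requests: dict) -> dict:
    """Return {label: True to show the Identification stage, False to skip it}."""
    return {
        label: evaluate_policy(IDENTIFICATION_STAGE_POLICY, request)
        for label, request in requests.items()
    }


# Constructed plan contexts (sample values, not captured from a real instance).
SAMPLE_REQUESTS = {
    # Visitor starting recovery normally: no token, the stage must run.
    "fresh_flow": make_request({}),
    # Flow restored from a recovery link issued for one account: the stage is
    # skipped, so the restored pending user cannot be swapped for another user.
    "restored_from_link": make_request({"is_restored": True, "pending_user": "alice"}),
}

if __name__ == "__main__":
    for label, show in policy_decisions(SAMPLE_REQUESTS).items():
        print(f"{label}: {'show' if show else 'skip'} Identification stage")
```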

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

BIT-AUTHENTIK-2023-26481
CVE-2023-26481
GHSA-3XF5-PQVF-RQQ3

Affected Products

Authentik