PT-2023-26994 · Unknown · Goauthentik

Markrassamni

·

Published

2023-08-29

·

Updated

2026-04-16

·

CVE-2023-39522

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

goauthentik versions prior to 2023.5.6
goauthentik versions prior to 2023.6.2
Description

goauthentik, an open-source Identity Provider, lets an unauthenticated attacker determine whether a username or email address belongs to an existing account by submitting it to a recovery flow that contains an identification stage. Only deployments configured with a recovery flow are affected. When no user matches the submitted identifier, the flow shows an explicit message saying so, which turns the recovery flow into a user-existence oracle that can be queried for one candidate after another. Depending on how the identification stage is configured, enumeration works by username, by email, or by both.
Recommendations

Upgrade to 2023.5.6 or later if you run a version prior to 2023.5.6, or to 2023.6.2 or later if you run a version prior to 2023.6.2. As a temporary workaround, restrict who can reach the recovery flow so that it cannot be queried anonymously until the upgrade is done.
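The oracle described above, and the shape of the fix, as an added example that is not part of this advisory and not authentik's own code. The user store, the two stage functions and the response messages are constructed stand-ins: the vulnerable function reproduces the behaviour the advisory describes (a distinct message when no user matches), the hardened one returns the same response whether or not the identifier matches, and the probe compares each candidate's response against a baseline obtained with a random identifier that almost certainly does not exist.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class StageResponse:
    """Minimal model of what the identification stage returns to the client."""
    status: int
    message: str


# Constructed sample user store standing in for a deployment's accounts.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}


def _identifier_matches(identifier: str) -> bool:
    # The advisory notes lookup may be by username, email or both; both here.
    return identifier in USERS or identifier in USERS.values()


def vulnerable_identification_stage(identifier: str) -> StageResponse:
    """Pre-fix behaviour as described: an explicit 'no such user' message.

    This is a constructed simulation, not authentik's implementation.
    """
    if _identifier_matches(identifier):
        return StageResponse(200, "Check your email for recovery instructions.")
    return StageResponse(400, "No user matching the given identifier exists.")


def hardened_identification_stage(identifier: str) -> StageResponse:
    """Same lookup, but the client-visible response is constant.

    Assumed mitigation shape (not authentik's code): whatever the lookup
    returns, the client sees the same status and the same wording, so the
    flow no longer tells the caller whether the account exists.
    """
    _ = _identifier_matches(identifier)  # result used server-side only
    return StageResponse(200, "If an account matches, recovery instructions have been sent.")


def enumerate_users(stage, candidates):
    """Black-box probe a tester would run against a recovery flow.

    Takes a baseline response for an identifier that should not exist and
    reports every candidate whose response differs from it. Against the
    vulnerable stage this recovers the valid identifiers; against the
    hardened stage every response is identical, so nothing is reported.
    """
    baseline_identifier = "probe-" + secrets.token_hex(8)
    baseline = stage(baseline_identifier)
    return [c for c in candidates if stage(c) != baseline]


if __name__ == "__main__":
    wordlist = ["alice", "carol", "bob@example.com", "dave@example.com"]
    print("vulnerable:", enumerate_users(vulnerable_identification_stage, wordlist))
    print("hardened:  ", enumerate_users(hardened_identification_stage, wordlist))
```

The probe only compares status and message, which is all the advisory covers. A real fix has to equalize every client-observable difference, so when checking a patched deployment also compare response sizes and timings, since a stage that still does extra work (such as sending mail) only for matching identifiers can leak the same information through a side channel even when the wording is identical.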

Exploit

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

BIT-AUTHENTIK-2023-39522
CVE-2023-39522
GHSA-VMF9-6PCV-XR87

Affected Products

Goauthentik