CVE-2023-48228

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2023.8.5 authentik versions prior to 2023.10.4

Description The issue concerns the implementation of the Proof Key for Code Exchange (PKCE) in authentik, an open-source identity provider. When initializing an OAuth2 flow with a code challenge and code method, authentik must check for a matching and existing code verifier during the token step. However, prior to the specified fixed versions, authentik only checks the contents of code verifier when it is provided. If code verifier is left out, authentik accepts the token request without it, even when the flow started with a code challenge.

Recommendations For versions prior to 2023.8.5, update to version 2023.8.5 or later. For versions prior to 2023.10.4, update to version 2023.10.4 or later.