PT-2024-27821 · Authentik · Authentik
M2A2
Published: 2024-06-28 · Updated: 2026-04-16
CVE-2024-37905
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
authentik versions prior to 2024.2.4
authentik versions prior to 2024.4.2
authentik versions prior to 2024.4.3
authentik versions prior to 2024.6.0
Description
The authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue results in a user gaining full admin access to the authentik application, including the ability to reset user passwords and more.
Recommendations
For versions prior to 2024.2.4, update to version 2024.2.4 or later.
For versions prior to 2024.4.2, update to version 2024.4.2 or later.
For versions prior to 2024.4.3, update to version 2024.4.3 or later.
For versions prior to 2024.6.0, update to version 2024.6.0 or later.
Exploit
Fix
Improper Access Control
Incorrect Authorization
Related Identifiers
Affected Products
Authentik