PT-2024-32388 · Authentik · Authentik

Published: 2024-09-27 · Updated: 2026-04-16 · CVE-2024-47070

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
authentik 2024.8.x versions prior to 2024.8.3
authentik 2024.6.x versions prior to 2024.6.5
Description A vulnerability in authentik, an open-source identity provider, allows bypassing the password login by sending an X-Forwarded-For header whose value is not a parsable IP address (for example the single letter `a`). An attacker who knows a valid username or email address can then log into that account without its password. The root cause is a policy bound to the password stage of the default authentication flow: it is meant to skip the password stage only when the Identification stage is configured to include the password prompt itself. Evaluating that policy on a request with an unparsable client IP raises an exception, and the default blueprint does not set the binding's failure result to True, so the engine treats the failed evaluation as a False result and the password stage is skipped.
Recommendations Deployments on the 2024.8 release line should update to 2024.8.3 or later; deployments on the 2024.6 release line should update to 2024.6.5 or later. As a temporary workaround, stop trusting the client-supplied X-Forwarded-For header (for example by having the reverse proxy overwrite it with the real peer address rather than forwarding whatever the client sent) or restrict network access to the authentik instance to minimize the risk of exploitation. Note that the header is attacker-controlled whenever authentik is reachable directly or the proxy passes it through unchanged.
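To make the mechanism in the description and the workaround concrete, the following is a small Python model added for this page; it is not authentik's own code. It shows how a policy binding whose failure result is False turns an IP-parsing exception into a skipped password stage, how setting the failure result to True restores the password check, and how a proxy that overwrites the client-supplied X-Forwarded-For header removes the trigger. The policy engine, the user store, and the names `PolicyBinding`, `evaluate_binding`, `password_stage_runs`, `authenticate` and `proxy_rewrite_xff` are assumptions made for illustration, as is the detail that the password-stage policy ends up parsing the client IP.

```python
"""Model of the CVE-2024-47070 logic flaw (illustrative, not authentik code).

A stage in a login flow is gated by a policy binding. When the policy raises,
the engine substitutes the binding's failure_result instead of failing closed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample user store for this model; not real credentials.
USERS = {"alice": "correct horse battery staple"}


def client_ip(headers: Dict[str, str], remote_addr: str):
    """Resolve the client IP the way a proxy-aware app does: prefer the first
    X-Forwarded-For entry. ipaddress.ip_address raises ValueError on a value
    such as "a", which is the trigger described in the advisory."""
    xff = headers.get("X-Forwarded-For")
    candidate = xff.split(",")[0].strip() if xff else remote_addr
    return ipaddress.ip_address(candidate)


@dataclass
class PolicyBinding:
    policy: Callable[[Dict[str, str], str], bool]  # True => run the stage
    failure_result: bool  # result substituted when the policy raises


def evaluate_binding(binding: PolicyBinding, headers, remote_addr) -> bool:
    """Evaluate the bound policy; on any exception return failure_result.
    With failure_result=False this fails open for a gating policy."""
    try:
        return binding.policy(headers, remote_addr)
    except Exception:
        return binding.failure_result


def password_policy(headers, remote_addr) -> bool:
    """Stand-in for the default password-stage policy. Assumption: it touches
    the client IP, so an unparsable X-Forwarded-For raises here."""
    client_ip(headers, remote_addr)
    return True  # password stage must run


def password_stage_runs(headers, remote_addr, failure_result: bool) -> bool:
    binding = PolicyBinding(policy=password_policy, failure_result=failure_result)
    return evaluate_binding(binding, headers, remote_addr)


def authenticate(username: str, password: Optional[str], headers,
                 remote_addr: str, failure_result: bool) -> bool:
    """Identification stage, then password stage gated by the binding.
    Returns True when the flow ends with the user logged in."""
    if username not in USERS:
        return False  # identification stage fails: unknown user
    if not password_stage_runs(headers, remote_addr, failure_result):
        return True  # stage skipped: logged in without any password
    return password is not None and USERS[username] == password


def proxy_rewrite_xff(headers: Dict[str, str], remote_addr: str) -> Dict[str, str]:
    """Proxy-side workaround: replace the client-supplied header with the real
    peer address so an unparsable value never reaches the application."""
    hardened = dict(headers)
    hardened["X-Forwarded-For"] = remote_addr
    return hardened


if __name__ == "__main__":
    attack = {"X-Forwarded-For": "a"}
    peer = "203.0.113.5"
    print("vulnerable blueprint, no password:",
          authenticate("alice", None, attack, peer, failure_result=False))
    print("fixed blueprint, no password:",
          authenticate("alice", None, attack, peer, failure_result=True))
    print("vulnerable blueprint behind a rewriting proxy:",
          authenticate("alice", None, proxy_rewrite_xff(attack, peer), peer,
                       failure_result=False))
```

Running the script prints True for the first case (the account is entered with no password at all) and False for the other two. The same model also shows why the fix is a one-line blueprint change: only the binding's failure result differs between the vulnerable and the fixed run.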

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BIT-AUTHENTIK-2024-47070
CVE-2024-47070
GHSA-7JXF-MMG9-9HG7

Affected Products

Authentik