PT-2026-42826 · Authentik · Authentik
Published
2026-05-22
·
Updated
2026-06-01
·
CVE-2026-40166
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
authentik versions prior to 2025.12.5
authentik versions 2026.2.0-rc1 through 2026.2.2
Description
Authenticated non-admin users possessing at least one OAuth2 access token can retrieve the
client secret of confidential OAuth2 providers they have previously used for authentication. This occurs via the 'GET /api/v3/oauth2/access tokens/' endpoint, where the API response includes a nested provider object containing the client id and client secret for providers configured with client type: confidential. This exposes sensitive information to users lacking the necessary permissions.Recommendations
Update to version 2025.12.5
Update to version 2026.2.3
Exploit
Fix
Information Disclosure
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Authentik