PT-2026-42826 · Authentik · Authentik

Published

2026-05-22

·

Updated

2026-06-01

·

CVE-2026-40166

CVSS v4.0

7.1

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions authentik versions prior to 2025.12.5 authentik versions 2026.2.0-rc1 through 2026.2.2
Description Authenticated non-admin users possessing at least one OAuth2 access token can retrieve the client secret of confidential OAuth2 providers they have previously used for authentication. This occurs via the 'GET /api/v3/oauth2/access tokens/' endpoint, where the API response includes a nested provider object containing the client id and client secret for providers configured with client type: confidential. This exposes sensitive information to users lacking the necessary permissions.
Recommendations Update to version 2025.12.5 Update to version 2026.2.3

Exploit

Fix

Information Disclosure

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BIT-AUTHENTIK-2026-40166
CVE-2026-40166
GHSA-HHPC-RQGM-PXJ4

Affected Products

Authentik