Vulnerabilities in goauthentik

36 results
| CVE | Severity | Title | EPSS |
|---|---|---|---|
| CVE-2024-47077 | MEDIUM | authentik cross-provider token validation problems | 0.4% |
| CVE-2026-40165 | HIGH | authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation | 0.4% |
| CVE-2026-40172 | HIGH | authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser | 0.4% |
| CVE-2026-49448 | CRITICAL | authentik: SourceStage bypass via empty POST | 0.4% |
| CVE-2025-29928 | HIGH | authentik's deletion of sessions did not revoke sessions when using database session storage | 0.3% |
| CVE-2026-40166 | HIGH | authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/ | 0.3% |
| CVE-2026-42849 | CRITICAL | authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover | 0.3% |
| CVE-2026-49443 | HIGH | authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API | 0.3% |
| CVE-2023-26481 | CRITICAL | Insufficient user check in FlowTokens by Email stage | 0.3% |
| CVE-2024-11623 | MEDIUM | Stored XSS in authentik | 0.3% |
| CVE-2025-64708 | MEDIUM | authentik invitation expiry is delayed by at least 5 minutes | 0.2% |
| CVE-2025-64521 | MEDIUM | authentik deactivated service accounts can authenticate to OAuth | 0.2% |
| CVE-2026-41569 | MEDIUM | authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to attacker-controlled endpoints | 0.2% |
| CVE-2026-41577 | MEDIUM | authentik: SAML source does not validate Conditions, timing, or audience on assertions | 0.2% |
| CVE-2026-25922 | HIGH | authentik has a Signature Verification Bypass via SAML Assertion Wrapping | 0.2% |
| CVE-2026-47201 | HIGH | authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user | 0.2% |