CVE Vulnerabilities - 16 April 2026
927 vulnerabilities published on 16 April 2026
webpki: Name constraints for URI names were incorrectly accepted
RUSTSEC-2026-0098
GHSA-965h-392x-2mh5
Name constraints for URI names were ignored and therefore accepted.
Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented. URI nam...
2.2
OpenClaw: Local File Tampering Through Script Preflight
GHSA-gj9q-8w99-mp8j
Some versions of OpenClaw, a script tool, allowed a local attacker to tamper with a script file between the time it was checked for safety and the time it was read. This could cause the tool to analyz...
2.1
Ruby Zlib Interface Fails to Ensure Safe Data Storage
CVE-2026-27820
GHSA-g857-hhfv-j68w
A flaw in the Ruby Zlib interface can cause data to be stored in an incorrect location, potentially leading to memory corruption. This issue affects users of the affected versions who decompress data ...
1.7
Unauthorized Access to authentik Applications via OAuth2 Device Code Flow
BIT-authentik-2024-38371
CVE-2024-38371
GHSA-jq3m-37m7-gp45
Using the OAuth2 Device code flow in authentik, an attacker could access authorized applications without the correct permissions. This is a security risk for businesses that rely on authentik as their...
Unauthorized access to github.com/goauthentik/authentik admin account
BIT-authentik-2024-37905
CVE-2024-37905
GHSA-c78c-2r9w-p7x4
A bug in the login system of authentik, an identity management tool, allows an attacker to gain full access to the system. This means they could potentially reset passwords, make changes, and access s...
Authentik OpenID Connect Can Be Tricked into Running Malicious Code
BIT-authentik-2024-21637
CVE-2024-21637
GHSA-rjpr-7w8c-gv3j
Authentik's Identity Provider software has a security weakness that could let attackers trick users into running malicious code. This could lead to unauthorized access to sensitive information or acti...
Authentik OAuth2 flow can be bypassed without a code verifier
BIT-authentik-2023-48228
CVE-2023-48228
GHSA-fm34-v8xq-f2c3
An older version of Authentik, an identity provider, had a security weakness that allowed attackers to bypass a security check in its OAuth2 flow. This means that users who had previously used the old...
Authentik Default Admin User Password Can Be Changed by Attackers
BIT-authentik-2023-46249
CVE-2023-46249
GHSA-rjvp-29xq-f62w
If the default admin user in Authentik is deleted, an attacker can change the admin password without a password. To fix this, ensure the default admin user 'akadmin' exists and has a strong, secure pa...
Authentik Fails to Verify IP Address Headers
BIT-authentik-2023-36456
CVE-2023-36456
GHSA-cmxp-jcw7-jjjv
Authentik, an open-source Identity Provider, doesn't properly check IP address headers from users behind a reverse proxy. This can lead to fake IP addresses being logged, bypassing security checks, an...
Admins can reset any user's password via email link
BIT-authentik-2023-26481
CVE-2023-26481
GHSA-3xf5-pqvf-rqq3
If an attacker gets a password reset link from an admin, they can set any password for any user's account. To fix this, update to version 2023.2.3, 2023.1.3, or 2022.12.2 of authentik. Alternatively, ...
authentik: Users Can Create New Accounts Without Permission
BIT-authentik-2022-46172
CVE-2022-46172
GHSA-hv8r-6w7p-mpc5
A flaw in older versions of authentik allows authenticated users to create new accounts without permission. This could lead to unauthorized access and compromised security. To fix this issue, update t...
Older Versions of authentik Allow Unauthorized User Creation
BIT-authentik-2022-46145
CVE-2022-46145
GHSA-mjfw-54m5-fvjf
Versions of authentik before 2022.11.2 and 2022.10.2 allow anyone to create new accounts without authentication. This could be used to take over admin accounts if email-verified password recovery is e...
Authentik Invitation Tokens Can Be Reused Across Different Flows
BIT-authentik-2022-23555
CVE-2022-23555
GHSA-9qwp-jf7p-vr7h
Certain versions of Authentik's invitation system can be exploited if an attacker knows the different invitation flow names. This can lead to unauthorized access to accounts. To protect against this, ...
CGA-mwpp-hm8c-cc42
CGA-jpm8-7crh-f6j9
CGA-cpjm-2ff8-j79f
CGA-cwfm-5m84-fpxh
CGA-95f5-6c2p-xx72
CGA-xv36-79hh-mj43
CGA-rq3p-f23p-6v4w
CGA-gcm2-xrr7-rg87