Authentik: Bypassing Password Login with Malformed IP Address
CVE-2024-47070
BIT-authentik-2024-47070
Summary
Versions of authentik prior to 2024.8.3 and 2024.6.5 allow an attacker to log in to any account with a known login or email address by sending an X-Forwarded-For header containing an unparsable IP address. This is a significant security risk, but it is limited to deployments where the authentik instance trusts that header. To fix this, update to version 2024.8.3 or 2024.6.5.
What to do
- Update authentik to version 2024.8.3.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Note |
|---|---|---|---|---|
| – | goauthentik | authentik | < 2024.6.5; >= 2024.8.0, < 2024.8.3 | cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:* |
| Bitnami | – | authentik | >= 2024.8.0, < 2024.8.3 | Fix: upgrade to 2024.8.3 |
Original title
authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header
Original description
authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding an X-Forwarded-For header with an unparsable IP address, e.g. `a`. This results in a possibility of logging into any account with a known login or email address. The vulnerability requires the authentik instance to trust the X-Forwarded-For header provided by the attacker, thus it is not reproducible from external hosts on a properly configured environment. The issue occurs due to the password stage having a policy bound to it, which skips the password stage if the Identification stage is set up to also contain a password stage. Due to the invalid X-Forwarded-For header, which does not get validated to be an IP address early enough, the exception happens later and the policy fails. The default blueprint doesn't correctly set `failure_result` to `True` on the policy binding, meaning that due to this exception the policy returns false and the password stage is skipped. Versions 2024.8.3 and 2024.6.5 fix this issue.
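The failure mode the description lays out, as an added Python model that is not authentik's code: a policy bound to the password stage raises when it touches an unparsable client IP, the binding substitutes its `failure_result` (default `False`, which skips the stage), and the two mitigations the advisory implies are shown beside it (validate the header before any policy runs; set `failure_result` to `True` so the binding fails closed). All class and function names here are assumptions for the model.

```python
"""Toy model (not authentik's code) of the fail-open policy binding behind CVE-2024-47070."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Request:
    remote_addr: str                            # address of the TCP peer (proxy or client)
    x_forwarded_for: Optional[str] = None       # trusted as-is in the vulnerable setup
    identification_has_password: bool = False   # identification stage already asks for a password?


def client_ip(req: Request) -> str:
    """Resolve the client IP, trusting X-Forwarded-For. Raises ValueError on junk such as 'a'."""
    raw = req.x_forwarded_for or req.remote_addr
    return str(ipaddress.ip_address(raw.split(",")[0].strip()))


def password_stage_policy(req: Request) -> bool:
    """True = show the password stage. The policy reads the client IP (assumed use: event
    logging), so an unparsable header raises here instead of being rejected up front."""
    client_ip(req)
    return not req.identification_has_password


@dataclass
class PolicyBinding:
    policy: Callable[[Request], bool]
    failure_result: bool = False   # value used when the policy raises; False skips the stage


def stage_is_shown(binding: PolicyBinding, req: Request) -> bool:
    """Policy engine: an exception is swallowed and replaced by the binding's failure_result."""
    try:
        return binding.policy(req)
    except Exception:
        return binding.failure_result


def validate_forwarded_header(req: Request) -> Request:
    """Mitigation 1: validate X-Forwarded-For before any policy runs; drop it if unparsable."""
    if req.x_forwarded_for is not None:
        try:
            ipaddress.ip_address(req.x_forwarded_for.split(",")[0].strip())
        except ValueError:
            req.x_forwarded_for = None   # fall back to the peer address
    return req


VULNERABLE = PolicyBinding(password_stage_policy)                   # blueprint default: fail open
FIXED = PolicyBinding(password_stage_policy, failure_result=True)   # Mitigation 2: fail closed
```

Either mitigation alone keeps the password stage on the path for a malformed header; applying both means a future exception in the policy cannot reopen the bypass.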
CVSS 3.1 (NVD): 9.0
Vulnerability type
CWE-287
Improper Authentication
- https://github.com/goauthentik/authentik/commit/dd8f809161e738b25765797eb2a5c77a... Patch
- https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7 Vendor Advisory
- https://github.com/goauthentik/authentik/commit/78f7b04d5a62b2a9d4316282a713c2c7... Patch
- https://nvd.nist.gov/vuln/detail/CVE-2024-47070 URL
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 7 Mar 2026