Authentik OAuth2 flow can be bypassed without a code verifier

BIT-authentik-2023-48228 CVE-2023-48228 GHSA-fm34-v8xq-f2c3
Summary

Older versions of authentik, an open-source identity provider, contained a weakness that let an attacker bypass the PKCE check in the OAuth2 token step. Users running an affected version may be at risk. To fix this, update to a patched version of authentik, specifically 2023.8.5 or 2023.10.4.

What to do
  • Update authentik to version 2023.10.4.
Affected software
Ecosystem  Vendor  Product    Affected versions
Bitnami    –       authentik  >= 2023.10.0, < 2023.10.4
Fix: upgrade to 2023.10.4
Original title
OAuth2: PKCE can be fully circumvented
Original description
authentik is an open-source identity provider. When initialising an oauth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check if there is a matching and existing `code_verifier` during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks if the contents of `code_verifier` match only when it is provided. When it is left out completely, authentik simply accepts the token request without it, even when the flow was started with a `code_challenge`. authentik 2023.8.5 and 2023.10.4 fix this issue.
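The check described above, shown as an added illustration (not authentik's own code): a token-endpoint PKCE verifier that only compares `code_verifier` when it is present, beside the corrected form that rejects a token request omitting it once the flow was bound to a `code_challenge`. Function names, the `challenge_method` parameter and the sample verifier are assumptions for the example; the S256 derivation follows RFC 7636.

```python
import base64
import hashlib
import hmac


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _verifier_matches(code_challenge: str, challenge_method: str, code_verifier: str) -> bool:
    """Compare the verifier against the stored challenge for the stored method."""
    if not 43 <= len(code_verifier) <= 128:      # length bounds from RFC 7636 section 4.1
        return False
    if challenge_method == "S256":
        expected = s256_challenge(code_verifier)
    elif challenge_method == "plain":
        expected = code_verifier
    else:
        return False                              # unknown method: never accept
    return hmac.compare_digest(expected, code_challenge)


def verify_pkce_vulnerable(code_challenge, challenge_method, code_verifier) -> bool:
    """Flawed check mirroring the advisory: the verifier is compared only when
    the client sends one, so a token request with no code_verifier at all is
    accepted even though the authorization request carried a code_challenge."""
    if code_verifier is None:
        return True
    return _verifier_matches(code_challenge, challenge_method, code_verifier)


def verify_pkce_fixed(code_challenge, challenge_method, code_verifier) -> bool:
    """Corrected check: a flow that was started with a code_challenge must
    present a matching code_verifier at the token step; absence is a failure."""
    if code_challenge is None:
        return True                               # PKCE was not requested for this flow
    if code_verifier is None:
        return False                              # the bug: this branch was missing
    return _verifier_matches(code_challenge, challenge_method, code_verifier)


# Constructed sample verifier (43 unreserved characters) for demonstration.
SAMPLE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
```

Detection note: a token request that carries an authorization code issued against a `code_challenge` but no `code_verifier` should be logged and rejected; the fixed function returns `False` for exactly that case.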
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026