Authentik: Unauthorized Token Access with Client Credentials or Device Code
CVE-2024-52287
BIT-authentik-2024-52287
Summary
An attacker could obtain an access token with scopes not set up in Authentik. This means they might be able to access features or data they shouldn't have access to. Update to version 2024.8.5 or 2024.10.3 to fix this issue.
What to do
- Update authentik to version 2024.10.3.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| – | goauthentik | authentik | < 2024.8.5; >= 2024.10.0, < 2024.10.3 (cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*) |
| Bitnami | – | authentik | >= 2024.10.0, < 2024.10.3 (fix: upgrade to 2024.10.3) |
Original title
authentik performs insufficient validation of OAuth scopes
Original description
authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue.
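The missing control the advisory describes is a server-side check that a token issued through the client_credentials or device_code grant carries only scopes the provider was actually configured with. The following Python sketch is an added illustration of that check, not authentik's code; the `Provider` model, the empty-request fallback and the sample scope set are constructed for the example.

```python
"""Illustrative scope validation for client_credentials / device_code grants.

Added example, not authentik's code: models the class of check whose absence
CVE-2024-52287 describes (tokens carrying scopes never configured on the
provider). Names and the sample configuration are constructed for illustration.
"""
from dataclasses import dataclass, field

MACHINE_GRANTS = {"client_credentials", "urn:ietf:params:oauth:grant-type:device_code"}


class InvalidScope(ValueError):
    """RFC 6749 'invalid_scope' error: request named a scope the server does not know."""


@dataclass
class Provider:
    # Scopes actually configured on this OAuth2 provider (constructed model).
    configured_scopes: set = field(default_factory=set)


def validate_scopes(provider: Provider, grant_type: str, requested: str) -> set:
    """Return the set of scopes a token may carry, or raise InvalidScope.

    Only scopes present in the provider's configuration are ever granted; any
    requested scope outside that set is rejected rather than silently copied
    into the token, which is the behaviour the advisory says was missing.
    """
    if grant_type not in MACHINE_GRANTS:
        raise ValueError(f"unsupported grant_type for this check: {grant_type}")
    wanted = set(requested.split()) if requested else set()
    unknown = wanted - provider.configured_scopes
    if unknown:
        raise InvalidScope(f"scopes not configured on provider: {sorted(unknown)}")
    # An empty scope parameter falls back to the configured scopes, never more
    # (illustrative policy; a real server may instead reject the request).
    return wanted or set(provider.configured_scopes)


def issue_token(provider: Provider, grant_type: str, requested: str) -> dict:
    """Token endpoint response shape: a bearer token or an RFC 6749 error."""
    try:
        scopes = validate_scopes(provider, grant_type, requested)
    except InvalidScope as exc:
        return {"error": "invalid_scope", "error_description": str(exc)}
    return {"token_type": "Bearer", "scope": " ".join(sorted(scopes))}
```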
nvd CVSS3.1
7.2
nvd CVSS4.0
6.4
Vulnerability type
CWE-285
Improper Authorization
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 7 Mar 2026