
Unauthorized access to github.com/goauthentik/authentik admin account

BIT-authentik-2024-37905 CVE-2024-37905 GHSA-c78c-2r9w-p7x4
Summary

A flaw in the way authentik, an open-source identity provider, handles API access tokens allows an attacker to gain full administrative access to the system. With admin privileges they can reset user passwords, change configuration, and reach every protected area of the application. Update to a patched release: 2024.2.4, 2024.4.2, or 2024.6.0.

What to do
  • Update authentik to a patched release: 2024.2.4, 2024.4.2, or 2024.6.0, whichever is the fixed version of the branch you run. Note that the fix is per branch: 2024.4.1 is still vulnerable even though it is newer than 2024.2.4. The Bitnami package ships the fix from 2024.6.0.
Affected software
Ecosystem   Vendor   Product     Affected versions   Fix
Bitnami     –        authentik   < 2024.6.0          upgrade to 2024.6.0
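The following script is an added example, not part of this advisory or of the authentik project. It turns the "What to do" guidance into a check that can be run over an inventory of authentik instances. The only facts it encodes are the patched releases named in the advisory (2024.2.4, 2024.4.2 and 2024.6.0); the assumption is that the fix landed on each maintained release branch at that version, so an install is vulnerable unless it is at or above the patched release of its own branch, or on a branch newer than 2024.6. The inventory and version strings are constructed sample input.

```python
"""Per-branch version check for CVE-2024-37905 / GHSA-c78c-2r9w-p7x4.

Added example, not authentik project code. Assumes the advisory's patched
releases are the first fixed version on each affected release branch.
"""
import re

# Patched releases from the advisory, keyed by (year, minor) release branch.
# Tuples carry a trailing 1 meaning "final release" so that pre-releases of
# the same number (e.g. 2024.6.0-rc1) sort below the fixed version.
PATCHED = {
    (2024, 2): (2024, 2, 4, 1),
    (2024, 4): (2024, 4, 2, 1),
    (2024, 6): (2024, 6, 0, 1),
}
NEWEST_PATCHED_BRANCH = (2024, 6)

_VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)\.(\d+)(?:[-.]?((?:rc|alpha|beta|a|b)\d*))?$"
)


def parse_version(text):
    """Parse an authentik version string into (year, minor, patch, is_final).

    Accepts an optional leading 'v' and a pre-release suffix such as '-rc1';
    is_final is 1 for a final release and 0 for a pre-release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised authentik version: {text!r}")
    year, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    is_final = 0 if m.group(4) else 1
    return (year, minor, patch, is_final)


def is_vulnerable(version):
    """Return True if this authentik version lacks the fix for CVE-2024-37905."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in PATCHED:
        # Same branch as a patched release: compare against that release.
        return parsed < PATCHED[branch]
    if branch > NEWEST_PATCHED_BRANCH:
        # Released after 2024.6.0, so it already contains the fix (assumption).
        return False
    # Older branches (e.g. 2023.x) never received a patched release.
    return True


def triage(inventory):
    """Map each host in {host: version} to 'vulnerable', 'fixed' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; versions are illustrative, not observed data.
    sample = {
        "sso-prod.example.internal": "2024.4.1",
        "sso-staging.example.internal": "2024.4.2",
        "sso-legacy.example.internal": "2023.10.7",
        "sso-canary.example.internal": "v2024.6.0-rc1",
        "sso-broken.example.internal": "latest",
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host:32} {sample[host]:16} {status}")
```

The point the per-branch table makes is the one the flat "< 2024.6.0" range hides: 2024.4.1 is newer than 2024.2.4 yet still vulnerable, while 2024.2.4 is older than 2024.4.1 and is fixed. Pre-release builds of a fixed version are treated as unfixed, which is the safe default when the exact commit is unknown.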
Original title
Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik
Original description
authentik is an open-source Identity Provider that emphasizes flexibility and versatility. The authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the authentik application, including resetting user passwords and more. This issue has been patched in versions 2024.2.4, 2024.4.2 and 2024.6.0.
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026