
Authentik OpenID Connect Can Be Tricked into Running Malicious Code

BIT-authentik-2024-21637 CVE-2024-21637 GHSA-rjpr-7w8c-gv3j
Summary

Authentik's Identity Provider software has a security weakness that could let attackers trick users into running malicious code. This could lead to unauthorized access to sensitive information or actions. Update to version 2023.10.6 or 2023.8.6 to fix this issue.

What to do
  • Update authentik to version 2023.10.6.
Affected software
Ecosystem | Vendor | Product   | Affected versions          | Fix
Bitnami   | –      | authentik | >= 2023.10.0, < 2023.10.6  | upgrade to 2023.10.6
Original title
XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode
Original description
Authentik is an open-source Identity Provider. Authentik is vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with `response_mode=form_post`. This relatively user could use the described attacks to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 2023.8.6.
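The root cause described above is that, in `form_post` mode, the provider renders an auto-submitting HTML form whose `action` is the client's `redirect_uri`; if a `javascript:` URI is accepted there, the browser executes it in the provider's origin when the form submits. The following added example (written for this page, not authentik's own code; the allow-list and parameter names are constructed) shows the check a provider should apply at both registration time and authorization time: only `https` absolute URIs, no fragment, exact match against the registered set, and HTML-escaping of everything placed into the rendered form.

```python
import html
from urllib.parse import urlsplit

# Constructed allow-list standing in for a client's registered redirect URIs.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oidc/callback",
}

# Schemes a browser may be sent to via a form action. javascript:, data:,
# vbscript: and friends execute or render attacker content, so they are out.
ALLOWED_SCHEMES = {"https"}


def is_safe_redirect_uri(uri: str) -> bool:
    """Structural check applied when a client registers a redirect URI."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False
    # urlsplit lowercases the scheme, so JavaScript: and javascript: both fail here.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.netloc:          # must be an absolute URI with a host
        return False
    if parts.fragment:            # RFC 6749 s3.1.2 forbids fragments
        return False
    return True


def validate_redirect_uri(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Authorization-time check: structurally safe AND an exact registered match."""
    return is_safe_redirect_uri(candidate) and candidate in registered


def render_form_post(redirect_uri: str, params: dict, registered=REGISTERED_REDIRECT_URIS) -> str:
    """Build the response_mode=form_post page, refusing unsafe or unregistered URIs.

    Every value interpolated into markup is escaped, so a value that happens to
    contain quotes or angle brackets cannot break out of its attribute.
    """
    if not validate_redirect_uri(redirect_uri, registered):
        raise ValueError("redirect_uri rejected: must be https and pre-registered")
    inputs = "".join(
        '<input type="hidden" name="{}" value="{}"/>'.format(
            html.escape(k, quote=True), html.escape(v, quote=True)
        )
        for k, v in params.items()
    )
    action = html.escape(redirect_uri, quote=True)
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{action}">{inputs}</form>'
        "</body></html>"
    )


if __name__ == "__main__":
    # Constructed sample authorization response parameters.
    sample = {"code": "abc123", "state": 'x"><script>'}
    print(render_form_post("https://app.example.com/oidc/callback", sample))
    for bad in ("javascript:alert(1)", "JavaScript:alert(1)", "data:text/html,hi",
                "http://app.example.com/oidc/callback", "https://app.example.com/oidc/other"):
        print(bad, "->", validate_redirect_uri(bad))
```

The two-stage split matters: rejecting `javascript:` at registration stops the URI from ever entering the allow-list, and re-checking at authorization time covers the case where the allow-list was populated before the scheme filter existed, which is exactly the upgrade scenario an advisory like this one creates.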
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026