authentik: Access Tokens Can Be Stolen and Used to Impersonate Users

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.5

authentik: Access Tokens Can Be Stolen and Used to Impersonate Users

CVE-2024-47077 BIT-authentik-2024-47077

Summary

A security issue in older versions of authentik allows an application to steal access tokens and use them to pretend to be a user. This could let an app access resources it shouldn't. Update to version 2024.8.3 or 2024.6.5 to fix the issue.

What to do

Update authentik to version 2024.8.3.

Affected software

Ecosystem	Vendor	Product	Affected versions
–	goauthentik	authentik	< 2024.6.5 >= 2024.8.0, < 2024.8.3 `cpe:2.3:a:goauthentik:authentik::::::::`
Bitnami	–	authentik	>= 2024.8.0, < 2024.8.3 Fix: upgrade to 2024.8.3

Original title

authentik cross-provider token validation problems

Original description

authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access. Anyone who has more than one proxy provider application with different trust domains or different access control is affected. Versions 2024.8.3 and 2024.6.5 fix the issue.

nvd CVSS3.1 6.5

Vulnerability type

CWE-863 Incorrect Authorization

Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 7 Mar 2026