Unauthorized Access to authentik Applications via OAuth2 Device Code Flow

BIT-authentik-2024-38371 CVE-2024-38371 GHSA-jq3m-37m7-gp45
Summary

Using the OAuth2 Device code flow in authentik, an attacker could obtain tokens for, and access, applications they were not authorized to use, because the application's access restrictions were not evaluated in that flow. This is a security risk for businesses that rely on authentik as their Identity Provider. To fix this, update to version 2024.6.0, 2024.2.4, or 2024.4.3 or later.

What to do
  • Update authentik to version 2024.6.0.
Affected software
Ecosystem   Vendor   Product     Affected versions
Bitnami     –        authentik   < 2024.6.0
Fix: upgrade to 2024.6.0
Original title
Insufficient access control for OAuth2 Device Code flow in authentik
Original description
authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been patched in version(s) 2024.6.0, 2024.2.4 and 2024.4.3.
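The following is an added, constructed illustration of the bug class described above, not authentik's code: a minimal RFC 8628 device-code token endpoint that issues a token as soon as a user has approved the device code (the missing check), next to a hardened variant that also evaluates the application's access policy for the approving user before issuing anything. The Application, User and DeviceCode types and the group-based policy are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model: an application carries an access policy, here a set of
# groups, and a user belongs to groups. Not authentik's data model.
@dataclass
class Application:
    name: str
    allowed_groups: set

@dataclass
class User:
    name: str
    groups: set

@dataclass
class DeviceCode:
    code: str
    application: Application
    approved_by: Optional[User] = None  # set when a user completes the device flow

def user_may_access(user: User, app: Application) -> bool:
    # The application's access policy: user must belong to an allowed group.
    return bool(user.groups & app.allowed_groups)

def token_endpoint_vulnerable(dc: DeviceCode) -> dict:
    # Only checks that the device code was approved by some authenticated
    # user; the application's access policy is never consulted.
    if dc.approved_by is None:
        return {"error": "authorization_pending"}
    return {"access_token": f"tok-{dc.application.name}-{dc.approved_by.name}"}

def token_endpoint_fixed(dc: DeviceCode) -> dict:
    # Same flow, but the application's access policy is enforced for the
    # approving user before a token is issued.
    if dc.approved_by is None:
        return {"error": "authorization_pending"}
    if not user_may_access(dc.approved_by, dc.application):
        return {"error": "access_denied"}
    return {"access_token": f"tok-{dc.application.name}-{dc.approved_by.name}"}

def demo() -> tuple:
    # Constructed scenario: the app is restricted to "admins"; the approving
    # user is only in "staff". Returns (vulnerable result, fixed result).
    app = Application("payroll", {"admins"})
    dc = DeviceCode("GHK7-WXYZ", app, approved_by=User("alice", {"staff"}))
    return token_endpoint_vulnerable(dc), token_endpoint_fixed(dc)
```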
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026