SB2023030260 - Insufficient verification of data authenticity in authentik
Published: March 2, 2023 Updated: April 23, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Insufficient verification of data authenticity (CVE-ID: CVE-2023-26481)
The vulnerability allows a remote user to set the password for an arbitrary user account.
The vulnerability exists due to insufficient verification of data authenticity in the handling of flow tokens by the Email stage when an admin-created recovery flow link is processed. A remote privileged user can use a crafted or received recovery URL to set the password for an arbitrary user account.
Exploitation is only possible if a recovery flow exists with both an Identification stage and an Email stage bound to it, and an administrator must create or send the recovery link.
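The bug class described above, as an added illustration that is not authentik's code: a recovery token that merely proves "some recovery link exists" lets the redeemer choose the target account, whereas a token bound to the user it was issued for, expiring and single-use, cannot be redirected to another account. The service classes, the `alice`/`bob` accounts and the flow name are constructed for the example.

```python
"""Constructed model of recovery-link handling (not authentik's implementation).

WeakRecoveryService shows the defect class: the account whose password is set is
taken from the request rather than from the token. HardenedRecoveryService binds
the token to the user it was issued for, enforces expiry and allows a single use.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RecoveryToken:
    """One issued recovery link; user_id is the account it was created for."""
    token: str
    user_id: str
    flow_id: str
    expires_at: float
    used: bool = False


class WeakRecoveryService:
    """Token existence is checked, but not which user it belongs to."""

    def __init__(self) -> None:
        self.tokens: Dict[str, RecoveryToken] = {}
        self.passwords: Dict[str, str] = {}

    def create_link(self, user_id: str, flow_id: str, ttl: float = 3600.0,
                    now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = RecoveryToken(token, user_id, flow_id, now + ttl)
        return token

    def set_password(self, token: str, target_user: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        if token not in self.tokens:
            return False
        # Defect: target_user is never compared with the user the token was issued for.
        self.passwords[target_user] = new_password
        return True


class HardenedRecoveryService(WeakRecoveryService):
    """Same API, but the token decides the account, not the request."""

    def set_password(self, token: str, target_user: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec.used or now > rec.expires_at:
            return False
        # Identity binding: the link only works for the account it was created for.
        if not hmac.compare_digest(rec.user_id.encode(), target_user.encode()):
            return False
        rec.used = True  # single use: a forwarded or replayed link is dead after redemption
        self.passwords[target_user] = new_password
        return True


def demonstrate() -> Dict[str, bool]:
    """Constructed scenario: an admin issues a link for 'alice'; it is redeemed for 'bob'."""
    results: Dict[str, bool] = {}
    weak = WeakRecoveryService()
    link = weak.create_link("alice", "recovery-flow", now=1000.0)
    results["weak_cross_user"] = weak.set_password(link, "bob", "new-pw", now=1001.0)

    hard = HardenedRecoveryService()
    link = hard.create_link("alice", "recovery-flow", now=1000.0)
    results["hard_cross_user"] = hard.set_password(link, "bob", "new-pw", now=1001.0)
    results["hard_own_user"] = hard.set_password(link, "alice", "new-pw", now=1001.0)
    results["hard_reuse"] = hard.set_password(link, "alice", "other-pw", now=1002.0)
    expired = hard.create_link("alice", "recovery-flow", ttl=60.0, now=1000.0)
    results["hard_expired"] = hard.set_password(expired, "alice", "late-pw", now=2000.0)
    return results


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {'password set' if ok else 'rejected'}")
```

The `now` parameter exists only so the expiry path can be exercised deterministically; in a real service the clock comes from the system. The check that matters for this bulletin is the identity binding: the account to update must be read from the token record, never from the caller's request.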
Remediation
Install the update from the vendor's website.