SB2023102810 - Improper access control in authentik

Published: October 28, 2023 Updated: April 23, 2026

Security Bulletin ID SB2023102810
CSH Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: CVE-2023-46249)

The vulnerability allows a remote attacker to take over the installation.

The vulnerability exists due to improper access control in the initial-setup flow when the default admin user has been deleted. A remote attacker can set the password of the default admin user without authentication to take over the installation.

The issue becomes exploitable after the default admin user has been deleted, which causes the initial-setup flow to become available again.
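As an added illustration (not authentik's code), the two gating rules below contrast the weak condition described above, where the initial-setup flow is reopened whenever the default admin account is missing, with a gate tied to a persisted "setup completed" flag that user deletion cannot clear. The store, the `admin` username and the hashing are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field

DEFAULT_ADMIN = "admin"  # placeholder name, not authentik's actual default user


@dataclass
class Store:
    """Constructed stand-in for the application's persistent state."""
    users: dict = field(default_factory=dict)  # username -> password hash
    setup_completed: bool = False               # survives deletion of any user


def setup_available_weak(store: Store) -> bool:
    # Weak gate: availability is derived from the existence of the default
    # admin account, so deleting that account reopens first-run setup.
    return DEFAULT_ADMIN not in store.users


def setup_available_hardened(store: Store) -> bool:
    # Hardened gate: availability is derived from a one-time flag that is
    # set when setup finishes and never cleared by user management.
    return not store.setup_completed


def run_initial_setup(store: Store, gate, password: str) -> None:
    """Unauthenticated first-run flow; must only ever succeed once."""
    if not gate(store):
        raise PermissionError("initial setup already completed")
    # Placeholder hashing; a real deployment uses a password hasher.
    store.users[DEFAULT_ADMIN] = hashlib.sha256(password.encode()).hexdigest()
    store.setup_completed = True


def scenario(gate) -> str:
    """Set up once, delete the admin, then try the flow a second time."""
    store = Store()
    run_initial_setup(store, gate, "first-run-password")
    del store.users[DEFAULT_ADMIN]  # administrator later removes the account
    try:
        run_initial_setup(store, gate, "second-run-password")
        return "reopened"  # flow accepted a new password without auth
    except PermissionError:
        return "blocked"


if __name__ == "__main__":
    print("weak gate:", scenario(setup_available_weak))          # reopened
    print("hardened gate:", scenario(setup_available_hardened))  # blocked
```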


Remediation

Install the update from the vendor's website.