Improper Authorization in authentik - CVE-2024-38371

Published: June 26, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127139
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-38371
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Authentik Security Inc
Affected software: authentik

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain OAuth tokens for an application and access the application.

The vulnerability exists due to improper authorization in the OAuth2 Device Code flow when processing device code authorization requests. A remote attacker can obtain OAuth tokens for an application without being authorized to use that application, and then access the application with those tokens.
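The following is an added illustration, not authentik's code: a hypothetical, minimal model of the user-approval step of the OAuth2 Device Code flow (RFC 8628) in which the application's access policy is not evaluated (the CWE-285 pattern this advisory describes), beside the corrected version that evaluates it before the code can be approved. The `Application`, `User`, `DeviceCode` types and the group-based access policy are assumptions for the example.

```python
# Added example, not authentik's code: hypothetical model of the device-code approval step (RFC 8628).
from dataclasses import dataclass

@dataclass
class Application:
    name: str
    allowed_groups: frozenset  # hypothetical access policy: groups allowed to use the app

@dataclass
class User:
    username: str
    groups: frozenset

@dataclass
class DeviceCode:
    user_code: str  # short code the user types in at the verification URI
    app: Application
    user: "User | None" = None
    authorized: bool = False

def user_may_access(user: User, app: Application) -> bool:
    return bool(user.groups & app.allowed_groups)  # policy: member of an allowed group

def authorize_vulnerable(dc: DeviceCode, user: User, user_code: str) -> bool:
    # Checks only the user_code; the application's access policy is never evaluated,
    # so any authenticated user can approve a code for any application (CWE-285).
    if user_code != dc.user_code:
        return False
    dc.user, dc.authorized = user, True
    return True

def authorize_fixed(dc: DeviceCode, user: User, user_code: str) -> bool:
    # Same step with the missing authorization check added.
    if user_code != dc.user_code or not user_may_access(user, dc.app):
        return False
    dc.user, dc.authorized = user, True
    return True

def token_endpoint(dc: DeviceCode) -> dict:
    # Device-code grant: a token is issued only once the code has been approved.
    if not dc.authorized or dc.user is None:
        return {"error": "authorization_pending"}
    return {"access_token": f"constructed-token:{dc.user.username}@{dc.app.name}"}

def demo() -> tuple:
    # Constructed scenario: a user outside the app's allowed groups approves a device code.
    app = Application("payroll", frozenset({"finance"}))
    outsider = User("mallory", frozenset({"staff"}))
    before, after = DeviceCode("ABCD-EFGH", app), DeviceCode("WXYZ-1234", app)
    authorize_vulnerable(before, outsider, "ABCD-EFGH")
    authorize_fixed(after, outsider, "WXYZ-1234")
    return token_endpoint(before), token_endpoint(after)
```

With the vulnerable step the token endpoint hands out a token for a user the application's policy does not permit; with the fixed step the code is never approved and the grant stays pending.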


How to mitigate CVE-2024-38371

Install the security update from the vendor's website.

Sources