#VU127139 Improper Authorization in authentik - CVE-2024-38371


Published: June 26, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127139
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-38371
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
authentik
Software vendor:
Authentik Security Inc

Description

The vulnerability allows a remote attacker to obtain OAuth tokens for an application and access the application.

The vulnerability exists due to improper authorization in the OAuth2 Device Code flow when processing device code authorization requests. A remote attacker can obtain OAuth tokens for an application without holding the authorization required for that application, and use those tokens to access the application.


Remediation

Install the security update from the vendor's website.

External links