Improper access control in authentik - CVE-2023-46249


Published: October 28, 2023 / Updated: April 23, 2026


Vulnerability identifier: #VU127141
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-46249
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Authentik Security Inc
Affected software:
authentik

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to take over the installation.

The vulnerability exists due to improper access control in the initial-setup flow. That flow is intended to be used once, on first deployment, to set the password of the default admin user (akadmin). If the default admin user is later deleted, the flow becomes reachable again, and a remote attacker can complete it without any authentication to set a password for the default admin user and take over the installation.

The issue therefore becomes exploitable only after the default admin user has been deleted; as long as that user exists, the initial-setup flow is not exposed.


How to mitigate CVE-2023-46249

Install the security update from the vendor's website; the fix ships in authentik 2023.8.4 and 2023.10.2. Until the update is applied, do not delete the default admin user: deactivate it instead if it is not needed, since the initial-setup flow is only reachable while that user is missing. If the user has already been deleted on an unpatched instance, recreate it and review the event log for an unexpected password change on the default admin user before treating the instance as clean.
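The following script is an added example, not code from authentik or from this database, for checking an instance against the two conditions above: whether the running release carries the fix, and whether the default admin user still exists. It assumes the API is reachable at AUTHENTIK_URL, that AUTHENTIK_TOKEN is an API token permitted to read users and the version endpoint, that the endpoints /api/v3/admin/version/ and /api/v3/core/users/?username=akadmin respond as shown, and that the fixed releases are 2023.8.4 and 2023.10.2 as stated in the vendor advisory. The assess() function is pure so it can be exercised offline against constructed API responses.

```python
"""Exposure check for CVE-2023-46249 against an authentik instance.

Added example, not vendor code. Assumptions: the authentik REST API is
reachable at AUTHENTIK_URL, AUTHENTIK_TOKEN is an API token allowed to
read users and the version endpoint, and the fixed releases are
2023.8.4 and 2023.10.2 (vendor advisory). The default admin username in
authentik is "akadmin".
"""
import json
import os
import re
import sys
import urllib.request

DEFAULT_ADMIN = "akadmin"


def parse_version(version: str) -> tuple:
    """Turn '2023.10.2' (or '2023.10.2-rc1') into (2023, 10, 2)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_fixed(version: str) -> bool:
    """True if this release carries the vendor fix.

    The fix was backported to the 2023.8 branch as 2023.8.4 and shipped
    in 2023.10.2; anything earlier on either line is treated as vulnerable.
    """
    major, minor, patch = parse_version(version)
    if (major, minor) == (2023, 8):
        return patch >= 4
    return (major, minor, patch) >= (2023, 10, 2)


def assess(version: str, users_page: dict) -> dict:
    """Combine the running version with a /core/users/ listing.

    The initial-setup flow only becomes reachable once the default admin
    user has been deleted, so on an unpatched instance the presence of
    that user (active or not) is what currently blocks the attack.
    """
    admin_present = any(
        u.get("username") == DEFAULT_ADMIN for u in users_page.get("results", [])
    )
    if is_fixed(version):
        status = "patched"
    elif admin_present:
        status = "vulnerable-not-currently-exposed"
    else:
        status = "EXPOSED"
    return {"version": version, "admin_present": admin_present, "status": status}


def fetch_json(base_url: str, path: str, token: str) -> dict:
    """GET a JSON document from the authentik API with a bearer token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def main() -> int:
    base_url = os.environ.get("AUTHENTIK_URL")
    token = os.environ.get("AUTHENTIK_TOKEN")
    if not base_url or not token:
        print("set AUTHENTIK_URL and AUTHENTIK_TOKEN", file=sys.stderr)
        return 2
    # Assumed response shapes: {"version_current": "2023.10.1", ...} and a
    # paginated {"results": [...]} user listing filtered by username.
    version = fetch_json(base_url, "/api/v3/admin/version/", token)["version_current"]
    users = fetch_json(base_url, f"/api/v3/core/users/?username={DEFAULT_ADMIN}", token)
    result = assess(version, users)
    print(json.dumps(result, indent=2))
    return 0 if result["status"] == "patched" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the two environment variables set; a non-zero exit means the instance is on a vulnerable release, and the status field says whether the default admin user is currently standing between an attacker and the password-set step. Treat "vulnerable-not-currently-exposed" as a reason to patch, not as a resolution, since any later deletion of the user reopens the flow.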
