Improper access control in authentik - CVE-2023-46249

Published: October 28, 2023 / Updated: April 23, 2026
Vulnerability identifier: #VU127141
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-46249
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: authentik
Software vendor: Authentik Security Inc

Description

The vulnerability allows a remote attacker to take over the installation.

The vulnerability exists due to improper access control in the initial-setup flow when the default admin user has been deleted. A remote attacker can set the password of the default admin user without authentication to take over the installation.

The issue becomes exploitable after the default admin user has been deleted, which causes the initial-setup flow to become available again.
Remediation

Install the security update from the vendor's website.

External links