Insufficient verification of data authenticity in authentik - CVE-2023-26481

 

Published: March 2, 2023 / Updated: April 23, 2026


Vulnerability identifier: #VU127144
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-26481
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
authentik
Software vendor:
Authentik Security Inc

Description

The vulnerability allows a remote user to set the password for an arbitrary user account.

The vulnerability exists due to insufficient verification of data authenticity in the Email stage's handling of FlowTokens when a recovery flow link created by an administrator is used. A remote user who has received such a link can use it to set the password for an arbitrary user account, not only for the account the link was issued for.

Exploitation is only possible if a recovery flow exists with both an Identification stage and an Email stage bound to it, and an administrator must create or send the recovery link. According to the vendor advisory, a flow whose Identification stage is skipped by a bound policy whenever the flow context already holds a pending user is not affected.
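The following Python script is an added example, not authentik's own code: it audits flow configuration for the precondition described above (a recovery flow that binds both an Identification and an Email stage). The records are constructed to resemble objects from authentik's flow and binding API endpoints; the field names and the stage model identifiers are assumptions, and the expression policy included at the end is this example's own wording of the identification-stage workaround, not text copied from the vendor.

```python
"""Audit authentik flow configuration for the CVE-2023-26481 precondition.

Added example; this is not authentik's own code. The records below are
constructed to resemble objects returned by authentik's
/api/v3/flows/instances/ and /api/v3/flows/bindings/ endpoints (assumed
field names: pk, slug, designation, target, order, stage_obj.meta_model_name).
"""

# Model names assumed to identify the two stage types in binding records.
IDENTIFICATION_STAGE = "authentik_stages_identification.identificationstage"
EMAIL_STAGE = "authentik_stages_email.emailstage"

# Constructed sample data, not captured from a live instance.
FLOWS = [
    {"pk": "f1", "slug": "default-recovery-flow", "designation": "recovery"},
    {"pk": "f2", "slug": "default-authentication-flow", "designation": "authentication"},
    {"pk": "f3", "slug": "recovery-link-only", "designation": "recovery"},
]
BINDINGS = [
    {"target": "f1", "order": 0, "stage_obj": {"meta_model_name": IDENTIFICATION_STAGE}},
    {"target": "f1", "order": 10, "stage_obj": {"meta_model_name": EMAIL_STAGE}},
    {"target": "f1", "order": 20, "stage_obj": {"meta_model_name": "authentik_stages_prompt.promptstage"}},
    {"target": "f2", "order": 0, "stage_obj": {"meta_model_name": IDENTIFICATION_STAGE}},
    {"target": "f3", "order": 0, "stage_obj": {"meta_model_name": EMAIL_STAGE}},
    {"target": "f3", "order": 10, "stage_obj": {"meta_model_name": "authentik_stages_prompt.promptstage"}},
]


def stage_models(flow_pk, bindings):
    """Set of stage model names bound to the given flow."""
    return {b["stage_obj"]["meta_model_name"] for b in bindings if b["target"] == flow_pk}


def affected_recovery_flows(flows, bindings):
    """Slugs of recovery flows that bind both an Identification and an Email stage."""
    hits = []
    for flow in flows:
        if flow.get("designation") != "recovery":
            continue
        models = stage_models(flow["pk"], bindings)
        if IDENTIFICATION_STAGE in models and EMAIL_STAGE in models:
            hits.append(flow["slug"])
    return hits


# Interim mitigation from the vendor advisory: an expression policy bound to the
# Identification stage that skips the stage once the flow context already holds
# a pending user, so a recovery link cannot be used to re-identify as someone
# else. The exact expression is this example's wording (assumption).
IDENTIFICATION_POLICY_EXPRESSION = 'return "pending_user" not in request.context'


def identification_stage_shown(flow_context):
    """Local mirror of IDENTIFICATION_POLICY_EXPRESSION for testing without authentik."""
    return "pending_user" not in flow_context


if __name__ == "__main__":
    for slug in affected_recovery_flows(FLOWS, BINDINGS):
        print(f"recovery flow '{slug}' binds Identification + Email stages: affected")
    print("identification shown with empty context:", identification_stage_shown({}))
    print("identification shown with pending user:",
          identification_stage_shown({"pending_user": "alice"}))
```

Only `default-recovery-flow` is flagged: `recovery-link-only` is a recovery flow but has no Identification stage, and the authentication flow is out of scope. On a real instance the two lists would be fetched with an API token and fed to `affected_recovery_flows` unchanged; the flagged flows are the ones that need the patch or, until it is applied, the identification-stage policy.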


Remediation

Install the security update from the vendor's website. Until the update is applied, the workaround given in the vendor advisory is to bind a policy to the Identification stage of the recovery flow that skips that stage whenever the flow context already holds a pending user.

External links