Incorrect authorization in authentik - CVE-2026-40166

Published: May 12, 2026


Vulnerability identifier: #VU131250
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40166
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Authentik Security Inc
Affected software: authentik

Detailed vulnerability description

The vulnerability allows a remote user to obtain sensitive information.

The vulnerability exists due to improper access control in the /api/v3/oauth2/access_tokens/ endpoint when handling authenticated GET requests for OAuth2 access tokens. A remote, authenticated user can retrieve an access token object whose nested provider object includes client_secret values, disclosing the provider's client secret.

Exposure is limited to confidential OAuth2 providers the user has previously authenticated against and for which the user has at least one access token.


How to mitigate CVE-2026-40166

Install the security update from the vendor's website.

Sources