Main Vulnerability Database Vulnerabilities #VU132753

Improper access control in authentik - #VU132753

Published: May 29, 2026

Vulnerability identifier: #VU132753

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Authentik Security Inc

Affected software:
authentik

Detailed vulnerability description

The vulnerability allows a remote user to authenticate as another user and gain that user's privileges.

The vulnerability exists due to improper access control in UserSourceConnectionSerializer and GroupSourceConnectionSerializer when handling API requests that modify source connection objects. A remote user can modify the user or group fields in a source connection to authenticate as a victim account and gain that user's privileges.

Exploitation requires the ability to change a source connection object and access to an account in one of the configured sources.

Remediation

Install security update from vendor's website.

Sources

https://github.com/goauthentik/authentik/security/advisories/GHSA-wr38-7xg8-fqxr

Improper access control in authentik - #VU132753

Detailed vulnerability description

Remediation

Sources

Please verify you're human