Authorization bypass through user-controlled key in authentik - CVE-2026-61574
Published: July 17, 2026
authentik
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key in the RAC endpoint list endpoint when handling requests for configured endpoints. A remote user can request the endpoint list to disclose sensitive information.
Only deployments using the enterprise Remote Access Control provider are affected, and credential exposure occurs when connection credentials are stored for endpoints.