Missing Authorization in authentik - #VU138386

 

Missing Authorization in authentik - #VU138386

Published: July 17, 2026


Vulnerability identifier: #VU138386
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Authentik Security Inc
Affected software:
authentik

Detailed vulnerability description

The vulnerability allows a remote user to modify or disable security event streams, delete streams, and cause a denial of service.

The vulnerability exists due to missing authorization in Shared Signals Framework stream management operations when handling requests for existing streams. A remote user can send requests to read, change, disable, or delete an application's event streams to modify or disable security event streams, delete streams, and cause a denial of service.

This affects only Enterprise deployments that use the Shared Signals Framework, where a provider is linked to an application as its backchannel provider and that application also issues access tokens to its users. On 2026.2, only stream deletion is reachable, while on 2026.5 the read, update, verify, and status operations are reachable.


Remediation

Install security update from vendor's website.

Sources