Skip to main content

Authentik CVE-2024-21637

HIGH
Cross-site Scripting (XSS) (CWE-79)
2024-01-11 security-advisories@github.com
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 19:34 vuln.today
Patch released
Mar 28, 2026 - 19:34 nvd
Patch available
CVE Published
Jan 11, 2024 - 06:15 nvd
HIGH 7.6

DescriptionGitHub Advisory

Authentik is an open-source Identity Provider. Authentik is a vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with response_mode=form_post. This relatively user could use the described attacks to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 2023.8.6.

AnalysisAI

Authentik is an open-source Identity Provider. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Authentik is an open-source Identity Provider. Authentik is a vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with response_mode=form_post. This relatively user could use the described attacks to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 2023.8.6. Affected products include: Goauthentik Authentik.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-48228 CRITICAL POC
9.8 Nov 21

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-23555 HIGH POC
8.8 Dec 28

authentik is an open-source Identity Provider focused on flexibility and versatility. Rated high severity (CVSS 8.8), th

CVE-2022-46172 MEDIUM POC
6.4 Dec 28

authentik is an open-source Identity provider focused on flexibility and versatility. Rated medium severity (CVSS 6.4),

CVE-2026-49448 CRITICAL
9.8 Jun 02

Authentication bypass in authentik identity provider (versions prior to 2025.12.6, 2026.2.4, and 2026.5.1) allows remote

CVE-2024-38371 CRITICAL
9.8 Jun 28

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2023-46249 CRITICAL
9.8 Oct 31

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-46145 CRITICAL
9.8 Dec 02

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2025-52553 CRITICAL
9.6 Jun 27

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token whi

CVE-2026-42849 CRITICAL
9.3 Jun 02

Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to

CVE-2026-25227 CRITICAL
9.1 Feb 12

Code injection in authentik identity provider from 2021.3.1 through multiple versions. Users with delegated permissions

CVE-2024-47070 CRITICAL
9.0 Sep 27

authentik is an open-source identity provider. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploi

CVE-2026-49443 HIGH
8.8 Jun 02

Authentication bypass in authentik identity provider versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 allows a low-pr

Share

CVE-2024-21637 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy