Skip to main content

Authentik CVE-2026-40166

Information Exposure (CWE-200)
2026-05-22 GitHub_M

Lifecycle Timeline

1
CVE Published
May 22, 2026 - 18:52 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. This logic is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3.

Analysis

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. This logic is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3.

CVE-2023-48228 CRITICAL POC
9.8 Nov 21

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-23555 HIGH POC
8.8 Dec 28

authentik is an open-source Identity Provider focused on flexibility and versatility. Rated high severity (CVSS 8.8), th

CVE-2022-46172 MEDIUM POC
6.4 Dec 28

authentik is an open-source Identity provider focused on flexibility and versatility. Rated medium severity (CVSS 6.4),

CVE-2026-49448 CRITICAL
9.8 Jun 02

Authentication bypass in authentik identity provider (versions prior to 2025.12.6, 2026.2.4, and 2026.5.1) allows remote

CVE-2024-38371 CRITICAL
9.8 Jun 28

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2023-46249 CRITICAL
9.8 Oct 31

authentik is an open-source Identity Provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-46145 CRITICAL
9.8 Dec 02

authentik is an open-source identity provider. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2025-52553 CRITICAL
9.6 Jun 27

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token whi

CVE-2026-42849 CRITICAL
9.3 Jun 02

Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to

CVE-2026-25227 CRITICAL
9.1 Feb 12

Code injection in authentik identity provider from 2021.3.1 through multiple versions. Users with delegated permissions

CVE-2024-47070 CRITICAL
9.0 Sep 27

authentik is an open-source identity provider. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploi

CVE-2026-49443 HIGH
8.8 Jun 02

Authentication bypass in authentik identity provider versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 allows a low-pr

Share

CVE-2026-40166 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy