Skip to main content

Authd

5 CVEs product

Monthly

CVE-2026-6970 Go HIGH POC PATCH GHSA This Week

authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege escalation. When a user's primary group ID (GID) differs from their UID, either because the account was created with authd prior to version 0.5.4 or because the primary group was manually changed via the `authctl group set-gid` command, and the user's identity provider record is updated, authd incorrectly resets the user's primary group ID to their UID upon next login. This causes newly created files and directories to be owned by the wrong group, causing denial of service issues, and potentially granting unintended access to other local users and allowing local privilege escalation.

Privilege Escalation Denial Of Service Authd
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-5689 Go HIGH PATCH This Week

Privilege escalation flaw in authd's temporary user record handling during pre-authentication NSS operations that causes first-time SSH login users to be incorrectly assigned root group membership within their session context. This allows authenticated users (PR:L) to gain elevated group privileges over the network (AV:N) with low complexity, affecting system confidentiality (C:H) and integrity (I:L). The vulnerability has a high CVSS score of 8.5, though real-world exploitation requires valid login credentials and depends on authentication infrastructure specifics.

Privilege Escalation Linux SSH Authentication Bypass Authd +1
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2024-9312 Go MEDIUM POC PATCH This Month

Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. Rated medium severity (CVSS 6.4). Public exploit code available and no vendor patch available.

Information Disclosure Authd
NVD GitHub
CVSS 3.1
6.4
EPSS
0.3%
CVE-2024-9313 Go HIGH PATCH This Week

Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation with it, including authenticating as them. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Authd
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2016-4982 MEDIUM This Month

authd sets weak permissions for /etc/ident.key, which allows local users to obtain the key by leveraging a race condition between the creation of the key, and the chmod to protect it. Rated medium severity (CVSS 4.7). No vendor patch available.

Race Condition Information Disclosure Authd
NVD
CVSS 3.0
4.7
EPSS
0.1%
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege escalation. When a user's primary group ID (GID) differs from their UID, either because the account was created with authd prior to version 0.5.4 or because the primary group was manually changed via the `authctl group set-gid` command, and the user's identity provider record is updated, authd incorrectly resets the user's primary group ID to their UID upon next login. This causes newly created files and directories to be owned by the wrong group, causing denial of service issues, and potentially granting unintended access to other local users and allowing local privilege escalation.

Privilege Escalation Denial Of Service Authd
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation flaw in authd's temporary user record handling during pre-authentication NSS operations that causes first-time SSH login users to be incorrectly assigned root group membership within their session context. This allows authenticated users (PR:L) to gain elevated group privileges over the network (AV:N) with low complexity, affecting system confidentiality (C:H) and integrity (I:L). The vulnerability has a high CVSS score of 8.5, though real-world exploitation requires valid login credentials and depends on authentication infrastructure specifics.

Privilege Escalation Linux SSH +3
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. Rated medium severity (CVSS 6.4). Public exploit code available and no vendor patch available.

Information Disclosure Authd
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation with it, including authenticating as them. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Authd
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM This Month

authd sets weak permissions for /etc/ident.key, which allows local users to obtain the key by leveraging a race condition between the creation of the key, and the chmod to protect it. Rated medium severity (CVSS 4.7). No vendor patch available.

Race Condition Information Disclosure Authd
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy