Insufficient user check in FlowTokens by Email stage
CVE-2023-26481

9.1 CRITICAL

Key Information:

CVE Published: 4 March 2023

What is CVE-2023-26481?

authentik, an open-source Identity Provider, is affected by a vulnerability caused by insufficient access checks in the password recovery flow. The flaw is exploitable when an administrator has configured a recovery flow that includes both an Identification stage and an Email stage. In that setup, an attacker who has access to the recovery link can reset the password of any user, because the recovery tokens issued by the Email stage are not correctly validated against the user being recovered. As a mitigation, apply policies that verify the integrity of the flow, especially for custom flows. The vulnerability is fixed in versions 2023.2.3, 2023.1.3, and 2022.12.2.

Affected Version(s)

authentik < 2023.2.3

authentik < 2023.1.3

authentik < 2022.12.2

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 4 March 2023
  • Vulnerability reserved