Information Exposure in Authentik Open-Source Identity Provider
CVE-2026-40166

7.1 HIGH

Key Information:

CVE Published:
22 May 2026

What is CVE-2026-40166?

Authentik, an open-source identity provider, contains a flaw that lets an authenticated non-admin user who holds at least one OAuth2 access token read the client_secret of confidential OAuth2 providers. The flaw lies in the logic of the API endpoint GET /api/v3/oauth2/access_tokens/: its response erroneously includes sensitive provider fields, including client_id and client_secret, for certain privileged providers, even though those fields should be visible only to higher-privilege users. The issue is fixed in Authentik 2025.12.5 and 2026.2.3, which stop unauthorized access to these confidential credentials.
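As an added illustration (not Authentik's code), the following Python models the class of bug the description names: a token-list endpoint whose row-level ownership filter is correct but which nests the full provider object, beside an allow-listed serializer that exposes client_id and client_secret only to privileged callers. The data model, field names and the superuser check are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Provider:
    pk: int
    name: str
    client_id: str
    client_secret: str  # confidential; must never reach ordinary token holders

@dataclass
class AccessToken:
    pk: int
    user: str
    provider: Provider

@dataclass
class User:
    username: str
    is_superuser: bool = False

# Constructed sample data, not real credentials.
CONFIDENTIAL = Provider(1, "confidential-app", "cid-123", "constructed-secret")
TOKENS = [AccessToken(10, "alice", CONFIDENTIAL), AccessToken(11, "bob", CONFIDENTIAL)]

def own_tokens(user, tokens):
    # Row-level filtering: a user only ever sees their own tokens.
    return [t for t in tokens if t.user == user.username]

def list_tokens_vulnerable(user, tokens):
    # Bug class: the nested provider is serialized whole, so client_secret
    # leaks to anyone who holds at least one token for that provider.
    return [{"pk": t.pk, "user": t.user, "provider": vars(t.provider)}
            for t in own_tokens(user, tokens)]

def serialize_provider(provider, user):
    # Fix: allow-list nested fields; credentials only for privileged callers
    # (the superuser check stands in for whatever permission model applies).
    data = {f: getattr(provider, f) for f in ("pk", "name")}
    if user.is_superuser:
        data["client_id"] = provider.client_id
        data["client_secret"] = provider.client_secret
    return data

def list_tokens_fixed(user, tokens):
    return [{"pk": t.pk, "user": t.user, "provider": serialize_provider(t.provider, user)}
            for t in own_tokens(user, tokens)]

def response_leaks_secret(response):
    # Regression check a test suite can keep: no row may carry a provider secret.
    return any("client_secret" in row["provider"] for row in response)
```

The regression check is the piece worth keeping: it fails the moment any nested object in a list endpoint starts carrying a secret again, regardless of which serializer introduced it.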

Affected Version(s)

authentik < 2025.12.5

authentik >= 2026.2.0-rc1, < 2026.2.3

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved
