CVE-2024-52287

moderate-risk

Published 2024-11-21

authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue.

Do I need to act?

0.24% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (1)

Authentik

Affected Vendors

Goauthentik

References (2)

Patch https://github.com/goauthentik/authentik/commit/e9c29e1644e9199b4ba58d2b10eb8c32...

Vendor Advisory https://github.com/goauthentik/authentik/security/advisories/GHSA-v6m7-8j37-8f4v

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal