Description
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. This logic is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
Published: 2026-05-22
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authorization flaw (CWE-863, resulting in CWE-200 information exposure) in authentik allows any authenticated non‑admin user who owns at least one OAuth2 access token to read the client_secret of the confidential OAuth2 providers that issued those tokens. The /api/v3/oauth2/access_tokens/ endpoint returns a nested provider object that includes client_id and client_secret, exposing credentials that should be visible only to administrators. With the secret, an attacker can authenticate to the provider's token endpoint as the legitimate OAuth2 client, which is the trust anchor for any downstream service that relies on that client identity.

Affected Systems

The vulnerability affects the open‑source identity provider authentik, maintained by goauthentik. Versions prior to 2025.12.5, and 2026.2.0-rc1 through 2026.2.2, are impacted. The issue was fixed in the 2025.12.5 and 2026.2.3 releases.

Risk and Exploitability

With a CVSS 4.0 score of 7.1 (High), the flaw is rated as a high confidentiality impact on the vulnerable system with no integrity or availability impact, plus a low subsequent‑system confidentiality impact (VC:H/VI:N/VA:N/SC:L). The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation needs only a valid low‑privilege account (PR:L) that holds at least one OAuth2 access token, a condition met by any ordinary user who has signed in to a confidential OAuth2 application through authentik. The disclosed client_secret lets an attacker present themselves as that client to the token endpoint, for example to redeem authorization codes, and thereby reach resources protected by the downstream application.

Generated by OpenCVE AI on May 22, 2026 at 20:20 UTC.
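The following script is an added example for this page, not code from OpenCVE or the authentik project. It gives an administrator a way to confirm whether an instance is affected, and to verify the fix after upgrading, by querying the endpoint named above as a low‑privilege user and flagging any access token whose nested provider object still carries a non‑empty client_secret. The response shape (a "results" array, each entry with a nested "provider" object) and the use of an authentik API token as a Bearer credential are assumptions; the embedded sample response is constructed so the check runs offline.

```python
import json
import sys
import urllib.request
from typing import Any

# Constructed sample response. The "results" + nested "provider" layout is an
# assumption about /api/v3/oauth2/access_tokens/ modelled on the CVE text; the
# first entry shows what an affected version returns for a confidential provider.
SAMPLE_RESPONSE = json.dumps({
    "pagination": {"count": 2},
    "results": [
        {
            "pk": 11,
            "user": {"pk": 7, "username": "alice"},
            "scope": ["openid", "profile"],
            "provider": {
                "pk": 3,
                "name": "grafana",
                "client_type": "confidential",
                "client_id": "grafana-client-id",
                "client_secret": "s3cr3t-that-must-not-leak",
            },
        },
        {
            "pk": 12,
            "user": {"pk": 7, "username": "alice"},
            "scope": ["openid"],
            "provider": {
                "pk": 4,
                "name": "spa",
                "client_type": "public",
                "client_id": "spa-client-id",
                "client_secret": "",
            },
        },
    ],
})


def find_exposed_secrets(body: str) -> list[dict[str, Any]]:
    """Return one finding per access token whose provider object
    serialises a non-empty client_secret. An empty list after the
    upgrade means the response no longer leaks the secret."""
    data = json.loads(body)
    findings: list[dict[str, Any]] = []
    for tok in data.get("results", []):
        prov = tok.get("provider") or {}
        secret = prov.get("client_secret")
        if secret:  # any non-empty value means the secret reached the caller
            findings.append({
                "token_pk": tok.get("pk"),
                "provider_pk": prov.get("pk"),
                "provider_name": prov.get("name"),
                "client_type": prov.get("client_type"),
                "client_id": prov.get("client_id"),
                # never print the whole secret into a log
                "secret_preview": secret[:4] + "...",
            })
    return findings


def fetch_access_tokens(base_url: str, user_api_token: str) -> str:
    """GET /api/v3/oauth2/access_tokens/ as the given (non-admin) user.
    Assumes authentik accepts the API token as a Bearer credential.
    Network call; not exercised by the offline sample."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v3/oauth2/access_tokens/",
        headers={
            "Authorization": f"Bearer {user_api_token}",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # usage: check.py https://authentik.example.org <non-admin API token>
    body = fetch_access_tokens(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_RESPONSE
    hits = find_exposed_secrets(body)
    for f in hits:
        print(f"LEAK token={f['token_pk']} provider={f['provider_name']} "
              f"({f['client_type']}) client_id={f['client_id']} secret={f['secret_preview']}")
    sys.exit(1 if hits else 0)
```

Run it with the credentials of an ordinary user who has signed in to at least one confidential provider; a non‑zero exit means that user can read the secret and the instance is still affected. Any provider that appears in the findings should have its client_secret rotated after the upgrade, since other users holding tokens for it may already have read the value.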

Remediation

The CVE description states the issue is fixed in authentik 2025.12.5 and 2026.2.3. No vendor workaround for unpatched versions is listed on this page.

OpenCVE Recommended Actions

  • Upgrade authentik to 2025.12.5 or later on the 2025.12 branch, or to 2026.2.3 or later on the 2026.2 branch; these releases fix the disclosure of client_secret through /api/v3/oauth2/access_tokens/.
  • If an immediate upgrade is not possible, restrict access to /api/v3/oauth2/access_tokens/ (for example at a reverse proxy) so that only administrator accounts can query it. Test this first: authentik's own user interface may call this endpoint to show users their tokens, so blocking it can break self‑service views.
  • After upgrading, rotate the client_secret of every confidential OAuth2 provider that any non‑admin user has authenticated against, since the old value may already have been read, and update the corresponding client configuration in the downstream applications. Audit existing access tokens to understand which providers were exposed.



Advisories

No advisories yet.

History

Fri, 22 May 2026 20:45:00 +0000

Type: First Time appeared
  Values Added: Goauthentik; Goauthentik authentik
Type: Vendors & Products
  Values Added: Goauthentik; Goauthentik authentik

Fri, 22 May 2026 19:15:00 +0000

Type: Description
  Values Added: authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. This logic is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
Type: Title
  Values Added: authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/
Type: Weaknesses
  Values Added: CWE-200; CWE-863
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T18:52:46.650Z

Reserved: 2026-04-09T19:31:56.014Z

Link: CVE-2026-40166

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T20:30:06Z

Weaknesses