Platform: go
Component: authentik
Fixed in: 2024.8.1, 2024.6.6
CVE-2024-47070 describes an authentication bypass vulnerability affecting authentik versions 2024.6.0 through 2024.8.2. This flaw allows attackers to circumvent password login mechanisms by crafting a malicious X-Forwarded-For header, potentially granting unauthorized access to user accounts. A fix is available in version 2024.8.3.
The impact of CVE-2024-47070 is significant, as it enables unauthorized access to user accounts within the authentik identity provider. An attacker can bypass the standard password authentication process by injecting a specially crafted X-Forwarded-For header containing an invalid IP address (e.g., 'a'). This bypass is contingent on the authentik instance trusting the X-Forwarded-For header, which is typically only the case in environments behind a reverse proxy or load balancer. Successful exploitation could lead to data breaches, privilege escalation, and compromise of sensitive information managed by authentik.
CVE-2024-47070 was publicly disclosed on 2024-09-27. The vulnerability requires the authentik instance to trust the X-Forwarded-For header, limiting exploitation to environments behind a reverse proxy. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation makes it a potential target for opportunistic attackers. The CVSS score of 9.1 (CRITICAL) reflects the severity of the vulnerability.
Exploit Status
EPSS: 0.14% (34th percentile)
The primary mitigation for CVE-2024-47070 is to upgrade authentik to version 2024.8.3 or later, which contains the fix for this vulnerability. If immediate upgrading is not feasible, consider implementing stricter validation of the X-Forwarded-For header at the reverse proxy or load balancer level. This can involve whitelisting trusted IP addresses or rejecting requests with malformed or unexpected header values. Additionally, review your authentik configuration to ensure that the X-Forwarded-For header is not being trusted unnecessarily. After upgrading, confirm the fix by attempting a login with a crafted X-Forwarded-For header; the login should be rejected.
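The interim mitigation above (accept X-Forwarded-For only from trusted proxies and reject malformed values) can be expressed as a small resolver that sits at the edge in front of the application. The following is an added illustration, not authentik's own code and not the patched logic from the advisory; the trusted-proxy network, the peer addresses and the header values are constructed for the example. It shows the two checks the text calls for: the header is ignored entirely unless the TCP peer is a known proxy, and every element of the header must parse as an IP literal, so a value such as `a` is rejected rather than silently used as a client address.

```python
import ipaddress
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed for this example: the only hosts allowed to set X-Forwarded-For
# are the reverse proxies on the 10.0.0.0/8 network (an assumption, not a value
# taken from the advisory).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


class BadForwardedHeader(ValueError):
    """Raised when X-Forwarded-For holds anything other than IP literals."""


def parse_xff(header: Optional[str]) -> List[IPAddr]:
    """Split X-Forwarded-For into a list of IP addresses, right-most = nearest hop.

    Every comma-separated element must parse as an IPv4 or IPv6 literal.
    Empty elements and non-address strings (the advisory's 'a' case) are rejected
    outright instead of being passed on to the application.
    """
    if header is None:
        return []
    hops: List[IPAddr] = []
    for raw in header.split(","):
        item = raw.strip()
        if not item:
            raise BadForwardedHeader("empty element in X-Forwarded-For")
        try:
            hops.append(ipaddress.ip_address(item))
        except ValueError:
            raise BadForwardedHeader(f"malformed address {item!r}") from None
    return hops


def header_is_wellformed(header: Optional[str]) -> bool:
    """Boolean wrapper around parse_xff for use in a proxy rule or a test."""
    try:
        parse_xff(header)
        return True
    except BadForwardedHeader:
        return False


def is_trusted_proxy(addr: IPAddr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip: str, header: Optional[str]) -> str:
    """Return the address the application should treat as the client.

    The header is honoured only when the TCP peer is a trusted proxy, and then
    only if every hop parses; a malformed header raises and the request should
    be refused. A direct (untrusted) peer is used as-is and anything it placed
    in X-Forwarded-For is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted_proxy(peer):
        return str(peer)
    hops = parse_xff(header)
    if not hops:
        return str(peer)
    # Walk from the nearest hop outward: the first address that is not one of
    # our own proxies is the real client.
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return str(hop)
    return str(hops[0])  # every hop was an internal proxy


if __name__ == "__main__":
    # Constructed requests: a proxied client, a direct client, and a malformed header.
    print(resolve_client_ip("10.0.0.5", "203.0.113.10, 10.0.0.7"))
    print(resolve_client_ip("198.51.100.9", "203.0.113.10"))
    print(header_is_wellformed("a"))
```

Placing this check at the proxy rather than in the application keeps the trust decision in one place: the application only ever sees a header that the proxy has already verified, and a request whose header fails `parse_xff` is dropped before it reaches the login flow.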
Update authentik to version 2024.8.3 or later. Alternatively, update to version 2024.6.5 or later. This corrects the password authentication bypass vulnerability via the X-Forwarded-For HTTP header.
CVE-2024-47070 is a critical vulnerability in authentik versions 2024.6.0–2024.8.2 that allows attackers to bypass password login by manipulating the X-Forwarded-For header, potentially gaining unauthorized access to user accounts.
You are affected if you are running authentik versions 2024.6.0 through 2024.8.2 and your authentik instance trusts the X-Forwarded-For header provided by the attacker.
Upgrade authentik to version 2024.8.3 or later. If immediate upgrading is not possible, implement stricter validation of the X-Forwarded-For header at the reverse proxy level.
While no public exploits are currently known, the ease of exploitation makes it a potential target for opportunistic attackers.
Refer to the authentik security advisory: https://github.com/authentikapp/authentik/security/advisories/GHSA-9864-x49p-643r