CVE-2023-26481
📋 TL;DR
This vulnerability in authentik allows attackers to reset passwords for any user account when administrators create recovery links or send recovery URLs. Attackers can exploit insufficient token validation in recovery flows to gain unauthorized access. All authentik deployments with vulnerable recovery flow configurations are affected.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
Authentik by Goauthentik
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user, including administrators, leading to full system compromise and data exfiltration.
Likely Case
Targeted account takeover of specific users for privilege escalation or data access.
If Mitigated
Limited to authorized password resets only for intended users with proper flow policies.
🎯 Exploit Status
Requires administrator to create recovery link or send recovery URL, but exploitation itself is straightforward once token is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.2.3, 2023.1.3, or 2022.12.2
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-3xf5-pqvf-rqq3
Restart Required: Yes
Instructions:
1. Backup your authentik configuration and database. 2. Update authentik to version 2023.2.3, 2023.1.3, or 2022.12.2 using your deployment method (Docker, Kubernetes, etc.). 3. Restart authentik services. 4. Verify the update was successful.
🔧 Temporary Workarounds
Add recovery flow policy
allAdd policy to recovery flows that checks if flow is restored and skips identification stage
Modify recovery flow policies to include check for request.context['is_restored']
Disable vulnerable recovery flows
allTemporarily disable or remove recovery flows with both Identification and Email stages
Disable affected recovery flows in authentik admin interface
🧯 If You Can't Patch
- Implement strict access controls on who can create recovery links
- Monitor and audit all recovery link creation and usage
🔍 How to Verify
Check if Vulnerable:
Check if running authentik version earlier than 2023.2.3, 2023.1.3, or 2022.12.2 and if recovery flows exist with both Identification and Email stages without proper 'is_restored' policy.Check Version:
docker exec authentik authentik version (for Docker) or check deployment manifest/configurationVerify Fix Applied:
Confirm authentik version is 2023.2.3, 2023.1.3, or 2022.12.2 or later, and test recovery flow functionality.📡 Detection & Monitoring
Log Indicators:
- Unusual password reset attempts
- Recovery flow usage for unexpected users
- Multiple failed then successful authentication from same source
Network Indicators:
- Unusual patterns in authentication API calls
- Spike in password reset requests
SIEM Query:
source="authentik" AND (event="password_reset" OR event="recovery_flow") | stats count by user