CVE-2023-36456
📋 TL;DR
This vulnerability in authentik allows an attacker to spoof their client IP address by setting the X-Forwarded-For or X-Real-IP request header. It affects authentik deployments that clients can reach directly without a reverse proxy (or behind a proxy that passes client-supplied headers through instead of overwriting them), letting the attacker bypass IP-based checks in authentication flows and policies, write a false client IP into logs and events, and pass the spoofed address on to downstream applications. Deployments where a correctly configured reverse proxy overwrites these headers are not affected.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Bypass of IP-based policies leading to unauthorized access to protected systems: for example, a policy that skips 2FA or grants access for requests from a trusted internal range can be satisfied by an external attacker who simply claims an internal address, so the attacker gets in without a second factor.
Likely Case
IP spoofing that records false client IPs in logs and events, bypass of IP-based restrictions in custom flows and policies, and downstream applications that receive the client IP from authentik acting on the spoofed address.
If Mitigated
Minimal impact if reverse proxy properly validates headers or IP-based policies are not used.
🎯 Exploit Status
Exploitation requires that the attacker can send requests to authentik directly, without a reverse proxy overwriting the forwarding headers. No authentication or special tooling is needed: adding an X-Forwarded-For or X-Real-IP header with the desired address to an ordinary HTTP request is sufficient.
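The following is an added illustration, not authentik's own code, of why the exploit is this simple and what the fix has to look like. It contrasts a resolver that trusts forwarding headers unconditionally (the pre-fix pattern) with one that honours them only from a configured trusted-proxy range, and runs both through an assumed IP-based policy ("office clients skip 2FA"). The CIDRs, the policy and the request samples are all assumptions for the example.

```python
"""Added example: client-IP resolution before and after a trusted-proxy check.

Not authentik's implementation; the CIDRs and the MFA policy are assumed.
"""
import ipaddress
from typing import Callable, Mapping, Tuple

# Assumed deployment: only these peers are allowed to set forwarding headers.
TRUSTED_PROXY_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "127.0.0.0/8")]
# Assumed IP-based policy: requests from the office range skip the 2FA stage.
OFFICE_NET = ipaddress.ip_network("192.168.1.0/24")


def is_trusted_proxy(addr: str) -> bool:
    """True if addr parses as an IP and falls inside a trusted proxy CIDR."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_CIDRS)


def vulnerable_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Pre-fix pattern: forwarding headers are honoured no matter who sent them,
    and the leftmost X-Forwarded-For entry (the one a client controls) wins."""
    xff = headers.get("X-Forwarded-For", "")
    if xff.strip():
        return xff.split(",")[0].strip()
    real = headers.get("X-Real-IP", "").strip()
    return real or remote_addr


def hardened_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Honour forwarding headers only when the TCP peer is a trusted proxy, then
    walk X-Forwarded-For right-to-left past our own proxies: the first address
    that is not one of ours is the real client, whatever it prepended itself."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr  # direct client: its headers are untrusted input
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed chain: trust none of it
        if not is_trusted_proxy(hop):
            return hop
    if hops:
        return hops[0]  # every hop is one of ours: an internal client
    real = headers.get("X-Real-IP", "").strip()
    try:
        ipaddress.ip_address(real)
        return real
    except ValueError:
        return remote_addr  # missing or malformed X-Real-IP


def mfa_required(client_ip: str) -> bool:
    """The assumed policy: office clients skip the second factor."""
    return ipaddress.ip_address(client_ip) not in OFFICE_NET


def evaluate(resolver: Callable[[str, Mapping[str, str]], str],
             remote_addr: str, headers: Mapping[str, str]) -> Tuple[str, bool]:
    """Resolve the client IP with the given strategy and apply the policy."""
    ip = resolver(remote_addr, headers)
    return ip, mfa_required(ip)


if __name__ == "__main__":
    # Constructed request: an external attacker connects directly and claims an office address.
    spoof = {"X-Forwarded-For": "192.168.1.20"}
    print("vulnerable:", evaluate(vulnerable_client_ip, "203.0.113.10", spoof))
    print("hardened:  ", evaluate(hardened_client_ip, "203.0.113.10", spoof))
```

The same spoofed header also gets through the vulnerable resolver when a proxy appends to X-Forwarded-For instead of overwriting it ("192.168.1.20, 203.0.113.10"), because the leftmost entry is still attacker-controlled; the right-to-left walk in the hardened version returns 203.0.113.10 in that case, which is why the workaround below insists on a proxy that overwrites the headers.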
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.4.3 (for the 2023.4 series) or 2023.5.5 (for the 2023.5 series)
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv
Restart Required: Yes
Instructions:
1. Update authentik to version 2023.4.3 or 2023.5.5.
2. Restart authentik services.
3. Verify the fix by checking the version and testing header validation.
🔧 Temporary Workarounds
Deploy behind reverse proxy
Place authentik behind a properly configured reverse proxy that overwrites (rather than appends to or passes through) the X-Forwarded-For and X-Real-IP headers with the address of the connecting client, and make sure authentik itself is not reachable except through that proxy.
Disable IP-based policies
Temporarily disable any authentication flows or policies whose decisions depend on the client IP address (allow or deny lists, stages skipped for internal ranges, per-IP reputation checks).
🧯 If You Can't Patch
- Deploy authentik behind a reverse proxy with proper header validation
- Audit and disable all IP-based authentication policies and flows
🔍 How to Verify
Check if Vulnerable:
You are vulnerable if authentik is older than 2023.4.3, or is 2023.5.x below 2023.5.5, and the instance can be reached by clients without a reverse proxy overwriting the forwarding headers.
Check Version:
Check the authentik version in the admin interface or via the authenticated API endpoint /api/v3/admin/version/
Verify Fix Applied:
After patching, send requests directly to authentik (bypassing the proxy) with X-Forwarded-For and X-Real-IP set to an address you do not control, and confirm that the client IP recorded in the resulting events is the real TCP peer address. The fixed releases honour these headers only from peers in the configured trusted-proxy CIDR list (AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS), which defaults to private ranges; set it to your proxy's actual addresses, and narrow it if untrusted clients share a private range with authentik.
📡 Detection & Monitoring
Log Indicators:
- Client IP values in authentik events that are internal, loopback or otherwise unexpected addresses for a deployment whose users connect from outside
- Authentication attempts recorded from IPs that should not have access, or whose recorded client IP does not match the connecting peer seen on the network
Network Indicators:
- HTTP requests carrying X-Forwarded-For or X-Real-IP that reach authentik from any source other than the reverse proxy
- Unusual authentication patterns, such as a rise in logins that skip IP-gated stages
SIEM Query:
source="authentik" AND (http_header="X-Forwarded-For" OR http_header="X-Real-IP") AND NOT src_ip IN [trusted_proxy_ips]
🔗 References
- https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff
- https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a
- https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv
- https://goauthentik.io/docs/releases/2023.4#fixed-in-202343
- https://goauthentik.io/docs/releases/2023.5#fixed-in-202355