CVE-2024-47070
📋 TL;DR
This vulnerability allows attackers to bypass password authentication in authentik by sending a malformed X-Forwarded-For header containing a non-IP address value like 'a'. This enables logging into any account with a known username or email address without requiring the password. Organizations running affected authentik versions with improperly configured X-Forwarded-For header trust are vulnerable.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user account where the username/email is known, leading to unauthorized access to all applications and services protected by the authentik instance.
Likely Case
Targeted account compromise of specific users, potentially leading to data breaches, privilege escalation, or lateral movement within the organization.
If Mitigated
No impact if proper network segmentation and header validation are in place, as the attack requires the authentik instance to trust attacker-controlled X-Forwarded-For headers.
🎯 Exploit Status
Exploitation requires network access to send HTTP requests with custom headers to the authentik instance. The technique is simple and well-documented in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.8.3 or 2024.6.5
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7
Restart Required: Yes
Instructions:
1. Backup your authentik configuration and database.
2. Update authentik to version 2024.8.3 or 2024.6.5 using your deployment method (Docker, Kubernetes, etc.).
3. Restart the authentik services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Configure proxy to strip X-Forwarded-For headers
Configure your reverse proxy or load balancer to strip or validate X-Forwarded-For headers from untrusted sources before they reach authentik.
# Example nginx configuration: overwrite any client-supplied X-Forwarded-For with the real peer address
proxy_set_header X-Forwarded-For $remote_addr;
# Example Apache configuration
RequestHeader unset X-Forwarded-For
Restrict network access to authentik
Limit which networks can access the authentik instance to only trusted internal networks.
# Example firewall rule (iptables)
iptables -A INPUT -p tcp --dport 9000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to prevent untrusted sources from reaching the authentik instance.
- Deploy a WAF or reverse proxy that validates and sanitizes X-Forwarded-For headers before they reach authentik.
🔍 How to Verify
Check if Vulnerable:
Check whether your authentik version is earlier than 2024.8.3 (for the 2024.8 series) or earlier than 2024.6.5 (for the 2024.6 series). Test by attempting to authenticate with a malformed X-Forwarded-For header containing 'a'.
Check Version:
docker exec authentik authentik version # for Docker deployments
# or check the web interface at /api/v3/version/
Verify Fix Applied:
After updating, verify the version is 2024.8.3 or 2024.6.5. Test that authentication fails when sending malformed X-Forwarded-For headers.
📡 Detection & Monitoring
Log Indicators:
- Authentication logs showing successful logins without password validation
- HTTP requests containing X-Forwarded-For headers with non-IP values like 'a'
- Exception logs related to IP parsing failures during authentication
Network Indicators:
- HTTP requests to authentication endpoints with custom X-Forwarded-For headers
- Unusual authentication patterns from single IP addresses
SIEM Query:
source="authentik" ("X-Forwarded-For: a" OR "authentication bypass" OR "password stage skipped")
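The log indicator above (X-Forwarded-For values that are not IP addresses) can be checked mechanically before it ever reaches a SIEM. The following is an added example, not code from authentik or the advisory: it scans proxy access logs in a constructed JSON-lines shape (field names `ts`, `remote`, `path`, `xff` are assumptions, as is the `/flows/executor/` path used to mark authentication requests) and reports every entry whose X-Forwarded-For chain contains a hop that does not parse as IPv4 or IPv6.

```python
# Added example (not authentik's or the advisory's own code): flag access-log
# entries whose X-Forwarded-For value carries a non-IP hop such as 'a'.
# Log format is a constructed JSON-lines shape; adapt field names to your proxy.
import ipaddress
import json

# Constructed sample log lines: line 3 carries the non-IP value 'a', line 4 an
# empty trailing hop; the rest are well-formed single- and multi-hop chains.
SAMPLE_LOG = """\
{"ts":"2024-10-01T10:00:00Z","remote":"203.0.113.7","path":"/api/v3/flows/executor/default-authentication-flow/","xff":"203.0.113.7"}
{"ts":"2024-10-01T10:00:01Z","remote":"198.51.100.4","path":"/api/v3/flows/executor/default-authentication-flow/","xff":"10.1.2.3, 198.51.100.4"}
{"ts":"2024-10-01T10:00:02Z","remote":"198.51.100.9","path":"/api/v3/flows/executor/default-authentication-flow/","xff":"a"}
{"ts":"2024-10-01T10:00:03Z","remote":"198.51.100.9","path":"/static/app.js","xff":"198.51.100.9, "}
{"ts":"2024-10-01T10:00:04Z","remote":"192.0.2.5","path":"/api/v3/flows/executor/default-authentication-flow/","xff":"2001:db8::1"}
"""

# Assumed path fragment identifying authentik flow-executor (authentication) requests.
AUTH_PATH_MARKER = "/flows/executor/"


def malformed_hops(xff: str) -> list[str]:
    """Return every comma-separated hop of an X-Forwarded-For value that is not a valid IPv4/IPv6 literal."""
    bad = []
    for hop in xff.split(","):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)  # raises ValueError for '', 'a', hostnames, etc.
        except ValueError:
            bad.append(hop)
    return bad


def find_malformed_xff(log_text: str) -> list[dict]:
    """Parse JSON-lines log text; return one finding per entry with a malformed X-Forwarded-For."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = json.loads(raw)
        xff = entry.get("xff")
        if xff is None:  # header absent: nothing to validate
            continue
        bad = malformed_hops(xff)
        if bad:
            findings.append({"ts": entry["ts"], "remote": entry["remote"], "path": entry["path"],
                             "bad_hops": bad, "auth_endpoint": AUTH_PATH_MARKER in entry["path"]})
    return findings


if __name__ == "__main__":
    for finding in find_malformed_xff(SAMPLE_LOG):
        print(finding)
```

A syntactically valid address from an untrusted client is still spoofable, so this check only catches the malformed-value indicator; the proxy overwrite and the vendor patch remain the actual mitigation.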