CVE-2024-52287
📋 TL;DR
authentik did not validate the scopes requested in client_credentials and device_code token requests against the scopes configured on the OAuth2 provider. A client holding valid credentials for such a provider could therefore be issued a token carrying scopes the provider was never meant to grant, and use it to reach resources beyond its intended permissions. Every authentik deployment with providers used through these two grant types is affected; the authorization_code flow is not part of this advisory.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain tokens with administrative scopes, gaining full control over the identity provider and potentially accessing all connected applications and user data.
Likely Case
Attackers obtain tokens with elevated privileges, accessing sensitive applications or data they shouldn't have permission to access.
If Mitigated
Attackers can only obtain tokens with properly configured scopes, limiting unauthorized access to intended resources only.
🎯 Exploit Status
Exploitation requires valid OAuth client credentials (client_credentials) or the ability to complete the device code flow for an affected provider; no separate authentication bypass is involved. Because the requested scopes are not checked, an otherwise legitimate client can escalate its own access simply by asking for extra scopes in the token request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.8.5 or 2024.10.3
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-v6m7-8j37-8f4v
Restart Required: Yes
Instructions:
1. Back up your authentik configuration and database.
2. Update authentik to 2024.8.5 (2024.8 branch) or 2024.10.3 (2024.10 branch) using your deployment method (Docker Compose, Kubernetes/Helm, etc.).
3. Restart the authentik server and worker services.
4. Verify the update was successful by confirming the running version and re-testing that a client_credentials or device_code token request asking for an unconfigured scope no longer receives it.
🔧 Temporary Workarounds
Disable vulnerable grant types
Temporarily stop using the client_credentials and device_code grant types until patching is possible.
Review every OAuth2 provider that clients use with client_credentials or device_code and disable those grants where your configuration allows it; where a grant cannot be turned off, reduce the provider's configured scopes to the minimum the client needs, since the scopes a vulnerable server will hand out are not bounded by that list.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate authentik from sensitive applications
- Enforce scope checks in each resource server: verify the token's scopes (and the client it was issued to) against what the endpoint actually requires instead of trusting that authentik limited them
🔍 How to Verify
Check if Vulnerable:
Check whether authentik is older than 2024.8.5 on the 2024.8 branch or older than 2024.10.3 on the 2024.10 branch, and whether any OAuth2 provider is used with client_credentials or device_code grants
Check Version:
The running version is shown in the admin interface and is returned by the authenticated API endpoint /api/v3/admin/version/. For container deployments, also check the server image tag in your Compose file, Helm values or deployment manifest.
Verify Fix Applied:
Confirm the running version is 2024.8.5 or later (2024.8 branch) or 2024.10.3 or later (2024.10 branch), then request a client_credentials or device_code token that asks for a scope not configured on the provider and confirm the returned token does not carry it.
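The scope test above, written out as a probe script. This is an added example, not authentik's own tooling: it requests a client_credentials token that asks for one scope beyond the provider's configured list and reports any scope the server granted anyway. It assumes authentik's standard /application/o/token/ endpoint, reads the client settings from environment variables (AUTHENTIK_URL, CLIENT_ID, CLIENT_SECRET, CONFIGURED_SCOPES are names chosen here), and falls back to reading the scope claim of the access token on the assumption that it is a JWT. The JWT is decoded without signature verification, for inspection only.

```python
"""Probe an authentik OAuth2 provider for CVE-2024-52287 scope validation.

Added example, not authentik's own tooling. Network calls only happen in main().
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def scope_set(scope_string):
    """Split a space-delimited OAuth 2.0 scope string into a set of scopes."""
    return set(scope_string.split()) if scope_string else set()


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature; inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        return {}
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64 or bad JSON
        return {}


def granted_scopes(token_response):
    """Scopes the server actually granted: the response's ``scope`` field
    (RFC 6749 section 5.1) or, failing that, the ``scope`` claim of the
    access token, which is assumed here to be a JWT."""
    if token_response.get("scope"):
        return scope_set(token_response["scope"])
    claims = jwt_claims(token_response.get("access_token", ""))
    return scope_set(claims.get("scope", ""))


def unexpected_scopes(token_response, configured_scopes):
    """Scopes granted that the provider was not configured to allow. A non-empty
    result for a client_credentials or device_code token means the scope check
    is missing, i.e. the deployment is still vulnerable."""
    return granted_scopes(token_response) - set(configured_scopes)


def request_client_credentials_token(token_url, client_id, client_secret, scopes):
    """POST a client_credentials grant and return the parsed JSON response.
    OAuth error responses (e.g. invalid_scope) are returned, not raised."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    }).encode()
    req = urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return json.load(err)
        except ValueError:
            return {"error": f"http_{err.code}"}


def main():
    # Assumed environment variable names; adjust to your deployment.
    base = os.environ["AUTHENTIK_URL"].rstrip("/")
    configured = scope_set(os.environ.get("CONFIGURED_SCOPES", "openid profile email"))
    probe = configured | {"goauthentik.io/api"}  # one scope the provider should NOT grant
    resp = request_client_credentials_token(
        f"{base}/application/o/token/",
        os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"], sorted(probe))
    if "error" in resp:
        print("server rejected the request:", resp["error"])
    extra = unexpected_scopes(resp, configured)
    if extra:
        print("VULNERABLE: token carries unconfigured scopes", sorted(extra))
    else:
        print("OK: no unconfigured scopes granted")


if __name__ == "__main__":
    main()
```

A patched server may either reject the request with an OAuth error or silently drop the extra scope; both leave unexpected_scopes() empty, so the verdict line is what matters. Run the same probe against the device code flow by completing it manually and feeding the token response to unexpected_scopes().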
📡 Detection & Monitoring
Log Indicators:
- Token requests using client_credentials or device_code whose requested scope list includes scopes not configured on the provider
- Tokens issued whose scope set is larger than the scopes configured for that client
Network Indicators:
- Increased token requests from single clients
- Token usage patterns showing access to unexpected resources
SIEM Query:
source="authentik" AND grant_type IN ("client_credentials", "device_code") AND NOT scope IN (<scopes configured for that client_id>)
The query is pseudo-syntax: substitute your index name and the per-client scope list, since "configured_scopes" has to come from your own provider inventory, not from the log.
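The SIEM pseudo-query and the "tokens issued with scopes not configured for the client" indicator, as detection logic run over sample events. This is an added example, not authentik's own code, and the event JSON below is constructed for illustration: the field names ts, grant_type, client_id and scope are assumptions that must be mapped onto whatever your authentik event export or reverse-proxy access logs actually carry. The per-client configured scopes are likewise a constructed inventory you would fill from your providers.

```python
"""Flag tokens issued with scopes a client was never configured for.

Added example, not authentik's own code. Event shape and inventory are constructed.
"""
import json
from collections import Counter

# Constructed inventory: scopes configured on each OAuth2 provider, by client_id.
CONFIGURED_SCOPES = {
    "svc-reporting": {"openid", "profile", "email"},
    "svc-kiosk": {"openid"},
}

# Only these grant types skip the scope check in affected versions.
AFFECTED_GRANTS = {"client_credentials", "device_code"}

# Constructed sample events, one JSON object per line, plus one junk line.
SAMPLE_EVENTS = """\
{"ts":"2024-11-20T10:00:01Z","grant_type":"client_credentials","client_id":"svc-reporting","scope":"openid profile email"}
{"ts":"2024-11-20T10:00:07Z","grant_type":"client_credentials","client_id":"svc-reporting","scope":"openid profile email goauthentik.io/api"}
{"ts":"2024-11-20T10:01:30Z","grant_type":"device_code","client_id":"svc-kiosk","scope":"openid offline_access"}
{"ts":"2024-11-20T10:02:00Z","grant_type":"authorization_code","client_id":"webapp","scope":"openid goauthentik.io/api"}
{"ts":"2024-11-20T10:02:05Z","grant_type":"client_credentials","client_id":"unknown-client","scope":"openid"}
not json at all
"""


def parse_events(lines):
    """Yield parsed event dicts, skipping blank and non-JSON lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def scope_escalations(lines, configured=CONFIGURED_SCOPES):
    """One finding per affected-grant token whose scopes exceed the client's
    configured set, or whose client_id is not in the inventory at all."""
    findings = []
    for ev in parse_events(lines):
        if ev.get("grant_type") not in AFFECTED_GRANTS:
            continue  # authorization_code etc. are outside this CVE
        client = ev.get("client_id")
        granted = set(ev.get("scope", "").split())
        allowed = configured.get(client)
        if allowed is None:
            findings.append({"ts": ev.get("ts"), "client_id": client,
                             "reason": "unknown_client", "excess": granted})
        elif granted - allowed:
            findings.append({"ts": ev.get("ts"), "client_id": client,
                             "reason": "scope_exceeds_config",
                             "excess": granted - allowed})
    return findings


def token_requests_per_client(lines):
    """Count affected-grant token events per client, for the volume indicator."""
    counts = Counter()
    for ev in parse_events(lines):
        if ev.get("grant_type") in AFFECTED_GRANTS:
            counts[ev.get("client_id")] += 1
    return counts


if __name__ == "__main__":
    events = SAMPLE_EVENTS.splitlines()
    for f in scope_escalations(events):
        print(f"{f['ts']} {f['client_id']}: {f['reason']} {sorted(f['excess'])}")
    print(dict(token_requests_per_client(events)))
```

The same comparison (granted scopes minus the client's configured set) is what a resource server should apply at request time if you cannot patch: treat any excess, or any client_id missing from the inventory, as a deny.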