CVE-2024-47070: Critical Flaw in authentik Identity Provider Allows Authentication Bypass
A critical security vulnerability (CVE-2024-47070) has been discovered in the popular Identity Provider (IdP) and Single Sign-On (SSO) solution, authentik. Rated with a high CVSS score of 9.1, this flaw allows attackers to bypass password authentication policies under certain conditions, raising serious concerns for organizations using affected versions of the software.
Authored with security in mind, authentik is designed to provide secure, flexible identity management and authentication solutions for site administrators, application developers, and security engineers. Despite its robust features, a flaw was discovered in how the platform handles the X-Forwarded-For HTTP header—commonly used in reverse proxy setups to pass the originating client’s IP address to the backend server.
The vulnerability, identified as CVE-2024-47070, allows an attacker to bypass password authentication by manipulating the X-Forwarded-For header. By inserting an unparsable value (e.g., “a”) into the header, the authentik system can be tricked into skipping critical authentication policies tied to the password stage. This exploit enables unauthorized access to user accounts with a known login or email address, without needing the correct password.
The vulnerability poses a significant risk in configurations where:
- authentik is accessible without a reverse proxy (and
AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRSis not set correctly) - The reverse proxy setup doesn’t correctly overwrite the X-Forwarded-For header
- Policies are applied to authentication/authorization flows
authentik versions up to and including 2024.8.2 and 2024.6.4 are susceptible to this vulnerability. Organizations using these versions are strongly urged to take immediate action.
The authentik team has released patched versions:
Upgrading to one of these versions is the recommended fix.
If immediate patching isn’t possible, there’s a workaround:
- Configure your reverse proxy to always set the X-Forwarded-For header to a valid IP address
- Manually change the “Failure result” option on policy bindings to “Pass.” This prevents stage skipping even with malicious requests, but it’s a less secure option.
