# CVE-2024-47077

_Reported by [@quentinmit](https://github.com/quentinmit)_

## Insufficient cross-provider token validation during introspection

### Summary

Access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access.

### Details

The proxy provider uses `/application/o/introspect/` to validate bearer tokens provided in the `Authorization` header:

The implementation of this endpoint separately validates the `client_id` and `client_secret` (which are that of the proxy provider) and the `token` without validating that they correspond to the same provider.

### Patches

authentik 2024.6.5 and 2024.8.3 fix this issue.

### For more information

If you have any questions or comments about this advisory:

-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)