authentik/docs/topics/security/cves/CVE-2023-39522.md
Teffen Ellis 582812b3ec website: Flesh out docs split.
2025-07-01 21:53:19 +02:00

CVE-2023-39522

Reported by @markrassamni

Username enumeration attack

Summary

Using a recovery flow that contains an identification stage, an attacker is able to determine whether a given username exists.

Patches

authentik 2023.5.6 and 2023.6.2 fix this issue.

Impact

Only deployments that have a recovery flow configured are affected by this.

Details

An attacker can easily enumerate users and confirm their existence through the recovery flow, because a clear error message is shown when the submitted user does not exist. Depending on how the identification stage is configured, this can be done by username, by email address, or by both.
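The following is an added, constructed example that illustrates the behaviour described above; it is not authentik's code, and the user store, messages, stage functions and probe are hypothetical. It places a vulnerable identification stage (distinct response when the user is missing) next to a fixed one (identical response either way, with the recovery email still sent only for real users), and runs a simple attacker probe against both to show that the oracle disappears once the responses are made uniform. It also generalises slightly beyond the text by matching on both username and email, mirroring the "username, email, or both" configuration.

```python
"""Constructed demonstration of username enumeration via a recovery flow's
identification stage. Hypothetical code, not authentik's implementation."""
from typing import Callable, List, Optional, Tuple

# Constructed user store: identifiers a recovery flow might match on.
USERS = {
    "alice": "alice@example.test",
    "bob": "bob@example.test",
}

# Hypothetical side-effect log, so the fixed stage can show it still
# only emails users that actually exist.
SENT: List[str] = []

GENERIC_MESSAGE = "If an account matches, recovery instructions have been sent."


def _lookup(identifier: str) -> Optional[str]:
    """Match the submitted identifier by username or email (both enabled here)."""
    for username, email in USERS.items():
        if identifier == username or identifier == email:
            return username
    return None


def send_recovery_email(username: str) -> None:
    """Hypothetical mail hook; records the recipient instead of sending."""
    SENT.append(username)


def identify_vulnerable(identifier: str) -> Tuple[int, str]:
    """Vulnerable stage: status code and message reveal whether the user exists."""
    user = _lookup(identifier)
    if user is None:
        return 400, "User not found."
    send_recovery_email(user)
    return 200, "Recovery email sent."


def identify_fixed(identifier: str) -> Tuple[int, str]:
    """Fixed stage: same status and message regardless of existence.
    The side effect (sending mail) still happens only for real users."""
    user = _lookup(identifier)
    if user is not None:
        send_recovery_email(user)
    return 200, GENERIC_MESSAGE


def enumerate_users(stage: Callable[[str], Tuple[int, str]],
                    candidates: List[str]) -> List[str]:
    """Attacker's probe: a candidate is reported as existing when its response
    differs from the response for an identifier known not to exist."""
    baseline = stage("definitely-not-a-user-9f3a")
    return [c for c in candidates if stage(c) != baseline]


if __name__ == "__main__":
    probes = ["alice", "bob@example.test", "carol"]
    print("vulnerable:", enumerate_users(identify_vulnerable, probes))
    print("fixed:     ", enumerate_users(identify_fixed, probes))
```

The probe compares the whole (status, message) pair, since either field can act as the oracle; a real check should also compare response length and timing, which this constructed example does not model.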

For more information

If you have any questions or comments about this advisory: