CVSS 3.1 Score 7.5 of 10 (high)


Published: Nov 21, 2023
Updated: Nov 29, 2023
CWE ID 287


CVE-2023-48228 is a high-severity vulnerability categorized as CWE-287 (Improper Authentication). It affects the authentik open-source identity provider in versions prior to 2023.10.4 and 2023.8.5. The flaw is in authentik's handling of PKCE (RFC 7636): when an OAuth2 authorization flow was initiated with a code_challenge and code_challenge_method (written code_method in the original summary), authentik did not check for a matching, existing code_verifier at the token step, so a token request that simply omitted the code_verifier was accepted and the code_challenge registered at authorization time was never verified. PKCE exists precisely so that an authorization code is useless to anyone who does not hold the matching code_verifier; with that check skipped, an attacker who obtains an authorization code (for example by intercepting the redirect to the client) can exchange it for tokens issued in the victim's name, which is why the weakness is classed as an authentication bypass rather than a mere hardening gap. To remediate, update authentik to version 2023.10.4 or 2023.8.5, which add the missing check.
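The following Python is an added illustration, not authentik's code and not part of this summary: it models the PKCE check a token endpoint must perform per RFC 7636. vulnerable_token_check reproduces the class of bug described above (the verifier is only checked when the client chooses to send one), while fixed_token_check shows the correct behaviour (once a code_challenge was bound to the code, a code_verifier is mandatory and must match). The record layout stored with the authorization code and the function names are assumptions; the verifier/challenge pair is the S256 test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets

# Added example, not authentik's code: a minimal model of the PKCE check a
# token endpoint must perform (RFC 7636). The record layout (a dict stored
# alongside the authorization code) is an assumption made for this example.

# RFC 7636 Appendix B test vector (S256 transform).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_matches(challenge: str, method: str, verifier: str) -> bool:
    """Compare a presented code_verifier against the stored challenge."""
    if method == "S256":
        expected = s256_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False  # unknown transform: never accept
    return secrets.compare_digest(expected, challenge)


def issue_auth_code(code_challenge=None, code_challenge_method="S256"):
    """What the authorization endpoint stores with the code (assumed layout)."""
    return {
        "code": secrets.token_urlsafe(32),
        "code_challenge": code_challenge,
        "code_challenge_method": code_challenge_method if code_challenge else None,
    }


def vulnerable_token_check(record, code_verifier):
    """Buggy token step: PKCE is only verified when the client sends a
    code_verifier, so omitting the parameter bypasses PKCE entirely."""
    if code_verifier is None or record["code_challenge"] is None:
        return True
    return pkce_matches(record["code_challenge"],
                        record["code_challenge_method"], code_verifier)


def fixed_token_check(record, code_verifier):
    """Correct token step: a challenge bound at authorization time makes the
    verifier mandatory; absence is a rejection, not a skipped check."""
    challenge = record["code_challenge"]
    if challenge is None:
        # Flow was started without PKCE; nothing to verify here. (A stricter
        # server may refuse such flows for public clients; out of scope.)
        return True
    if code_verifier is None:
        return False  # PKCE requested, verifier missing: reject
    if not 43 <= len(code_verifier) <= 128:
        return False  # RFC 7636 section 4.1 length bounds
    return pkce_matches(challenge, record["code_challenge_method"], code_verifier)


def demo():
    """Replay the scenario: an attacker holds a stolen code but not the verifier."""
    record = issue_auth_code(RFC7636_CHALLENGE, "S256")
    return {
        "legit_vulnerable": vulnerable_token_check(record, RFC7636_VERIFIER),
        "legit_fixed": fixed_token_check(record, RFC7636_VERIFIER),
        "attacker_vulnerable": vulnerable_token_check(record, None),
        "attacker_fixed": fixed_token_check(record, None),
        "wrong_verifier_fixed": fixed_token_check(record, "a" * 43),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Running demo() shows the difference in one line: the token request with no code_verifier is accepted by the vulnerable check and rejected by the fixed one, while the legitimate client (holding the verifier) is accepted by both. The practical check for a deployment is the same as the test here: start a flow with a code_challenge, then POST to the token endpoint without code_verifier; a correct server must answer with an invalid_grant error.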

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-48228 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options