CVE-2024-52289

authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no Redirect URIs are configured in a provider, authentik will automatically use the first redirect_uri value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either. Given a provider with the Redirect URIs set to https://foo.example.com, an attacker can register a domain fooaexample.com, and it will correctly pass validation. authentik 2024.8.5 and 2024.10.3 fix this issue. As a workaround, When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace `.` with `\.`.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/goauthentik/authentik/commit/85bb638243c8d7ea42ddd3b15b3f51a90d2b8c54	Patch
https://github.com/goauthentik/authentik/security/advisories/GHSA-3q5w-6m3x-64gj	Vendor Advisory
https://www.vicarius.io/vsociety/posts/cve-2024-52289-detect-authentik-vulnerability
https://www.vicarius.io/vsociety/posts/cve-2024-52289-mitigate-authentik-vulnerability

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:goauthentik:authentik::::::::
	cpe:2.3:a:goauthentik:authentik::::::::

History

23 Sep 2025, 19:15

Type	Values Removed	Values Added
References		() https://www.vicarius.io/vsociety/posts/cve-2024-52289-detect-authentik-vulnerability - () https://www.vicarius.io/vsociety/posts/cve-2024-52289-mitigate-authentik-vulnerability -

21 Aug 2025, 19:19

Type	Values Removed	Values Added
Summary		(es) authentik es un proveedor de identidad de código abierto. Las URI de redireccionamiento en el proveedor OAuth2 en authentik se verifican mediante una comparación de RegEx. Cuando no se configuran URI de redireccionamiento en un proveedor, authentik usará automáticamente el primer valor redirect_uri recibido como una URI de redireccionamiento permitida, sin escapar caracteres que tengan un significado especial en RegEx. De manera similar, la documentación tampoco tomó esto en consideración. Dado un proveedor con las URI de redireccionamiento configuradas en https://foo.example.com, un atacante puede registrar un dominio fooaexample.com y pasará la validación correctamente. authentik 2024.8.5 y 2024.10.3 solucionan este problema. Como workaround, al configurar proveedores OAuth2, asegúrese de escapar cualquier carácter comodín que no esté destinado a funcionar como comodín, por ejemplo, reemplace `.` con `\.`.
References	~~() https://github.com/goauthentik/authentik/commit/85bb638243c8d7ea42ddd3b15b3f51a90d2b8c54 -~~	() https://github.com/goauthentik/authentik/commit/85bb638243c8d7ea42ddd3b15b3f51a90d2b8c54 - Patch
References	~~() https://github.com/goauthentik/authentik/security/advisories/GHSA-3q5w-6m3x-64gj -~~	() https://github.com/goauthentik/authentik/security/advisories/GHSA-3q5w-6m3x-64gj - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:goauthentik:authentik::::::::
First Time		Goauthentik Goauthentik authentik

21 Nov 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-21 18:15

Updated : 2025-09-23 19:15

NVD link : CVE-2024-52289

Mitre link : CVE-2024-52289

CVE.ORG link : CVE-2024-52289

JSON object : View

Products Affected

goauthentik

authentik

CWE

CWE-185

Incorrect Regular Expression

9.8 /10