Authentik is a popular open source identity provider that can be self-hosted. SUSE IT is considering using this software internally in the future, and we were therefore asked to take a look at its security.

The Authentik version we examined was 2024.8.3. Beyond the finding in this report, we also discovered that SSL private keys could be accessed without authentication, but this was independently discovered and fixed in parallel by upstream before we had a chance to report it. The only CVE-worthy finding that remained is discussed in the next section. Some general insights into the security of Authentik are given in section 3.