CVE Alert

CVE-2026-40166

Severity: UNKNOWN (score 0.0)

authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 1st

authentik is an open-source identity provider. In versions prior to 2025.12.5, and in 2026.2.0-rc1 through 2026.2.2, an authenticated non-admin user who holds at least one OAuth2 access token can retrieve the client_secret of any confidential OAuth2 provider they have previously authenticated against, exposing sensitive information to users who lack the required permissions. The affected endpoint is GET /api/v3/oauth2/access_tokens/. Its response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential; that secret should not be readable by low-privilege users. The issue has been fixed in versions 2025.12.5 and 2026.2.3.

CWE: CWE-200, CWE-863
Vendor: goauthentik
Product: authentik
Published: May 22, 2026
Last Updated: May 26, 2026

Affected Versions

goauthentik / authentik
< 2025.12.5
>= 2026.2.0-rc1, < 2026.2.3

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/goauthentik/authentik/security/advisories/GHSA-hhpc-rqgm-pxj4
github.com: https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5
github.com: https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3