CVE-2024-23647 Overview
CVE-2024-23647 is an authentication weakness in Authentik, an open-source Identity Provider developed by goauthentik. The flaw resides in the implementation of Proof Key for Code Exchange (PKCE) within the OAuth 2.0 authorization flow. An attacker can downgrade the authentication exchange by removing the code_challenge parameter from the authorization request. When this parameter is absent, Authentik fails to enforce the PKCE verification step, bypassing the protection PKCE provides against Cross-Site Request Forgery (CSRF) and authorization code injection attacks. Versions 2023.8.7 and 2023.10.7 remediate the issue. This vulnerability is categorized under [CWE-287] Improper Authentication.
Critical Impact
A network-based attacker can strip PKCE protections from OAuth flows, enabling authorization code injection and CSRF attacks against Authentik-protected applications.
Affected Products
- goauthentik authentik versions prior to 2023.8.7
- goauthentik authentik versions prior to 2023.10.7
- All Authentik deployments using OAuth 2.0 with PKCE enforcement
Discovery Timeline
- 2024-01-30 - CVE-2024-23647 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-23647
Vulnerability Analysis
The vulnerability is a PKCE downgrade flaw in Authentik's OAuth 2.0 authorization server. PKCE was designed by RFC 7636 to mitigate authorization code interception attacks, particularly for public clients. The client generates a code_verifier and transmits its hash as code_challenge in the authorization request. During token exchange, the client supplies the original code_verifier, which the server validates against the previously stored challenge.
Authentik conditionally applied PKCE verification based on the presence of code_challenge in the authorization request. If an attacker intercepted or crafted an authorization request without the code_challenge parameter, Authentik skipped the verifier check entirely at the token endpoint. This converts a PKCE-protected flow into a standard authorization code flow vulnerable to code interception and replay.
Root Cause
The root cause is a conditional enforcement defect [CWE-287]. The server treats PKCE as opt-in per request rather than per client registration. Authentik should reject token requests for clients configured to require PKCE when the authorization request lacks the code_challenge parameter. Instead, the server silently dropped enforcement when the parameter was missing.
Attack Vector
The attack requires user interaction and network-adjacent positioning to manipulate the OAuth flow. An attacker tricks a victim into initiating an authorization request that omits the code_challenge, or intercepts and strips the parameter from the request. With PKCE bypassed, the attacker can perform authorization code injection: inducing the victim's client to redeem an attacker-controlled authorization code, binding the victim's session to the attacker's account or vice versa.
No public proof-of-concept code has been published for CVE-2024-23647. Technical specifics are available in the GitHub Security Advisory GHSA-mrx3-gxjx-hjqj and the upstream commit.
Detection Methods for CVE-2024-23647
Indicators of Compromise
- OAuth authorization requests to Authentik endpoints missing the code_challenge parameter from clients that previously sent it.
- Token endpoint exchanges succeeding without an accompanying code_verifier parameter.
- Anomalous successful authentications followed by session use from a different geographic location or user agent.
Detection Strategies
- Inspect Authentik authorization server logs for /application/o/authorize/ requests where code_challenge is absent for clients that historically included it.
- Correlate token endpoint requests with their originating authorization requests to identify flows where PKCE enforcement was skipped.
- Alert on OAuth redirect URI mismatches and unusual referrer headers indicative of a malicious initiator.
Monitoring Recommendations
- Forward Authentik audit and event logs to a central SIEM for OAuth-flow correlation and historical analysis.
- Track per-client PKCE usage ratios and alert when a client's PKCE compliance drops unexpectedly.
- Monitor for repeated authentication attempts targeting the same user from different sources within short time windows.
How to Mitigate CVE-2024-23647
Immediate Actions Required
- Upgrade Authentik to version 2023.8.7, 2023.10.7, or later immediately.
- Audit all OAuth client configurations and require PKCE for every public client.
- Invalidate active sessions and refresh tokens issued before the patch was applied.
- Review authorization and token endpoint logs for evidence of authorization requests lacking code_challenge.
Patch Information
The maintainers released fixes in Authentik 2023.8.7 and 2023.10.7. The corrective change is published in the upstream commit 38e04ae. After patching, Authentik enforces PKCE verification when a client is configured to require it, regardless of whether code_challenge appears in the authorization request. Full advisory details are in the GitHub Security Advisory GHSA-mrx3-gxjx-hjqj.
Workarounds
- No official workaround exists. Upgrading is the only supported remediation.
- Restrict network access to the Authentik authorization endpoints to trusted networks until the patch is deployed.
- Require clients to use confidential client authentication with strong client secrets to reduce the impact of PKCE bypass.
# Upgrade Authentik via Docker Compose to a patched release
export AUTHENTIK_TAG=2023.10.7
docker compose pull
docker compose up -d
# Verify the running version
docker compose exec server ak version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

