Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-42490

CVE-2024-42490: Goauthentik Authentik Auth Bypass Flaw

CVE-2024-42490 is an authentication bypass vulnerability in Goauthentik Authentik that allows unauthorized access to sensitive API endpoints. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2024-42490 Overview

CVE-2024-42490 is a broken access control vulnerability [CWE-285] in authentik, an open-source Identity Provider. Several API endpoints can be reached without proper authentication or authorization checks. The affected endpoints include /api/v3/crypto/certificatekeypairs/<uuid>/view_certificate/, /api/v3/crypto/certificatekeypairs/<uuid>/view_private_key/, and /api/v3/.../used_by/. Exploitation requires knowledge of the target object ID, and most IDs are UUIDv4 values that are not easily enumerable. Versions 2024.4.4, 2024.6.4, and 2024.8.0 remediate the issue.

Critical Impact

Unauthenticated access to authentik API endpoints can expose certificate material, including private keys, when an attacker obtains the object UUID.

Affected Products

  • goauthentik authentik versions prior to 2024.4.4
  • goauthentik authentik versions prior to 2024.6.4
  • goauthentik authentik versions prior to 2024.8.0

Discovery Timeline

  • 2024-08-22 - CVE-2024-42490 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-42490

Vulnerability Analysis

The vulnerability stems from missing authorization filters on several Django REST Framework API views in authentik. The view_certificate and view_private_key actions on the CertificateKeyPair API, plus the generic used_by action across multiple viewsets, did not apply object-level permission filtering. As a result, a request carrying an object UUID could retrieve sensitive data without the caller holding the required role. Certificate private keys are the most consequential exposure, since they can be used to impersonate services, sign tokens, or decrypt traffic that relies on the issued material.

Root Cause

The affected endpoints lacked the ObjectFilter permission class within the RBAC layer. Without that filter, authentik's REST views skipped the per-object authorization check and returned data once the URL resolved a valid object. The flaw is classified as Improper Authorization [CWE-285].

Attack Vector

The vulnerability is exploitable over the network without authentication. An attacker must know the UUID of the target object, which limits opportunistic exploitation. UUIDs may surface through logs, screenshots, backup files, or chained information disclosure. Once an ID is known, an attacker issues a direct HTTP GET request to the vulnerable endpoint to retrieve certificate content or used_by relationships.

python
# Patch excerpt: authentik/crypto/api.py
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
+from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()

# Patch excerpt: authentik/core/api/used_by.py
 from rest_framework.response import Response
 
 from authentik.core.api.utils import PassiveSerializer
+from authentik.rbac.filters import ObjectFilter
 
 
 class DeleteAction(Enum):

Source: authentik commit 19318d4 and authentik commit 359b343. The fix imports and applies ObjectFilter so that RBAC checks run on every request to the affected viewset actions.

Detection Methods for CVE-2024-42490

Indicators of Compromise

  • Unexpected HTTP GET requests to /api/v3/crypto/certificatekeypairs/<uuid>/view_certificate/ or /view_private_key/ from sessions without administrative role bindings.
  • Repeated 200 OK responses on /api/v3/.../used_by/ endpoints originating from unauthenticated or low-privileged sessions.
  • Access patterns where the same client IP enumerates multiple UUIDs in quick succession against crypto endpoints.

Detection Strategies

  • Review authentik audit logs for model_viewed events on CertificateKeyPair objects not tied to administrator activity.
  • Correlate web server access logs against authentik RBAC assignments to flag privilege mismatches on sensitive API paths.
  • Hunt for view_private_key access in any environment still running authentik prior to the patched releases.

Monitoring Recommendations

  • Forward authentik application and access logs to a centralized analytics platform for retention and correlation.
  • Alert on any successful response to view_private_key and treat each event as a high-priority investigation.
  • Track outbound use of private keys, such as new TLS handshakes signed by exported certificates, to detect post-exfiltration abuse.

How to Mitigate CVE-2024-42490

Immediate Actions Required

  • Upgrade authentik to 2024.4.4, 2024.6.4, or 2024.8.0 or later, matching the appropriate release branch.
  • Rotate any certificate key pairs managed by authentik that may have been exposed before patching.
  • Audit recent API access logs for unauthorized calls to the affected crypto and used_by endpoints.

Patch Information

The fix is published in the GitHub Security Advisory GHSA-qxqc-27pr-wgc8. The patches add ObjectFilter to the affected viewsets, restoring RBAC enforcement on view_certificate, view_private_key, and used_by actions. Apply releases 2024.4.4, 2024.6.4, or 2024.8.0.

Workarounds

  • Restrict network exposure of the authentik API to trusted management networks using a reverse proxy or network policy.
  • Enforce strict logging and rotation of certificate key pair UUIDs, avoiding distribution of object IDs outside administrative channels.
  • Revoke and reissue any high-value certificates if the upgrade cannot be applied within the maintenance window.
bash
# Upgrade authentik with Docker Compose
export AUTHENTIK_TAG=2024.8.0
docker compose pull
docker compose up -d

# Verify version
docker compose exec server ak version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.