CVE-2024-47070 Overview
A critical authentication bypass vulnerability exists in authentik, an open-source identity provider, that allows attackers to completely bypass password authentication by manipulating the X-Forwarded-For header. By supplying an unparsable IP address value (such as the single character a) in this header, attackers can skip the password verification stage entirely and gain unauthorized access to any account where the login or email address is known.
Critical Impact
Complete authentication bypass enabling unauthorized access to any user account without password verification, potentially compromising all identities managed by the affected authentik instance.
Affected Products
- goauthentik authentik versions prior to 2024.8.3
- goauthentik authentik versions prior to 2024.6.5
Discovery Timeline
- 2024-09-27 - CVE-2024-47070 published to NVD
- 2025-08-21 - Last updated in NVD database
Technical Details for CVE-2024-47070
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287) stems from improper input validation of the X-Forwarded-For HTTP header combined with a policy binding misconfiguration in authentik's default blueprint. The vulnerability affects the password authentication stage in authentik's login flow, where a policy is bound to determine whether the password stage should be executed or skipped.
The authentication flow in authentik can be configured with an Identification stage that optionally includes an embedded password stage. A policy bound to the password stage checks whether to skip it if the Identification stage already handles password verification. However, when the X-Forwarded-For header contains an invalid IP address value, the validation exception occurs too late in the processing chain, causing the bound policy to fail.
The default blueprint does not correctly set failure_result to True on the policy binding, which means when the policy throws an exception due to the malformed header, it returns False instead of True. This causes the password stage to be incorrectly skipped, allowing authentication to proceed without password verification.
Root Cause
The root cause is twofold: insufficient early validation of the X-Forwarded-For header to ensure it contains a valid IP address format, and an insecure default configuration in the policy binding that treats exceptions as successful policy evaluations (skip password) rather than failures (require password). The X-Forwarded-For header value is not validated as a proper IP address early enough in the request processing, allowing malformed values to propagate and cause exceptions in policy evaluation.
Attack Vector
The attack is network-based and requires the authentik instance to trust the X-Forwarded-For header provided by the attacker. This typically occurs when authentik is deployed behind a reverse proxy but the proxy is misconfigured or bypassed, or when the attacker has direct network access to the authentik server. The attacker simply needs to know a valid username or email address of a target account and inject a malformed X-Forwarded-For header value in their authentication request.
# Security patch adding IP address validation
# Source: https://github.com/goauthentik/authentik/commit/78f7b04d5a62b2a9d4316282a713c2c7857dbe29
from collections.abc import Callable
from hashlib import sha512
+from ipaddress import ip_address
from time import perf_counter, time
from typing import Any
The patch imports Python's ipaddress module to properly validate IP addresses early in the middleware processing chain, preventing malformed values from causing exceptions in downstream policy evaluation.
Detection Methods for CVE-2024-47070
Indicators of Compromise
- Authentication log entries showing successful logins without corresponding password verification events
- HTTP requests containing malformed X-Forwarded-For header values (non-IP address strings like a, test, or other invalid formats)
- Unusual login patterns for accounts, particularly from unexpected source addresses or rapid successive authentications
- Audit trail anomalies showing authentication events bypassing normal flow stages
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests with malformed X-Forwarded-For headers containing non-IP values
- Monitor authentik authentication logs for login events that complete without password stage execution
- Configure alerting on authentication attempts with invalid header formats targeting the identity provider
- Review reverse proxy logs for requests with suspicious header manipulation patterns
Monitoring Recommendations
- Enable detailed authentication flow logging in authentik to capture stage execution details
- Set up alerts for authentication events where the password stage policy evaluation fails or is skipped unexpectedly
- Monitor for reconnaissance activity such as enumeration of valid usernames or email addresses
- Implement network-level monitoring to detect direct access attempts to authentik bypassing the reverse proxy
How to Mitigate CVE-2024-47070
Immediate Actions Required
- Upgrade authentik to version 2024.8.3 or 2024.6.5 immediately to address this critical vulnerability
- Review authentication logs for any evidence of exploitation attempts or unauthorized access
- Verify that your reverse proxy configuration does not allow untrusted clients to set the X-Forwarded-For header
- Force password resets for any accounts where unauthorized access is suspected
Patch Information
The vulnerability has been fixed in authentik versions 2024.8.3 and 2024.6.5. The fix adds proper IP address validation using Python's ipaddress module early in the middleware processing chain. Additionally, the patches update the default blueprint configuration to properly handle policy evaluation failures. For detailed information, refer to the GitHub Security Advisory GHSA-7jxf-mmg9-9hg7.
Relevant commits:
Workarounds
- Configure your reverse proxy (nginx, Traefik, etc.) to strip or sanitize incoming X-Forwarded-For headers from untrusted sources before forwarding to authentik
- Ensure authentik is not directly accessible from untrusted networks; all traffic should flow through a properly configured reverse proxy
- Implement network segmentation to prevent direct attacker access to the authentik server
- Consider temporarily disabling trust of forwarded headers until patching is complete
# Example nginx configuration to sanitize X-Forwarded-For
# Only trust X-Forwarded-For from known proxy addresses
proxy_set_header X-Forwarded-For $remote_addr;
# Or to completely remove untrusted headers:
proxy_set_header X-Forwarded-For "";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
