Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-47070

CVE-2024-47070: Goauthentik Auth Bypass Vulnerability

CVE-2024-47070 is an authentication bypass flaw in Goauthentik Authentik that allows attackers to skip password verification using malformed X-Forwarded-For headers. This article covers technical details, affected versions, and patches.

Published:

CVE-2024-47070 Overview

A critical authentication bypass vulnerability exists in authentik, an open-source identity provider, that allows attackers to completely bypass password authentication by manipulating the X-Forwarded-For header. By supplying an unparsable IP address value (such as the single character a) in this header, attackers can skip the password verification stage entirely and gain unauthorized access to any account where the login or email address is known.

Critical Impact

Complete authentication bypass enabling unauthorized access to any user account without password verification, potentially compromising all identities managed by the affected authentik instance.

Affected Products

  • goauthentik authentik versions prior to 2024.8.3
  • goauthentik authentik versions prior to 2024.6.5

Discovery Timeline

  • 2024-09-27 - CVE-2024-47070 published to NVD
  • 2025-08-21 - Last updated in NVD database

Technical Details for CVE-2024-47070

Vulnerability Analysis

This authentication bypass vulnerability (CWE-287) stems from improper input validation of the X-Forwarded-For HTTP header combined with a policy binding misconfiguration in authentik's default blueprint. The vulnerability affects the password authentication stage in authentik's login flow, where a policy is bound to determine whether the password stage should be executed or skipped.

The authentication flow in authentik can be configured with an Identification stage that optionally includes an embedded password stage. A policy bound to the password stage checks whether to skip it if the Identification stage already handles password verification. However, when the X-Forwarded-For header contains an invalid IP address value, the validation exception occurs too late in the processing chain, causing the bound policy to fail.

The default blueprint does not correctly set failure_result to True on the policy binding, which means when the policy throws an exception due to the malformed header, it returns False instead of True. This causes the password stage to be incorrectly skipped, allowing authentication to proceed without password verification.

Root Cause

The root cause is twofold: insufficient early validation of the X-Forwarded-For header to ensure it contains a valid IP address format, and an insecure default configuration in the policy binding that treats exceptions as successful policy evaluations (skip password) rather than failures (require password). The X-Forwarded-For header value is not validated as a proper IP address early enough in the request processing, allowing malformed values to propagate and cause exceptions in policy evaluation.

Attack Vector

The attack is network-based and requires the authentik instance to trust the X-Forwarded-For header provided by the attacker. This typically occurs when authentik is deployed behind a reverse proxy but the proxy is misconfigured or bypassed, or when the attacker has direct network access to the authentik server. The attacker simply needs to know a valid username or email address of a target account and inject a malformed X-Forwarded-For header value in their authentication request.

python
# Security patch adding IP address validation
# Source: https://github.com/goauthentik/authentik/commit/78f7b04d5a62b2a9d4316282a713c2c7857dbe29

from collections.abc import Callable
from hashlib import sha512
+from ipaddress import ip_address
from time import perf_counter, time
from typing import Any

The patch imports Python's ipaddress module to properly validate IP addresses early in the middleware processing chain, preventing malformed values from causing exceptions in downstream policy evaluation.

Detection Methods for CVE-2024-47070

Indicators of Compromise

  • Authentication log entries showing successful logins without corresponding password verification events
  • HTTP requests containing malformed X-Forwarded-For header values (non-IP address strings like a, test, or other invalid formats)
  • Unusual login patterns for accounts, particularly from unexpected source addresses or rapid successive authentications
  • Audit trail anomalies showing authentication events bypassing normal flow stages

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block requests with malformed X-Forwarded-For headers containing non-IP values
  • Monitor authentik authentication logs for login events that complete without password stage execution
  • Configure alerting on authentication attempts with invalid header formats targeting the identity provider
  • Review reverse proxy logs for requests with suspicious header manipulation patterns

Monitoring Recommendations

  • Enable detailed authentication flow logging in authentik to capture stage execution details
  • Set up alerts for authentication events where the password stage policy evaluation fails or is skipped unexpectedly
  • Monitor for reconnaissance activity such as enumeration of valid usernames or email addresses
  • Implement network-level monitoring to detect direct access attempts to authentik bypassing the reverse proxy

How to Mitigate CVE-2024-47070

Immediate Actions Required

  • Upgrade authentik to version 2024.8.3 or 2024.6.5 immediately to address this critical vulnerability
  • Review authentication logs for any evidence of exploitation attempts or unauthorized access
  • Verify that your reverse proxy configuration does not allow untrusted clients to set the X-Forwarded-For header
  • Force password resets for any accounts where unauthorized access is suspected

Patch Information

The vulnerability has been fixed in authentik versions 2024.8.3 and 2024.6.5. The fix adds proper IP address validation using Python's ipaddress module early in the middleware processing chain. Additionally, the patches update the default blueprint configuration to properly handle policy evaluation failures. For detailed information, refer to the GitHub Security Advisory GHSA-7jxf-mmg9-9hg7.

Relevant commits:

Workarounds

  • Configure your reverse proxy (nginx, Traefik, etc.) to strip or sanitize incoming X-Forwarded-For headers from untrusted sources before forwarding to authentik
  • Ensure authentik is not directly accessible from untrusted networks; all traffic should flow through a properly configured reverse proxy
  • Implement network segmentation to prevent direct attacker access to the authentik server
  • Consider temporarily disabling trust of forwarded headers until patching is complete
bash
# Example nginx configuration to sanitize X-Forwarded-For
# Only trust X-Forwarded-For from known proxy addresses
proxy_set_header X-Forwarded-For $remote_addr;
# Or to completely remove untrusted headers:
proxy_set_header X-Forwarded-For "";

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.