CVE-2026-40166: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in goauthentik authentik
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. This logic is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
AI Analysis
Technical Summary
In goauthentik authentik, a sensitive information exposure vulnerability (CWE-200) exists in versions before 2025.12.5 and from 2026.2.0-rc1 up to but not including 2026.2.3. Authenticated users with limited privileges who hold at least one OAuth2 access token can access the client_secret of confidential OAuth2 providers via the GET /api/v3/oauth2/access_tokens/ API endpoint. The response improperly includes the client_secret in the nested provider object, violating access control expectations. This vulnerability has been addressed by removing the exposure in versions 2025.12.5 and 2026.2.3.
Potential Impact
The vulnerability allows unauthorized disclosure of client_secret credentials for confidential OAuth2 providers to authenticated users without admin privileges. This exposure can lead to compromise of OAuth2 client credentials, potentially enabling unauthorized access or impersonation of OAuth2 clients. The CVSS 4.0 score is 7.1 (high severity), reflecting network attack vector, low attack complexity, no privileges required beyond authenticated user, and high confidentiality impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade affected authentik installations to version 2025.12.5 or later, or to version 2026.2.3 or later, where this vulnerability has been fixed. No other mitigation or temporary workaround is documented. Patch status is confirmed fixed in these versions.
CVE-2026-40166: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in goauthentik authentik
Description
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. This logic is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In goauthentik authentik, a sensitive information exposure vulnerability (CWE-200) exists in versions before 2025.12.5 and from 2026.2.0-rc1 up to but not including 2026.2.3. Authenticated users with limited privileges who hold at least one OAuth2 access token can access the client_secret of confidential OAuth2 providers via the GET /api/v3/oauth2/access_tokens/ API endpoint. The response improperly includes the client_secret in the nested provider object, violating access control expectations. This vulnerability has been addressed by removing the exposure in versions 2025.12.5 and 2026.2.3.
Potential Impact
The vulnerability allows unauthorized disclosure of client_secret credentials for confidential OAuth2 providers to authenticated users without admin privileges. This exposure can lead to compromise of OAuth2 client credentials, potentially enabling unauthorized access or impersonation of OAuth2 clients. The CVSS 4.0 score is 7.1 (high severity), reflecting network attack vector, low attack complexity, no privileges required beyond authenticated user, and high confidentiality impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade affected authentik installations to version 2025.12.5 or later, or to version 2026.2.3 or later, where this vulnerability has been fixed. No other mitigation or temporary workaround is documented. Patch status is confirmed fixed in these versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T19:31:56.014Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a10ab41e1370fbb483c5684
Added to database: 5/22/2026, 7:15:13 PM
Last enriched: 5/22/2026, 7:29:56 PM
Last updated: 5/23/2026, 7:27:09 PM
Views: 18
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.