authentik
cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*
- <= 2026.2.2
- <= 2025.12.4
A vulnerability in authentik, an open-source identity provider, allows authenticated non-admin users with at least one OAuth2 access token to access the client_secret of confidential OAuth2 providers they have previously authenticated with. This sensitive information is exposed through the API endpoint /api/v3/oauth2/access_tokens/. The vulnerability exists in authentik versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2.
Exploitation of this vulnerability allows unauthorized users to access confidential client secrets of OAuth2 providers, potentially leading to misuse of client credentials depending on the provider's configuration.
Users can upgrade to authentik versions 2025.12.5 or 2026.2.3 to address this vulnerability. For versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, it is recommended to restrict API access to /api/v3/oauth2/access_tokens/ for non-admin users or to review and limit which users can complete OAuth2 flows with confidential providers until a patched version is applied.
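As an added example (not part of the advisory and not authentik's own code), the following Python helper classifies a deployed version against the affected ranges stated above and scans an API response for any non-empty `client_secret` value, which is what a defender checks when confirming that a patched deployment no longer returns the secret. The sample response is constructed; its nested `provider` object and field layout are an assumption, not authentik's documented schema.

```python
import re

# Boundaries taken from the advisory text above.
FIXED_2025 = "2025.12.5"          # first fixed release of the 2025.12 line
FIRST_AFFECTED_RC = "2026.2.0-rc1"  # start of the affected 2026.2 range
LAST_AFFECTED_2026 = "2026.2.2"   # last affected 2026.2 release (2026.2.3 is fixed)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")


def version_key(version: str) -> tuple:
    """Map an authentik version string to a sortable tuple.

    A release candidate sorts before the final release of the same number,
    so 2026.2.0-rc1 < 2026.2.0 < 2026.2.1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised authentik version: {version!r}")
    major, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch), is_final, int(rc or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside either affected range from the advisory."""
    v = version_key(version)
    if v < version_key(FIXED_2025):
        return True
    return version_key(FIRST_AFFECTED_RC) <= v <= version_key(LAST_AFFECTED_2026)


def find_client_secrets(obj, path="$"):
    """Recursively collect JSON paths at which a non-empty client_secret appears.

    Run over the body returned by /api/v3/oauth2/access_tokens/ for a
    non-admin user; a patched deployment should yield an empty list.
    """
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key == "client_secret" and val:
                hits.append(f"{path}.{key}")
            hits.extend(find_client_secrets(val, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_client_secrets(item, f"{path}[{i}]"))
    return hits


# Constructed sample response (assumed shape, not authentik's real schema).
SAMPLE_RESPONSE = {
    "results": [{
        "pk": 1,
        "scope": ["openid"],
        "provider": {"name": "example-app", "client_id": "abc123",
                     "client_secret": "PLACEHOLDER-SECRET"},
    }]
}
```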