PKCE downgrade attack in Authentik
Description
Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authentik OAuth2 PKCE implementation suffers from a downgrade attack where removing the code_challenge from the authorization request bypasses PKCE checks, allowing CSRF and code injection attacks.
Vulnerability
Authentik's implementation of PKCE (Proof Key for Code Exchange) in OAuth2 flows contains a downgrade vulnerability (CVE-2024-23647). PKCE is designed to protect against CSRF and code injection attacks by requiring a code_challenge in the authorization request and a code_verifier in the token request. However, prior to versions 2023.8.7 and 2023.10.7, if an attacker removes the code_challenge parameter from the authorization request, authentik does not perform the PKCE check, effectively downgrading the protection [1][2].
Exploitation
An attacker can exploit this by initiating the authorization process without the code_challenge parameter, e.g., through a phishing link. The attacker then intercepts the authorization code and exchanges it for a token without needing the code_verifier. This bypasses the PKCE safeguard even if the OAuth client intended to use PKCE [2]. The attack is explicitly noted in the OAuth Security Best Current Practice as a PKCE downgrade attack that must be mitigated [2].
Impact
Successful exploitation allows an attacker to perform CSRF attacks and code injection attacks, potentially gaining unauthorized access to user accounts or performing actions on behalf of the user. The vulnerability undermines the security guarantees that PKCE provides for both public and confidential clients [1][2].
Mitigation
The issue is fixed in authentik versions 2023.8.7 and 2023.10.7 [2]. The fix adds a check that if a token request contains a code_verifier but the authorization code does not have a corresponding code_challenge, the request is rejected with an 'invalid_grant' error [4]. Users should upgrade to the patched versions immediately.
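The token-endpoint check described above, as an added Python example that is not authentik's own code: it models the PKCE verification a token endpoint performs for one authorization code, with the downgrade guard from the fix switchable so the pre-patch and post-patch behaviour can be compared side by side. The names (`verify_pkce`, `TokenError`, `s256_challenge`, `outcome`) and the sample verifier string are constructed for this illustration and are not authentik identifiers.

```python
from base64 import urlsafe_b64encode
from hashlib import sha256
from typing import Optional

# Added illustration, not authentik's code: a minimal model of a token endpoint's
# PKCE verification with the CVE-2024-23647 downgrade guard switchable.

METHOD_S256 = "S256"
METHOD_PLAIN = "plain"


class TokenError(Exception):
    """Hypothetical error type carrying an OAuth2 error code such as 'invalid_grant'."""

    def __init__(self, error: str):
        super().__init__(error)
        self.error = error


def s256_challenge(verifier: str) -> str:
    # RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding
    digest = sha256(verifier.encode("ascii")).digest()
    return urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def verify_pkce(
    code_challenge: Optional[str],
    code_challenge_method: Optional[str],
    code_verifier: Optional[str],
    downgrade_guard: bool = True,
) -> str:
    """Return 'ok' if the token request may proceed, otherwise raise TokenError.

    code_challenge / code_challenge_method: what was stored with the authorization
    code when it was issued. code_verifier: what the token request carries.
    downgrade_guard=False reproduces the behaviour before 2023.8.7 / 2023.10.7.
    """
    if code_challenge:
        # The authorization code was issued with PKCE: a verifier is mandatory.
        if not code_verifier:
            raise TokenError("invalid_grant")
        if code_challenge_method == METHOD_S256:
            derived = s256_challenge(code_verifier)
        else:
            derived = code_verifier  # 'plain' method: challenge equals verifier
        if derived != code_challenge:
            raise TokenError("invalid_grant")
        return "ok"

    # The authorization code was issued WITHOUT a code_challenge.
    if downgrade_guard and code_verifier:
        # The fix: a client that presents a verifier expected PKCE to be in force,
        # so a code that was never bound to a challenge must not be accepted.
        raise TokenError("invalid_grant")
    # Neither side used PKCE: the ordinary (non-PKCE) authorization code flow.
    return "ok"


def outcome(**kwargs) -> str:
    """Return the error code instead of raising, handy for tabulating the cases."""
    try:
        return verify_pkce(**kwargs)
    except TokenError as exc:
        return exc.error


if __name__ == "__main__":
    verifier = "constructed-sample-verifier-0123456789abcdefghijklmnop"  # constructed
    challenge = s256_challenge(verifier)
    cases = [
        ("challenged code, correct verifier", dict(code_challenge=challenge, code_challenge_method=METHOD_S256, code_verifier=verifier)),
        ("challenged code, wrong verifier", dict(code_challenge=challenge, code_challenge_method=METHOD_S256, code_verifier="other")),
        ("challenged code, no verifier", dict(code_challenge=challenge, code_challenge_method=METHOD_S256, code_verifier=None)),
        ("unchallenged code, verifier sent (patched)", dict(code_challenge=None, code_challenge_method=None, code_verifier=verifier)),
        ("unchallenged code, verifier sent (pre-patch)", dict(code_challenge=None, code_challenge_method=None, code_verifier=verifier, downgrade_guard=False)),
        ("unchallenged code, no verifier", dict(code_challenge=None, code_challenge_method=None, code_verifier=None)),
    ]
    for name, kw in cases:
        print(f"{name:48s} -> {outcome(**kw)}")
```

The fourth and fifth cases are the ones the advisory is about: an authorization code issued from a request whose code_challenge was stripped is redeemed with a verifier, and only the guarded version rejects it. The last case is not an error in either version, because a code issued without a challenge and redeemed without a verifier is simply a non-PKCE flow; whether PKCE is mandatory for a client is a separate policy that has to be enforced when the authorization request is processed.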
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| goauthentik.io (Go) | >= 2023.10.0, < 2023.10.7 | 2023.10.7 |
| goauthentik.io (Go) | < 2023.8.7 | 2023.8.7 |
Affected products
- osv-coords (no CPE): range < 2023.8.7
- osv-coords (no CPE): range >= 2023.10.0, < 2023.10.7
- goauthentik/authentik (v5): range < 2023.8.7
Patches
38e04ae12720 security: fix CVE-2024-23647
1 file changed · +5 −1
authentik/providers/oauth2/views/token.py+5 −1 modified@@ -232,7 +232,7 @@ def __post_init_code(self, raw_code: str, request: HttpRequest): if self.authorization_code.code_challenge: # Authorization code had PKCE but we didn't get one if not self.code_verifier: - raise TokenError("invalid_request") + raise TokenError("invalid_grant") if self.authorization_code.code_challenge_method == PKCE_METHOD_S256: new_code_challenge = ( urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest()) @@ -245,6 +245,10 @@ def __post_init_code(self, raw_code: str, request: HttpRequest): if new_code_challenge != self.authorization_code.code_challenge: LOGGER.warning("Code challenge not matching") raise TokenError("invalid_grant") + # Token request had a code_verifier but code did not have a code challenge + # Prevent downgrade + if not self.authorization_code.code_challenge and self.code_verifier: + raise TokenError("invalid_grant") def __post_init_refresh(self, raw_token: str, request: HttpRequest): if not raw_token:
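Review bot: in the first hunk (@@ -232), the `if not self.code_verifier:` branch changes the public error response from `invalid_request` to `invalid_grant`; that aligns it with the mismatch branch further down, which already raises `invalid_grant`, but the commit message (`security: fix CVE-2024-23647`) says nothing about it. Call the error-code change out in the message or the advisory and add a token-endpoint test asserting the new code so it does not silently regress.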
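Review bot: in the second hunk (@@ -245), the new guard `if not self.authorization_code.code_challenge and self.code_verifier:` is placed after the whole `if self.authorization_code.code_challenge:` block, so the two outcomes for an unchallenged code are separated from the two outcomes for a challenged one and depend on nothing above having returned early. It reads more clearly, and is harder to reorder by accident, as an `else:` branch of that `if`, and the comment `# Prevent downgrade` should say what is being prevented (a code issued without a code_challenge being redeemed with a code_verifier, CVE-2024-23647). Note also that the guard only fires when the token request carries a `code_verifier`; redeeming an unchallenged code without a verifier is still accepted, which is the ordinary non-PKCE flow, so any policy that PKCE is mandatory for a client has to be enforced when the authorization request is processed rather than here. A regression test covering all four challenge/verifier combinations would document the intended matrix.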
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mrx3-gxjx-hjqj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-23647 (ghsa, ADVISORY)
- github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a (ghsa, x_refsource_MISC, WEB)
- github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.