apk package

chainguard/authentik-2026.2

pkg:apk/chainguard/authentik-2026.2

Vulnerabilities (33)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-54274		—	< 2026.2.4-r4	2026.2.4-r4	Jun 15, 2026	### Summary If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. ### Impact If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive m
CVE-2026-54275	low	—	< 2026.2.4-r4	2026.2.4-r4	Jun 15, 2026	### Summary The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused. ### Impact If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by reus
CVE-2026-54280	low	—	< 2026.2.4-r4	2026.2.4-r4	Jun 15, 2026	### Summary Payload resources are not closed correctly when a client disconnects in the middle of a write. ### Impact If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection
CVE-2026-54273		—	< 2026.2.4-r4	2026.2.4-r4	Jun 15, 2026	### Summary No limit was present on the number of pipelined requests that could be queued. ### Impact An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. ----- Patch: https://github.com/aio-libs/aiohttp/commit/dfd
CVE-2026-54278		—	< 2026.2.4-r4	2026.2.4-r4	Jun 15, 2026	### Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. ### Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip
CVE-2026-54277		—	< 2026.2.4-r4	2026.2.4-r4	Jun 15, 2026	### Summary It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. ### Impact If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an exces
CVE-2026-54276		—	< 2026.2.4-r4	2026.2.4-r4	Jun 15, 2026	### Summary ``DigestAuthMiddleware`` can send an authentication response after following a cross-origin redirect. ### Impact If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest. This likel
CVE-2026-54279	low	—	< 2026.2.4-r4	2026.2.4-r4	Jun 15, 2026	### Summary Host-only cookies that are saved with ``CookieJar.save()`` and then restored later with ``CookieJar.load()`` lose their host-only status. ### Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disall
CVE-2026-45409	Med	5.3	< 2026.2.4-r1	2026.2.4-r1	Jun 5, 2026	Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t
CVE-2026-44503	Hig	—	< 2026.2.1-r9	2026.2.1-r9	May 14, 2026	The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Co
CVE-2026-44432	Hig	7.5	< 2026.2.1-r9	2026.2.1-r9	May 13, 2026	urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w
CVE-2026-44431	Med	5.3	< 2026.2.1-r9	2026.2.1-r9	May 13, 2026	urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
CVE-2026-6907	Med	4.3	< 2026.2.1-r9	2026.2.1-r9	May 5, 2026	An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django
CVE-2026-5766	Med	5.3	< 2026.2.1-r9	2026.2.1-r9	May 5, 2026	An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminde
CVE-2026-35192	Med	6.5	< 2026.2.1-r9	2026.2.1-r9	May 5, 2026	An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier,
CVE-2026-28684	Med	6.6	< 2026.2.1-r5	2026.2.1-r5	Apr 20, 2026	python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a c
CVE-2026-39892	Cri	9.8	< 2026.2.1-r3	2026.2.1-r3	Apr 8, 2026	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner
CVE-2026-39373	Med	5.3	< 2026.2.1-r5	2026.2.1-r5	Apr 7, 2026	JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but do
CVE-2026-4292	Low	2.7	< 2026.2.1-r3	2026.2.1-r3	Apr 7, 2026	An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.
CVE-2026-4277	Cri	9.8	< 2026.2.1-r3	2026.2.1-r3	Apr 7, 2026	An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2

CVE-2026-54274Jun 15, 2026
affected < 2026.2.4-r4fixed 2026.2.4-r4
### Summary If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. ### Impact If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive m
CVE-2026-54275lowJun 15, 2026
affected < 2026.2.4-r4fixed 2026.2.4-r4
### Summary The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused. ### Impact If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by reus
CVE-2026-54280lowJun 15, 2026
affected < 2026.2.4-r4fixed 2026.2.4-r4
### Summary Payload resources are not closed correctly when a client disconnects in the middle of a write. ### Impact If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection
CVE-2026-54273Jun 15, 2026
affected < 2026.2.4-r4fixed 2026.2.4-r4
### Summary No limit was present on the number of pipelined requests that could be queued. ### Impact An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. ----- Patch: https://github.com/aio-libs/aiohttp/commit/dfd
CVE-2026-54278Jun 15, 2026
affected < 2026.2.4-r4fixed 2026.2.4-r4
### Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. ### Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip
CVE-2026-54277Jun 15, 2026
affected < 2026.2.4-r4fixed 2026.2.4-r4
### Summary It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. ### Impact If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an exces
CVE-2026-54276Jun 15, 2026
affected < 2026.2.4-r4fixed 2026.2.4-r4
### Summary ``DigestAuthMiddleware`` can send an authentication response after following a cross-origin redirect. ### Impact If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest. This likel
CVE-2026-54279lowJun 15, 2026
affected < 2026.2.4-r4fixed 2026.2.4-r4
### Summary Host-only cookies that are saved with ``CookieJar.save()`` and then restored later with ``CookieJar.load()`` lose their host-only status. ### Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disall
CVE-2026-45409MedJun 5, 2026
affected < 2026.2.4-r1fixed 2026.2.4-r1
Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t
CVE-2026-44503HigMay 14, 2026
affected < 2026.2.1-r9fixed 2026.2.1-r9
The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Co
CVE-2026-44432HigMay 13, 2026
affected < 2026.2.1-r9fixed 2026.2.1-r9
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w
CVE-2026-44431MedMay 13, 2026
affected < 2026.2.1-r9fixed 2026.2.1-r9
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
CVE-2026-6907MedMay 5, 2026
affected < 2026.2.1-r9fixed 2026.2.1-r9
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django
CVE-2026-5766MedMay 5, 2026
affected < 2026.2.1-r9fixed 2026.2.1-r9
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminde
CVE-2026-35192MedMay 5, 2026
affected < 2026.2.1-r9fixed 2026.2.1-r9
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier,
CVE-2026-28684MedApr 20, 2026
affected < 2026.2.1-r5fixed 2026.2.1-r5
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a c
CVE-2026-39892CriApr 8, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner
CVE-2026-39373MedApr 7, 2026
affected < 2026.2.1-r5fixed 2026.2.1-r5
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but do
CVE-2026-4292LowApr 7, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.
CVE-2026-4277CriApr 7, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2

Page 1 of 2