Okta
Products: 16
Recent CVEs (16)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-24295 | Okta | High | 0.59 | 8.8 | 0.18 | | Feb 21, 2022 | Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL. |
| CVE-2023-0093 | Okta | High | 0.57 | 8.8 | 0.01 | | Mar 6, 2023 | Okta Advanced Server Access Client versions 1.13.1 through 1.65.0 are vulnerable to command injection due to the third party library webbrowser. An outdated library, webbrowser, used by the ASA client was found to be vulnerable to command injection. To exploit this issue, an… |
| CVE-2022-1030 | Okta | High | 0.57 | 8.8 | 0.01 | | Mar 23, 2022 | Okta Advanced Server Access Client for Linux and macOS prior to version 1.58.0 was found to be vulnerable to command injection via a specially crafted URL. An attacker, who has knowledge of a valid team name for the victim and also knows a valid target host where the user has… |
| CVE-2024-10327 | Okta | High | 0.53 | 8.1 | 0.01 | | Oct 24, 2024 | A vulnerability in Okta Verify for iOS versions 9.25.1 (beta) and 9.27.0 (including beta) allows push notification responses through the iOS ContextExtension feature allowing the authentication to proceed regardless of the user's selection. When a user long-presses the… |
| CVE-2024-9875 | Okta | High | 0.46 | 7.1 | 0.00 | | Nov 21, 2024 | Okta Privileged Access server agent (SFTD) versions 1.82.0 to 1.84.0 are affected by a privilege escalation vulnerability when the sudo command bundles feature is enabled. To remediate this vulnerability, upgrade the Okta Privileged Access server agent (SFTD) to version 1.87.1… |
| CVE-2024-9191 | Okta | High | 0.46 | 7.1 | 0.00 | | Nov 1, 2024 | The Okta Device Access features, provided by the Okta Verify agent for Windows, provide access to the OktaDeviceAccessPipe, which enables attackers in a compromised device to retrieve passwords associated with Desktop MFA passwordless logins. The vulnerability was discovered… |
| CVE-2024-0981 | Okta | High | 0.46 | 7.1 | 0.00 | | Jul 23, 2024 | Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. This issue occurs when the plugin prompts the user to save these credentials within Okta Personal. A fix was implemented to properly escape these fields,… |
| CVE-2024-0980 | Okta | High | 0.46 | 7.1 | 0.00 | | Mar 28, 2024 | The Auto-update service for Okta Verify for Windows is vulnerable to two flaws which in combination could be used to execute arbitrary code. |
| CVE-2021-28113 | Okta | Med | 0.45 | 6.7 | 0.22 | | Apr 2, 2021 | A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account. |
| CVE-2025-7371 | Okta | Med | 0.44 | 6.8 | 0.00 | | Jul 22, 2025 | Okta On-Premises Provisioning (OPP) agents log certain user data during administrator-initiated password resets. This vulnerability allows an attacker with access to the local servers running OPP agents to retrieve user personal information and temporary passwords created during… |
| CVE-2023-0392 | Okta | Med | 0.44 | 6.7 | 0.00 | | Nov 8, 2023 | The LDAP Agent Update service with versions prior to 5.18 used an unquoted path, which could allow arbitrary code execution. |
| CVE-2024-7061 | Okta | Med | 0.36 | 5.5 | 0.00 | | Aug 7, 2024 | Okta Verify for Windows is vulnerable to privilege escalation through DLL hijacking. The vulnerability is fixed in Okta Verify for Windows version 5.0.2. To remediate this vulnerability, upgrade to 5.0.2 or greater. |
| CVE-2022-1697 | Okta | Low | 0.25 | 3.9 | 0.00 | | Sep 6, 2022 | Okta Active Directory Agent versions 3.8.0 through 3.11.0 installed the Okta AD Agent Update Service using an unquoted path. Note: To remediate this vulnerability, you must uninstall Okta Active Directory Agent and reinstall Okta Active Directory Agent 3.12.0 or greater per the… |
| CVE-2022-3145 | Okta | Med | 0.24 | 4.7 | 0.00 | | Jan 12, 2023 | An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL. |
| CVE-2025-67505 | Okta | | 0.00 | — | 0.00 | | Dec 10, 2025 | Okta Java Management SDK facilitates interactions with the Okta management API. In versions 11.0.0 through 20.0.0, race conditions may arise from concurrent requests using the ApiClient class. This could cause a status code or response header from one request's response to… |
| CVE-2025-66033 | Okta | | 0.00 | — | 0.00 | | Dec 10, 2025 | Okta Java Management SDK facilitates interactions with the Okta management API. In versions 21.0.0 through 24.0.0, specific multithreaded implementations may encounter memory issues as threads are not properly cleaned up after requests are completed. Over time, this can degrade… |