CVE-2026-40166

Reported by @Colbascov

Non-admin users can read confidential OAuth provider client secrets via the access token endpoint

Summary

Authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, via GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users.
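The response shape described above can be checked offline with the following script. It is an added example and not authentik's own code: it assumes a paginated DRF-style body with a `results` list whose entries carry a nested `provider` object with `client_type`, `client_id` and `client_secret` keys, as the advisory describes. The sample response, the provider names and the secret value are constructed. `find_exposed_secrets` flags tokens whose confidential provider still carries a non-empty `client_secret`, which is the condition to verify against a patched instance; `redact_provider` shows the mitigation pattern of stripping that field from nested representations for non-admin callers.

```python
"""Check an /api/v3/oauth2/access_tokens/ response for leaked client secrets.

Added example, not authentik's own code. Assumes a paginated DRF-style
response with a "results" list, each entry carrying a nested "provider"
object with "client_type", "client_id" and "client_secret" keys, as the
advisory describes. The sample response below is constructed.
"""
import json

# Constructed sample mimicking the vulnerable response shape (all values fake).
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {
            "pk": 1,
            "provider": {
                "pk": 10,
                "name": "grafana",  # hypothetical provider name
                "client_type": "confidential",
                "client_id": "grafana-client",
                "client_secret": "EXAMPLE_SECRET_NOT_REAL",
            },
        },
        {
            "pk": 2,
            "provider": {
                "pk": 11,
                "name": "spa-frontend",
                "client_type": "public",
                "client_id": "spa-client",
                "client_secret": "",
            },
        },
        {
            "pk": 3,
            "provider": {
                "pk": 12,
                "name": "patched-provider",
                "client_type": "confidential",
                "client_id": "patched-client",
                # a patched instance omits client_secret for non-admin callers
            },
        },
    ]
})


def find_exposed_secrets(response_text: str) -> list[dict]:
    """Return one record per token whose nested confidential provider
    still carries a non-empty client_secret."""
    leaks = []
    body = json.loads(response_text)
    for token in body.get("results", []):
        provider = token.get("provider") or {}
        secret = provider.get("client_secret")
        if provider.get("client_type") == "confidential" and secret:
            leaks.append({
                "token_pk": token.get("pk"),
                "provider_pk": provider.get("pk"),
                "provider_name": provider.get("name"),
            })
    return leaks


def redact_provider(provider: dict, *, is_admin: bool) -> dict:
    """Mitigation pattern: drop client_secret from a nested provider
    representation unless the requesting user is an admin."""
    if is_admin:
        return dict(provider)
    return {k: v for k, v in provider.items() if k != "client_secret"}


def redact_response(response_text: str, *, is_admin: bool) -> str:
    """Apply redact_provider to every token in a serialized response."""
    body = json.loads(response_text)
    for token in body.get("results", []):
        if isinstance(token.get("provider"), dict):
            token["provider"] = redact_provider(token["provider"], is_admin=is_admin)
    return json.dumps(body)


if __name__ == "__main__":
    for leak in find_exposed_secrets(SAMPLE_RESPONSE):
        print(f"token {leak['token_pk']}: provider {leak['provider_name']} "
              f"(pk {leak['provider_pk']}) exposes client_secret")
    redacted = redact_response(SAMPLE_RESPONSE, is_admin=False)
    print("after redaction for a non-admin:", find_exposed_secrets(redacted))
```

To check your own deployment, save the JSON body returned to a non-admin test account and pass it to `find_exposed_secrets`; an empty list means the nested provider no longer exposes the secret. The redaction helper illustrates the general fix of keying nested field exposure on the caller's privilege rather than on the parent object's ownership.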

Patches

authentik 2025.12.5 and 2026.2.3 fix this issue; for other versions, the workaround described below can be used.

Impact

Any authenticated non-admin user who has previously completed an OAuth2 flow against a confidential provider — and therefore has an access token object returned by /api/v3/oauth2/access_tokens/ — can read that provider's client_secret. Exposure is limited to providers the user has access to and has logged into at least once; users cannot read secrets for providers they have never authenticated against. This could allow unauthorized reuse of confidential client credentials depending on the provider configuration.

Workarounds

Restrict API access to /api/v3/oauth2/access_tokens/ for non-admin users, or review and limit which users are permitted to complete OAuth2 flows against confidential providers until a patched version can be applied.

For more information

If you have any questions or comments about this advisory: