
recovery: consume token in transaction #19967

Merged
BeryJu merged 1 commit into goauthentik:main from kolega-ai-dev:finding_8
Feb 3, 2026

Conversation

@kolega-ai-dev (Contributor) commented Feb 3, 2026

Vulnerability identified and fix provided by Kolega.dev

Summary

Fixed a race condition vulnerability in the recovery token view that allowed token reuse via concurrent requests.

Vulnerability

The UseTokenView.get() method performed the token existence check, retrieval, user login, and token deletion as separate non-atomic operations. An attacker with a valid recovery token could exploit the race window to authenticate multiple times using the same token before it was deleted.

Fix

Wrapped the entire token validation and consumption flow in transaction.atomic() with select_for_update() to ensure exclusive database row locking. This prevents concurrent requests from accessing the same token simultaneously, eliminating the race condition.

Token validation, user login, and token deletion were performed as
separate non-atomic operations, allowing concurrent requests to reuse
a single recovery token. Wrapped the operation in transaction.atomic()
with select_for_update() to ensure exclusive access during token use.
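The two shapes the description contrasts, as an added example that is not authentik's code: a "check, log in, then delete" sequence run as separate statements, beside a version that does all three inside one transaction while holding the row's lock (the shape of the `transaction.atomic()` + `select_for_update()` fix). It uses the standard-library `sqlite3` module instead of Django's ORM and PostgreSQL; SQLite has no `SELECT ... FOR UPDATE`, so `BEGIN IMMEDIATE` (which takes the database's single write lock for the whole transaction) stands in for the row lock. The `tokens` table, the token value, the user name and the `login` stand-in are constructed test data, and the `race()` harness deliberately releases the second request while the first is still between its lookup and its delete.

```python
"""Race demo for a one-time recovery token: non-atomic consume vs. locked consume.

Added example, not authentik's code. sqlite3 stands in for Django/PostgreSQL and
BEGIN IMMEDIATE stands in for select_for_update(); table, token and user are constructed.
"""
import os
import sqlite3
import tempfile
import threading
import time

HOLD_SECONDS = 0.3       # how long request A spends "logging in" between lookup and delete
TOKEN = "recovery-abc"   # constructed token value


def make_db() -> str:
    """Create a fresh database holding one unused recovery token."""
    path = os.path.join(tempfile.mkdtemp(), "tokens.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")  # readers never block the writer
    con.execute("CREATE TABLE tokens (key TEXT PRIMARY KEY, user TEXT NOT NULL)")
    con.execute("INSERT INTO tokens VALUES (?, ?)", (TOKEN, "alice"))
    con.commit()
    con.close()
    return path


def connect(path: str) -> sqlite3.Connection:
    # isolation_level=None: no implicit BEGIN, statements autocommit unless we open a
    # transaction ourselves. timeout: a blocked writer waits instead of raising.
    return sqlite3.connect(path, timeout=5, isolation_level=None)


def lookup(con: sqlite3.Connection, key: str):
    rows = con.execute("SELECT user FROM tokens WHERE key = ?", (key,)).fetchall()
    return rows[0][0] if rows else None


def consume_racy(path: str, key: str, login):
    """Vulnerable shape: check, login and delete as separate autocommit statements.
    A second request can pass the check between this lookup and this DELETE."""
    con = connect(path)
    try:
        user = lookup(con, key)
        if user is None:
            return None
        login(user)  # the user is authenticated before the token is gone
        con.execute("DELETE FROM tokens WHERE key = ?", (key,))
        return user
    finally:
        con.close()


def consume_atomic(path: str, key: str, login):
    """Fixed shape: lookup, login and delete in one transaction that holds the lock.
    A second request blocks at BEGIN IMMEDIATE until we commit, then finds no row."""
    con = connect(path)
    try:
        con.execute("BEGIN IMMEDIATE")  # stands in for select_for_update()
        try:
            user = lookup(con, key)
            if user is None:
                con.execute("ROLLBACK")
                return None
            login(user)
            con.execute("DELETE FROM tokens WHERE key = ?", (key,))
            con.execute("COMMIT")
            return user
        except Exception:
            con.execute("ROLLBACK")
            raise
    finally:
        con.close()


def race(consume, path: str, key: str = TOKEN) -> dict:
    """Two requests present the same token. B is released once A has passed its lookup
    and is still busy logging in, which is exactly the window the fix closes."""
    a_past_lookup = threading.Event()
    results = {}

    def login_a(user):
        a_past_lookup.set()
        time.sleep(HOLD_SECONDS)

    def run_a():
        results["A"] = consume(path, key, login_a)

    def run_b():
        a_past_lookup.wait()
        results["B"] = consume(path, key, lambda user: None)

    threads = [threading.Thread(target=run_a), threading.Thread(target=run_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    print("racy  :", race(consume_racy, make_db()))    # both requests log in as alice
    print("atomic:", race(consume_atomic, make_db()))  # only A succeeds; B gets None
```

The racy variant lets both requests return `alice` because the second lookup runs before the first request's `DELETE`; the atomic variant serialises the second request behind the lock so its lookup sees no row. The same reasoning is why the fix has to lock the row at the point of the first read rather than only wrapping the delete in a transaction.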
@kolega-ai-dev kolega-ai-dev requested a review from a team as a code owner February 3, 2026 08:39
netlify bot commented Feb 3, 2026

Deploy Preview for authentik-docs ready!

Name | Link
🔨 Latest commit | 27eeb7b
🔍 Latest deploy log | https://app.netlify.com/projects/authentik-docs/deploys/6981b461924662000737637b
😎 Deploy Preview | https://deploy-preview-19967--authentik-docs.netlify.app

@kolega-ai-dev kolega-ai-dev reopened this Feb 3, 2026
@BeryJu BeryJu changed the title from "security: prevent recovery token reuse via race condition" to "recovery: use token in transaction" Feb 3, 2026
@BeryJu BeryJu changed the title from "recovery: use token in transaction" to "recovery: consume token in transaction" Feb 3, 2026
@BeryJu BeryJu reopened this Feb 3, 2026
codecov bot commented Feb 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.22%. Comparing base (742472c) to head (27eeb7b).
⚠️ Report is 13 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #19967      +/-   ##
==========================================
- Coverage   93.26%   93.22%   -0.04%     
==========================================
  Files         968      968              
  Lines       53332    53391      +59     
==========================================
+ Hits        49738    49775      +37     
- Misses       3594     3616      +22     
Flag | Coverage Δ
conformance | 38.06% <12.50%> (-0.02%) ⬇️
e2e | 44.06% <12.50%> (-0.03%) ⬇️
integration | 22.86% <0.00%> (-0.06%) ⬇️
unit | 91.42% <100.00%> (+<0.01%) ⬆️
unit-migrate | 91.46% <100.00%> (+0.01%) ⬆️


@BeryJu BeryJu added area:backend backport/version-2025.10 Add this label to PRs to backport changes to version-2025.10 backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12 labels Feb 3, 2026
@BeryJu BeryJu merged commit 5c5415b into goauthentik:main Feb 3, 2026
106 checks passed
authentik-automation bot pushed a commit that referenced this pull request Feb 3, 2026
security: prevent recovery token reuse via race condition

Token validation, user login, and token deletion were performed as
separate non-atomic operations, allowing concurrent requests to reuse
a single recovery token. Wrapped the operation in transaction.atomic()
with select_for_update() to ensure exclusive access during token use.

Co-authored-by: kolega.dev <faizan@kolega.ai>
BeryJu pushed a commit that referenced this pull request Feb 3, 2026
…-2025.10) (#19981)

recovery: consume token in transaction (#19967)

security: prevent recovery token reuse via race condition

Token validation, user login, and token deletion were performed as
separate non-atomic operations, allowing concurrent requests to reuse
a single recovery token. Wrapped the operation in transaction.atomic()
with select_for_update() to ensure exclusive access during token use.

Co-authored-by: Kolega.dev <security@kolega.ai>
Co-authored-by: kolega.dev <faizan@kolega.ai>
@BeryJu BeryJu added backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12 and removed backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12 labels Feb 3, 2026
authentik-automation bot pushed a commit that referenced this pull request Feb 3, 2026
security: prevent recovery token reuse via race condition

Token validation, user login, and token deletion were performed as
separate non-atomic operations, allowing concurrent requests to reuse
a single recovery token. Wrapped the operation in transaction.atomic()
with select_for_update() to ensure exclusive access during token use.

Co-authored-by: kolega.dev <faizan@kolega.ai>
@authentik-automation (Contributor) commented Feb 3, 2026

🍒 Cherry-pick to version-2025.12 created: #19986

BeryJu pushed a commit that referenced this pull request Feb 3, 2026
…-2025.12) (#19986)

recovery: consume token in transaction (#19967)

security: prevent recovery token reuse via race condition

Token validation, user login, and token deletion were performed as
separate non-atomic operations, allowing concurrent requests to reuse
a single recovery token. Wrapped the operation in transaction.atomic()
with select_for_update() to ensure exclusive access during token use.

Co-authored-by: Kolega.dev <security@kolega.ai>
Co-authored-by: kolega.dev <faizan@kolega.ai>
kensternberg-authentik added a commit that referenced this pull request Feb 4, 2026
* main: (26 commits)
  providers/saml: auto pull signature algorithm options (#17614)
  core, web: bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in /packages/prettier-config (#19990)
  web: bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in /web (#19989)
  stages/authenticator_webauthn: fix double JSON encoding of webauthn options (#19952)
  core: bump django from 5.2.10 to 5.2.11 (#19988)
  ci: allow setting assignee to fail (#19985)
  root: revert enterprise loading behaviour (#19485)
  web/flows: update flow background (#19974)
  providers/oauth2: use compare_digest for client_secret comparison (#19979)
  recovery: consume token in transaction (#19967)
  core: ask for token duration on recovery link/email by admin (#19875)
  core: bump aws-cdk-lib from 2.236.0 to 2.237.0 (#19958)
  web: bump the storybook group across 1 directory with 5 updates (#19960)
  core: bump library/nginx from `c881927` to `7fe5dda` in /website (#19961)
  core: bump gunicorn from 25.0.0 to 25.0.1 (#19959)
  core: bump goauthentik.io/api/v3 to 3.2026.2.0-rc1-1770129730 (#19973)
  lifecycle: bump shm size (#19369)
  crypto: Add ED25519 and ED448 support to the certificate builder (#19465)
  web/admin: Register stage elements. Fix linter warnings (#19948)
  web: bump knip from 5.82.1 to 5.83.0 in /web (#19962)
  ...