From 63dbcd37de009be2fdde7871caf66a416ea88a02 Mon Sep 17 00:00:00 2001
From: "authentik-automation[bot]" <135050075+authentik-automation[bot]@users.noreply.github.com>
Date: Tue, 12 May 2026 20:15:05 +0200
Subject: [PATCH] internal: Automated internal backport: CVE-2026-40166.sec.patch to authentik-2025.12 (#22276)

Automated internal backport of patch CVE-2026-40166.sec.patch to authentik-2025.12

Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
---
 authentik/providers/oauth2/api/tokens.py | 4 +--
 schema.yml | 4 +--
 website/docs/security/cves/CVE-2026-40166.md | 27 ++++++++++++++++++++
 3 files changed, 31 insertions(+), 4 deletions(-)
 create mode 100644 website/docs/security/cves/CVE-2026-40166.md

diff --git a/authentik/providers/oauth2/api/tokens.py b/authentik/providers/oauth2/api/tokens.py
index ba77860573..8c93337b6c 100644
--- a/authentik/providers/oauth2/api/tokens.py
+++ b/authentik/providers/oauth2/api/tokens.py
@@ -9,10 +9,10 @@ from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import GenericViewSet
+from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
-from authentik.providers.oauth2.api.providers import OAuth2ProviderSerializer
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
@@ -20,7 +20,7 @@ class ExpiringBaseGrantModelSerializer(ModelSerializer, MetaNameSerializer):
     """Serializer for BaseGrantModel and ExpiringBaseGrant"""
     user = UserSerializer()
-    provider = OAuth2ProviderSerializer()
+    provider = ProviderSerializer()
     scope = ListField(child=CharField())
     class Meta:
diff --git a/schema.yml b/schema.yml
index 5c64df5705..33d0e49bb0 100644
--- a/schema.yml
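Review bot: The swap to `ProviderSerializer` on the `provider = ...` line in the second hunk is the entire fix, yet the diffstat lists only tokens.py, schema.yml and the advisory, so no regression test pins the property that the nested provider object no longer carries `client_secret`; a later serializer change could reintroduce the leak silently. A test that lists `/api/v3/oauth2/access_tokens/` as a non-admin user holding a token for a `client_type: confidential` provider and asserts `"client_secret" not in response["results"][0]["provider"]` would make that explicit. The fix also assumes the base `ProviderSerializer` itself never emits `client_secret`, which is not visible here and deserves a why-comment on the field, e.g. `# base ProviderSerializer only: OAuth2ProviderSerializer exposes client_secret (CVE-2026-40166)`. ExpiringBaseGrantModelSerializer's body continues outside the hunk, and since its docstring says it serves both BaseGrantModel and ExpiringBaseGrant, the refresh-token listing presumably changes shape too, although the advisory names only the access-token endpoint.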
+++ b/schema.yml
@@ -37591,7 +37591,7 @@ components:
           readOnly: true
           title: ID
         provider:
-          $ref: '#/components/schemas/OAuth2Provider'
+          $ref: '#/components/schemas/Provider'
         user:
           $ref: '#/components/schemas/User'
         is_expired:
@@ -54639,7 +54639,7 @@ components:
           readOnly: true
           title: ID
         provider:
-          $ref: '#/components/schemas/OAuth2Provider'
+          $ref: '#/components/schemas/Provider'
         user:
           $ref: '#/components/schemas/User'
         is_expired:
diff --git a/website/docs/security/cves/CVE-2026-40166.md b/website/docs/security/cves/CVE-2026-40166.md
new file mode 100644
index 0000000000..7668bce31f
--- /dev/null
+++ b/website/docs/security/cves/CVE-2026-40166.md
@@ -0,0 +1,27 @@
+# CVE-2026-40166
+
+_Reported by [@Colbascov](https://github.com/Colbascov)_
+
+## Non-admin users can read confidential OAuth provider client secrets via the access token endpoint
+
+### Summary
+
+Authenticated non-admin users with at least one OAuth2 access token can retrieve the `client_secret` of confidential OAuth2 providers they have previously authenticated against, via `GET /api/v3/oauth2/access_tokens/`. The API response includes a nested `provider` object containing `client_id` and `client_secret` for providers configured with `client_type: confidential`, which should not be accessible to low-privilege users.
+
+### Patches
+
+authentik 2025.12.5 and 2026.2.3 fix this issue; for other versions the workaround can be used.
+
+### Impact
+
+Any authenticated non-admin user who has previously completed an OAuth2 flow against a confidential provider — and therefore has an access token object returned by `/api/v3/oauth2/access_tokens/` — can read that provider's `client_secret`. Exposure is limited to providers the user has access to and has logged into at least once; users cannot read secrets for providers they have never authenticated against. This could allow unauthorized reuse of confidential client credentials depending on the provider configuration.
+
+### Workarounds
+
+Restrict API access to `/api/v3/oauth2/access_tokens/` for non-admin users, or review and limit which users are permitted to complete OAuth2 flows against confidential providers until a patched version can be applied.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+- Email us at [[security@goauthentik.io](mailto:security@goauthentik.io)](mailto:security@goauthentik.io)