# CVE-2023-39522

_Reported by [@markrassamni](https://github.com/markrassamni)_

## Username enumeration attack

### Summary

Using a recovery flow with an identification stage an attacker is able to determine if a username exists.

### Patches

authentik 2023.5.6 and 2023.6.2 fix this issue.

### Impact

Only setups configured with a recovery flow are impacted by this.

### Details

An attacker can easily enumerate and check users' existence using the recovery flow, as a clear message is shown when a user doesn't exist. Depending on configuration this can either be done by username, email, or both.

### For more information

If you have any questions or comments about this advisory:

-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)