Skip to content

[GHSA-vmf9-6pcv-xr87] Username enumeration attack in goauthentik#8720

Open
emilburzo wants to merge 1 commit into
emilburzo/advisory-improvement-8720from
emilburzo-GHSA-vmf9-6pcv-xr87
Open

[GHSA-vmf9-6pcv-xr87] Username enumeration attack in goauthentik#8720
emilburzo wants to merge 1 commit into
emilburzo/advisory-improvement-8720from
emilburzo-GHSA-vmf9-6pcv-xr87

Conversation

@emilburzo

Copy link
Copy Markdown

Updates

  • Affected products

Comments
The initial advisory incorrectly listed an npm ecosystem package. It has since been fixed on the repository advisory to Other.

How can we fix this one in the GitHub Advisory Database?

I've changed the package name to an invalid one since I wasn't able to specify Other, but I'm not sure that's the best way to handle it?

@github

github commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Hi there @BeryJu! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

Copilot AI review requested due to automatic review settings July 16, 2026 13:41
@github-actions github-actions Bot changed the base branch from main to emilburzo/advisory-improvement-8720 July 16, 2026 13:42

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Corrects the affected product metadata for a goauthentik advisory, but substitutes fabricated npm package names instead of representing the upstream Other ecosystem.

Changes:

  • Updates the advisory modification timestamp.
  • Replaces both affected package names with nonexistent npm package names.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

"package": {
"ecosystem": "npm",
"name": "@goauthentik/api"
"name": "@goauthentik/api-doesnotexist"
"package": {
"ecosystem": "npm",
"name": "@goauthentik/api"
"name": "@goauthentik/api-doesnotexist"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants