CVE-2026-25748

High CVSS: 8.6

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.

Vendor

Goauthentik

Product

Authentik

CWE

CWE-287

Yayın Tarihi

2026-02-12 20:16:10

Güncelleme

2026-02-19 15:23:42

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-287 Authentik HIGH Goauthentik 2026

Referanslar

https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4 https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4 https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp

Benzer Kayıtlar

Critical

CVE-2026-25227

authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using de…

High

CVE-2026-25922

authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source tha…

Medium

CVE-2025-64521

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client…

Medium

CVE-2025-64708

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions,…

High

CVE-2025-53942

authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set o…

Medium

CVE-2025-52553

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token whi…