We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-29928

authentik's deletion of sessions did not revoke sessions when using database session storage



Description

authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate.

Reserved 2025-03-12 | Published 2025-03-28 | Updated 2025-03-28 | Assigner GitHub_M


HIGH: 8.0CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Problem types

CWE-384: Session Fixation

Product status

< 2024.12.4
affected

< 2025.2.3
affected

References

github.com/...hentik/security/advisories/GHSA-p6p8-f853-9g2p

github.com/...ommit/71294b7deb6eb5726a782de83b957eaf25fc4cf6

cve.org (CVE-2025-29928)

nvd.nist.gov (CVE-2025-29928)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-29928

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.