CVE-2026-25748 | THREATINT

Description

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.

PUBLISHED Reserved 2026-02-05 | Published 2026-02-12 | Updated 2026-02-17 | Assigner GitHub_M

HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-287: Improper Authentication

Product status

>= 2025.10.0-rc1, < 2025.10.4

affected

>= 2025.10.0-rc1, < 2025.12.4

affected

References

github.com/...hentik/security/advisories/GHSA-fj56-5763-j8pp

github.com/...entik/authentik/releases/tag/version/2025.10.4

github.com/...entik/authentik/releases/tag/version/2025.12.4

cve.org (CVE-2026-25748)

nvd.nist.gov (CVE-2026-25748)

Download JSON