Description

authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate.

INFO

Published Date :

2025-03-28T14:42:39.542Z

Last Modified :

2025-03-28T15:41:39.773Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-29928 vulnerability.

Vendors Products
Goauthentik
  • Authentik
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-29928.

URL Resource
https://github.com/goauthentik/authentik/commit/71294b7deb6eb5726a782de83b957eaf25fc4cf6 cve-icon cve-icon
https://github.com/goauthentik/authentik/security/advisories/GHSA-p6p8-f853-9g2p cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact