Description

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.

INFO

Published Date :

2026-02-12T19:36:45.631Z

Last Modified :

2026-02-17T15:53:01.301Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25748 vulnerability.

Vendors Products
Goauthentik
  • Authentik
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25748.

URL Resource
https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4 cve-icon cve-icon
https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4 cve-icon cve-icon
https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact