mirror of
https://github.com/goauthentik/authentik
synced 2026-04-28 02:18:11 +02:00
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
# CVE-2026-25748

_Reported by [@imlonghao](https://github.com/imlonghao)_

## Forward authentication bypass with malformed session cookie on Traefik and Caddy

### Summary

A malformed session cookie made it possible to bypass authentication when the authentik **Proxy Provider** is used in forward authentication mode with Traefik or Caddy as the reverse proxy. When such a cookie was presented, the request was let through to the upstream application without any of the authentik-specific `X-Authentik-*` headers being set. Depending on how the application treats those headers, this can grant an unauthenticated attacker access.

### Patches

authentik 2025.10.4 and 2025.12.4 fix this issue.

### Impact

The impact depends on how the application behind the Proxy Provider handles the identity headers. An application that relies on the reverse proxy to enforce authentication and does not itself require an `X-Authentik-*` header to be present can potentially be accessed in full by an unauthenticated attacker. An application that refuses requests without such a header is exposed only to the extent that it fails open when the header is missing.
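As an added illustration of the distinction this section draws (example code written for this page, not authentik's own): a small Go middleware for an application sitting behind the Proxy Provider that refuses any request lacking `X-Authentik-Username`, and optionally any request whose TCP peer is not the reverse proxy, so the header cannot simply be forged by a direct client. The trusted proxy networks and the listen address are assumptions. A check like this limits the exposure to a "headers missing" failure; it is defense in depth and does not replace upgrading to the fixed releases.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// HeaderUsername is the identity header the authentik Proxy Provider sets on
// requests it has authenticated. Its absence on a request that reached the
// application means the proxy did not authenticate the caller.
const HeaderUsername = "X-Authentik-Username"

// IdentityGuard wraps an application handler behind a forward-auth reverse
// proxy. It rejects requests that carry no identity header and, when trusted
// networks are configured, requests that did not arrive from the proxy.
type IdentityGuard struct {
	trusted []*net.IPNet // nil means "do not check the peer address"
	next    http.Handler
}

// NewIdentityGuard parses the trusted proxy CIDRs (for example the Docker
// network Traefik or Caddy runs in) and wraps next. No CIDRs skips the check.
func NewIdentityGuard(next http.Handler, trustedCIDRs ...string) (*IdentityGuard, error) {
	g := &IdentityGuard{next: next}
	for _, c := range trustedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad trusted proxy CIDR %q: %w", c, err)
		}
		g.trusted = append(g.trusted, n)
	}
	return g, nil
}

// fromTrustedProxy reports whether the TCP peer is inside a trusted network.
func (g *IdentityGuard) fromTrustedProxy(remoteAddr string) bool {
	if g.trusted == nil {
		return true
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range g.trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Check returns the authenticated username, or an error saying why the
// request must be refused. Kept separate from ServeHTTP so it can be tested.
func (g *IdentityGuard) Check(r *http.Request) (string, error) {
	if !g.fromTrustedProxy(r.RemoteAddr) {
		return "", fmt.Errorf("peer %s is not a trusted proxy", r.RemoteAddr)
	}
	user := strings.TrimSpace(r.Header.Get(HeaderUsername))
	if user == "" {
		return "", fmt.Errorf("missing %s: proxy did not authenticate this request", HeaderUsername)
	}
	return user, nil
}

// ServeHTTP fails closed: no identity, no access. The reason is logged
// server-side rather than echoed to the client.
func (g *IdentityGuard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if _, err := g.Check(r); err != nil {
		log.Printf("rejected %s %s: %v", r.Method, r.URL.Path, err)
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	g.next.ServeHTTP(w, r)
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s\n", r.Header.Get(HeaderUsername))
	})
	// Assumption: the reverse proxy reaches this app from these networks.
	guard, err := NewIdentityGuard(app, "10.0.0.0/8", "127.0.0.0/8")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:9000", guard))
}
```

The peer-address check matters because once an application starts trusting `X-Authentik-*` headers, anyone who can reach it without going through the proxy can set them; the guard therefore rejects identity headers from anywhere but the proxy's own network.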

### Workarounds

There are no workarounds. If an upgrade is not possible, it is recommended to deactivate the reverse proxy entries for any applications using forward authentication until authentik can be upgraded.

### For more information

If you have any questions or comments about this advisory:

- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).