Description
authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.
Published: 2026-02-12
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass enabling unauthorized access
Action: Patch
AI Analysis

Impact

Authentik, an open‑source identity provider, is vulnerable to a forward authentication bypass. When a cookie is malformed, the authentik Proxy Provider used with Traefik or Caddy does not populate the required X-Authentik-* headers. This flaw allows an attacker to successfully authenticate without possessing valid credentials, thereby gaining potentially full application access. The weakness is a credential management flaw (CWE‑287).

Affected Systems

All installations of authentik before versions 2025.10.4 and 2025.12.4 that employ forward authentication with a Traefik or Caddy reverse proxy are affected. These older releases do not enforce proper cookie validation before setting the authentication headers. Updated releases starting with 2025.10.4 and 2025.12.4 contain the fix.

Risk and Exploitability

The vulnerability scores a CVSS of 8.6, indicating high severity. Its EPSS score is below 1 %, suggesting a low yet non‑zero likelihood of exploitation in the wild, and it is not currently listed in the CISA KEV catalog. An attacker only needs to craft a malicious cookie and send it to the proxy; no additional privileges are required. If successful, the attacker can take over the application session and bypass normal security controls.

Generated by OpenCVE AI on April 17, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade authentik to version 2025.10.4 or later to apply the vendor patch that restores proper cookie validation and header generation.
  • Re‑configure the reverse proxy to enforce validation of the X-Authentik-* headers, ensuring that only authenticated requests contain the expected header values.
  • Regularly review authentication logs for patterns of missing or malformed headers, and investigate any anomalous access attempts promptly.

Generated by OpenCVE AI on April 17, 2026 at 20:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Goauthentik
Goauthentik authentik
Vendors & Products Goauthentik
Goauthentik authentik

Thu, 12 Feb 2026 19:45:00 +0000

Type Values Removed Values Added
Description authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.
Title authentik has a forward authentication bypass with broken cookie
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Goauthentik Authentik
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-17T15:53:01.301Z

Reserved: 2026-02-05T18:35:52.356Z

Link: CVE-2026-25748

cve-icon Vulnrichment

Updated: 2026-02-17T15:52:58.083Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-12T20:16:10.473

Modified: 2026-02-19T15:23:42.360

Link: CVE-2026-25748

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:15:26Z

Weaknesses