CVE-2026-25748

HIGH

authentik <2025.10.4, <2025.12.4 - Auth Bypass

Title source: llm

Description

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.

References (3)

Scores

CVSS v3 8.6
EPSS 0.0003
EPSS Percentile 9.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Classification

CWE
CWE-287
Status published

Affected Products (1)

goauthentik/authentik < 2025.10.4

Timeline

Published Feb 12, 2026
Tracked Since Feb 18, 2026