8.6
CVE-2026-25748
- EPSS 0.48%
- Published 12.02.2026 19:36:45
- Last modified 19.02.2026 15:23:42
- Source security-advisories@github.com
authentik has a forward authentication bypass with broken cookie
authentik is an open-source identity provider. Prior to versions 2025.10.4 and 2025.12.4, a malformed cookie made it possible to bypass authentication when the authentik Proxy Provider was used in forward-authentication mode behind Traefik or Caddy as the reverse proxy. When such a cookie was presented, the request was passed on to the application with none of the authentik-specific X-Authentik-* headers set; depending on how the downstream application treats a request without identity headers, this can grant an attacker access. authentik 2025.10.4 and 2025.12.4 fix this issue.
Data provided by the National Vulnerability Database (NVD)
Goauthentik ≫ Authentik Version < 2025.10.4
Goauthentik ≫ Authentik Version >= 2025.12.0 < 2025.12.4
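The block below is an added example written for this entry; it is not code from the advisory, from NVD, or from the authentik project. It does two things a practitioner would want around this CVE: an `is_affected()` check that maps a version string onto the two affected ranges listed above, and a fail-closed WSGI middleware for an application that sits behind the Proxy Provider in forward-auth mode. The advisory's key point is that the bypassed request arrived at the application with none of the X-Authentik-* headers, so the middleware refuses any request that lacks them rather than treating "no identity headers" as an anonymous-but-allowed request. The exact header names checked (X-Authentik-Username, X-Authentik-Uid), the constructed sample requests and the hello-world app are assumptions of this example.

```python
"""Added example for CVE-2026-25748; not from the advisory or authentik itself.

1. is_affected(): is an authentik version inside the affected ranges listed
   on this page (< 2025.10.4, or >= 2025.12.0 and < 2025.12.4)?
2. require_identity(): fail-closed WSGI middleware for an app behind the
   authentik Proxy Provider in forward-auth mode. A request without the
   identity headers the outpost normally sets is rejected with 401.
   The header names used here are an assumption of this example.
"""
import re

_VERSION_RE = re.compile(r"^(?:version/)?(\d+)\.(\d+)\.(\d+)")

# Affected ranges exactly as listed on this page. None = no lower bound.
AFFECTED_RANGES = (
    (None, (2025, 10, 4)),            # every release before 2025.10.4
    ((2025, 12, 0), (2025, 12, 4)),   # 2025.12.0 up to, not including, 2025.12.4
)


def parse_version(version):
    """'2025.12.3' or 'version/2025.12.3' -> (2025, 12, 3); raises on junk."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not an authentik version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if `version` falls inside one of AFFECTED_RANGES."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return True
    return False


# Identity headers expected on an authenticated forward-auth request, in the
# form a WSGI app sees them (HTTP_ prefix, dashes -> underscores, uppercase).
# Which headers to require is an assumption; adjust to what your proxy copies.
REQUIRED_IDENTITY_HEADERS = ("HTTP_X_AUTHENTIK_USERNAME", "HTTP_X_AUTHENTIK_UID")


def identity_decision(environ):
    """'allow' only when every required identity header is present and non-empty."""
    for name in REQUIRED_IDENTITY_HEADERS:
        if not environ.get(name):
            return "deny"
    return "allow"


def require_identity(app):
    """Wrap a WSGI app so a request lacking authentik identity headers is a 401."""
    def wrapped(environ, start_response):
        if identity_decision(environ) != "allow":
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"missing upstream identity headers\n"]
        return app(environ, start_response)
    return wrapped


def _hello(environ, start_response):
    """Minimal protected app (assumed): greets whoever the proxy says is logged in."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['HTTP_X_AUTHENTIK_USERNAME']}\n".encode()]


def call(app, environ):
    """Drive a WSGI app without a server; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def demo():
    """Two constructed requests: one as a healthy outpost forwards it, one as
    the bypass leaves it (let through, but with no X-Authentik-* headers)."""
    app = require_identity(_hello)
    good = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
            "HTTP_X_AUTHENTIK_USERNAME": "alice",
            "HTTP_X_AUTHENTIK_UID": "assumed-uid-0001"}
    bypassed = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    return [call(app, good)[0], call(app, bypassed)[0]]


if __name__ == "__main__":
    for v in ("2025.10.3", "2025.10.4", "2025.12.0", "2025.12.4"):
        print(v, "affected" if is_affected(v) else "not in affected range")
    print(demo())
```

The middleware is defence in depth, not a substitute for upgrading to 2025.10.4 or 2025.12.4. It only helps if the identity headers actually reach the application (in Traefik that is the forwardAuth middleware's authResponseHeaders list, in Caddy the forward_auth directive's copy_headers) and if client-supplied X-Authentik-* headers are overwritten by the proxy rather than passed through untouched; otherwise an attacker could supply the headers themselves.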
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.48% | 0.375 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| security-advisories@github.com | 8.6 | 3.9 | 4.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4
https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4
https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp