{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25748", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T18:35:52.356Z", "datePublished": "2026-02-12T19:36:45.631Z", "dateUpdated": "2026-02-17T15:53:01.301Z"}, "containers": {"cna": {"title": "authentik has a forward authentication bypass with broken cookie", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp"}, {"name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4"}, {"name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4"}], "affected": [{"vendor": "goauthentik", "product": "authentik", "versions": [{"version": ">= 2025.10.0-rc1, < 2025.10.4", "status": "affected"}, {"version": ">= 2025.10.0-rc1, < 2025.12.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T19:36:45.631Z"}, "descriptions": [{"lang": "en", "value": "authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue."}], "source": {"advisory": "GHSA-fj56-5763-j8pp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:52:54.989237Z", "id": "CVE-2026-25748", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:53:01.301Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25748", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:52:54.989237Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:52:58.083Z"}}], "cna": {"title": "authentik has a forward authentication bypass with broken cookie", "source": {"advisory": "GHSA-fj56-5763-j8pp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "goauthentik", "product": "authentik", "versions": [{"status": "affected", "version": ">= 2025.10.0-rc1, < 2025.10.4"}, {"status": "affected", "version": ">= 2025.10.0-rc1, < 2025.12.4"}]}], "references": [{"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp", "name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4", "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4", "name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T19:36:45.631Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25748", "state": "PUBLISHED", "dateUpdated": "2026-02-17T15:53:01.301Z", "dateReserved": "2026-02-05T18:35:52.356Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T19:36:45.631Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "D68BD58B-CB50-411F-862F-FF4F4F984239", "versionEndExcluding": "2025.10.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "A59D4BC9-5FAE-4A4F-A109-D754BD80A10C", "versionEndExcluding": "2025.12.4", "versionStartIncluding": "2025.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue."}], "id": "CVE-2026-25748", "lastModified": "2026-02-19T15:23:42.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-12T20:16:10.473", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.10.0-rc1,2025.10.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.10.0-rc1,2025.12.4)"}}], "product": "authentik", "vendor": "goauthentik"}], "analysis": {"en": {"generated_at": "2026-04-17T20:01:28.955789+00:00", "value": {"mitigation_remediation": ["Upgrade authentik to version 2025.10.4 or later to apply the vendor patch that restores proper cookie validation and header generation.", "Re\u2011configure the reverse proxy to enforce validation of the X-Authentik-* headers, ensuring that only authenticated requests contain the expected header values.", "Regularly review authentication logs for patterns of missing or malformed headers, and investigate any anomalous access attempts promptly."], "summary": {"action": "Patch", "impact": "Authentication Bypass enabling unauthorized access"}, "threat_synthesis": {"affected_systems": "All installations of authentik before versions 2025.10.4 and 2025.12.4 that employ forward authentication with a Traefik or Caddy reverse proxy are affected. These older releases do not enforce proper cookie validation before setting the authentication headers. Updated releases starting with 2025.10.4 and 2025.12.4 contain the fix.", "description_and_impact": "Authentik, an open\u2011source identity provider, is vulnerable to a forward authentication bypass. When a cookie is malformed, the authentik Proxy Provider used with Traefik or Caddy does not populate the required X-Authentik-* headers. This flaw allows an attacker to successfully authenticate without possessing valid credentials, thereby gaining potentially full application access. The weakness is a credential management flaw (CWE\u2011287).", "risk_and_exploitability": "The vulnerability scores a CVSS of 8.6, indicating high severity. Its EPSS score is below 1\u202f%, suggesting a low yet non\u2011zero likelihood of exploitation in the wild, and it is not currently listed in the CISA KEV catalog. An attacker only needs to craft a malicious cookie and send it to the proxy; no additional privileges are required. If successful, the attacker can take over the application session and bypass normal security controls."}}}}, "created": "2026-02-13T21:29:31.263579+00:00", "updated": "2026-04-17T20:15:26.986786+00:00", "vendors": ["goauthentik", "goauthentik$PRODUCT$authentik"]}