PT-2025-12554 · Authentik · Authentik
Published 2025-03-23 · Updated 2026-04-16
CVE-2025-29928
| CVSS v3.1 | 8.0 (High) |
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
authentik versions prior to 2024.12.4
authentik versions prior to 2025.2.3
Description
The issue arises when authentik is configured to use the database for session storage, which is not the default setting. In this configuration, deleting a session through the web interface or the API does not actually revoke it, so the holder of that session can continue to access authentik.
Recommendations
For versions prior to 2024.12.4 and 2025.2.3, switch to cache-based session storage until an upgrade to a fixed version is possible, noting that this will delete all existing sessions and require users to re-authenticate.
Upgrade to version 2024.12.4 or 2025.2.3 to fix the issue.
Exploit
Fix
Session Fixation
Weakness Enumeration
Related Identifiers
Affected Products
Authentik