CVE-2026-25748
HIGH WAF: Low
CVSS 7.5
Published: 2026-02-12
CWE-287
authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.
WAF Coverage Analysis
Improper Authentication
Low WAF Coverage
OWASP: A07:2021 Identification and Authentication Failures
Affected Software
| Vendor | Product | Version |
|---|---|---|
| goauthentik | authentik | up to 2025.10.4 |
| goauthentik | authentik | 2025.12.0 - 2025.12.4 |
References
- github.com (Product, Release Notes)
- github.com (Product, Release Notes)
- github.com (Vendor Advisory)