CVE-2025-29928

March 28, 2025, 6:11 p.m.

8.0
High

Description

authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate.

Product(s) Impacted

Vendor Product Versions
Authentik
  • Authentik
  • <2024.12.4, 2024.12.4, <2025.2.3, 2025.2.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-384
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a authentik authentik <2024.12.4 / / / / / / /
a authentik authentik 2024.12.4 / / / / / / /
a authentik authentik <2025.2.3 / / / / / / /
a authentik authentik 2025.2.3 / / / / / / /

References

https://github.com/goauthentik/authentik/commit/71294b7deb6eb5726a782de83b957eaf25fc4cf6
https://github.com/goauthentik/authentik/security/advisories/GHSA-p6p8-f853-9g2p

Tags

security-advisories@github.com
CWE-384
2025-03-28
CVE-2025-29928

CVSS Score

8.0 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

    View Vector String

Timeline

Published: March 28, 2025, 3:15 p.m.
Last Modified: March 28, 2025, 6:11 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.