Malformed cookie bypasses authentik authentication with some proxies
CVE-2026-25748 · BIT-authentik-2026-25748 · CVSS 7.5
Summary
An attacker could create a malformed cookie that bypasses authentik authentication when using certain reverse proxies. This could give an attacker access to your application. Update to authentik 2025.10.4 or 2025.12.4 to fix this issue.
What to do
- Update authentik to version 2025.12.4.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Notes |
|---|---|---|---|---|
| – | goauthentik | authentik | < 2025.10.4; >= 2025.12.0, < 2025.12.4 | cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:* |
| Bitnami | – | authentik | >= 2025.10.0, < 2025.12.4 | Fix: upgrade to 2025.12.4 |
Original title
authentik has a forward authentication bypass with broken cookie
Original description
authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, a malformed cookie made it possible to bypass authentication when using forward authentication in the authentik Proxy Provider together with Traefik or Caddy as the reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set, which, depending on the application, can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.
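The description above shows why the application behind the proxy matters: if it serves requests that arrive without any X-Authentik-* identity headers, a bypass at the proxy becomes anonymous access. The following Go middleware, written here as an added example and not code from the authentik project, makes the application fail closed: it rejects and logs any request that lacks the identity headers it expects. The header names `X-Authentik-Username` and `X-Authentik-Uid` are an assumption for the example; the advisory only refers to them collectively as X-Authentik-*.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// identityHeaders are the forward-auth headers the app requires before it
// treats a request as authenticated. The exact names are an assumption for
// this example; the advisory only calls them X-Authentik-*.
var identityHeaders = []string{"X-Authentik-Username", "X-Authentik-Uid"}

// requireAuthentikIdentity wraps an application handler so that a request
// reaching the app without the identity headers (the condition the advisory
// describes) is rejected rather than served anonymously.
func requireAuthentikIdentity(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, h := range identityHeaders {
			if strings.TrimSpace(r.Header.Get(h)) == "" {
				// Fail closed and log it: a missing identity header behind a
				// forward-auth proxy is either a misconfiguration or a bypass.
				log.Printf("rejecting %s %s: missing %s", r.Method, r.URL.Path, h)
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed request carrying the given headers through
// the middleware and returns the resulting status code.
func statusFor(headers map[string]string) int {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	requireAuthentikIdentity(app).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	log.Println("no identity headers:", statusFor(nil))
	log.Println("with identity headers:", statusFor(map[string]string{
		"X-Authentik-Username": "alice", "X-Authentik-Uid": "u1"}))
}
```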
NVD CVSS 3.1: 7.5
Vulnerability type
CWE-287: Improper Authentication
- https://github.com/goauthentik/authentik/releases/tag/version%2F2025.10.4 Product Release Notes
- https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.4 Product Release Notes
- https://github.com/goauthentik/authentik/security/advisories/GHSA-fj56-5763-j8pp Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-25748 URL
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 6 Mar 2026