Authentik: Inadequate Session Deletion in Database Storage
CVE-2025-29928
BIT-authentik-2025-29928
Summary
If you're using authentik's non-default database session storage, deleting a session (via the web interface or the API) does not actually revoke it, so the session holder keeps access to authentik after the deletion. To fix this, update to version 2024.12.4 or 2025.2.3. As an interim measure you can switch to the cache-based session storage, but be aware that doing so deletes all existing sessions and forces every user to re-authenticate.
What to do
- Update authentik to version 2025.2.3.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| – | goauthentik | authentik | < 2024.12.4; >= 2025.2.0, < 2025.2.3 (cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*) |
| Bitnami | – | authentik | >= 2025.0.0, < 2025.2.3 (fix: upgrade to 2025.2.3) |
Original title
authentik's deletion of sessions did not revoke sessions when using database session storage
Original description
authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate.
NVD CVSS 3.1 base score
8.0
Vulnerability type
CWE-384
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 7 Mar 2026