CVE-2025-29928

Published: Mar 28, 2025

Modified: Mar 28, 2025

PUBLISHED

CVSS v3.1

8.0

HIGH

Description

authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate.

Vendor	Product	Versions
goauthentik	authentik	affected `< 2024.12.4` affected `< 2025.2.3`

Weaknesses (CWE)

CWE-384

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/goauthentik/authentik/security/advisories/GHSA-p6p8-f853-9g2p

x_refsource_CONFIRM

https://github.com/goauthentik/authentik/commit/71294b7deb6eb5726a782de83b957eaf25fc4cf6

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-29928

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References