Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can allow an attacker to bypass authentication without any privileges or user interaction by exploiting malformed cookies. As a result, unauthorized users may gain access to sensitive data or resources that should be protected by authentik's authentication mechanisms."}, {'type': 'paragraph', 'content': 'The impact is significant because the confidentiality of sensitive information can be compromised, although integrity and availability are not affected.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Executive Summary

CVE-2026-25748 is a high-severity vulnerability in the authentik Proxy Provider when used with Traefik or Caddy as reverse proxies. The issue occurs due to the handling of malformed session cookies. When a maliciously crafted cookie is presented, authentik fails to set the expected X-Authentik-* headers. Since some applications rely on these headers for authentication, their absence can allow attackers to bypass authentication and gain unauthorized access.

This vulnerability affects all authentik versions up to and including 2025.10.3 and 2025.12.3 and is fixed in versions 2025.10.4 and 2025.12.4.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the absence of expected X-Authentik-* headers when a malformed cookie is used during forward authentication with authentik Proxy Provider behind Traefik or Caddy reverse proxies.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your network or system, you can monitor HTTP requests passing through your reverse proxy and check for authentication requests where the X-Authentik-* headers are missing despite the presence of session cookies.'}, {'type': 'paragraph', 'content': 'A practical approach is to capture and inspect HTTP headers for requests to your protected applications. For example, using command-line tools like curl or tcpdump combined with grep or similar tools:'}, {'type': 'list_item', 'content': 'Use curl to send a request with a malformed or suspicious cookie and observe if the X-Authentik-* headers are set: curl -v --cookie "malformed_cookie=1" https://your-protected-app.example.com'}, {'type': 'list_item', 'content': "Use tcpdump or tshark to capture HTTP traffic and filter for missing X-Authentik-* headers in requests: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -B 5 -A 5 'Cookie:'"}, {'type': 'paragraph', 'content': 'If you observe requests with cookies but without the expected X-Authentik-* headers, this may indicate exploitation attempts or the presence of the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade authentik to version 2025.10.4 or 2025.12.4, where the vulnerability has been fixed.

If upgrading immediately is not possible, it is advised to disable reverse proxy entries for applications using forward authentication to prevent exploitation.

There are no known workarounds other than applying the patch or disabling the affected proxy configurations.

Useful 0 Not Useful 0