CVE-2026-25748
Authentication Bypass via Malformed Cookie in authentik Proxy Provider
Publication date: 2026-02-12
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goauthentik | authentik | From 2025.12.0 (inc) to 2025.12.4 (exc) |
| goauthentik | authentik | Up to 2025.10.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass authentication without any privileges or user interaction by exploiting malformed cookies. As a result, unauthorized users may gain access to sensitive data or resources that should be protected by authentik's authentication mechanisms.

The impact is significant because the confidentiality of sensitive information can be compromised, although integrity and availability are not affected. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
CVE-2026-25748 is a high-severity vulnerability in the authentik Proxy Provider when used with Traefik or Caddy as reverse proxies. The issue occurs due to the handling of malformed session cookies. When a maliciously crafted cookie is presented, authentik fails to set the expected X-Authentik-* headers. Since some applications rely on these headers for authentication, their absence can allow attackers to bypass authentication and gain unauthorized access.
This vulnerability affects all authentik versions up to and including 2025.10.3 and 2025.12.3 and is fixed in versions 2025.10.4 and 2025.12.4.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the absence of expected X-Authentik-* headers when a malformed cookie is used during forward authentication with authentik Proxy Provider behind Traefik or Caddy reverse proxies.

To detect this vulnerability on your network or system, you can monitor HTTP requests passing through your reverse proxy and check for authentication requests where the X-Authentik-* headers are missing despite the presence of session cookies.

A practical approach is to capture and inspect HTTP headers for requests to your protected applications. For example, using command-line tools like curl or tcpdump combined with grep or similar tools:

- Use curl to send a request with a malformed or suspicious cookie and observe whether the X-Authentik-* headers are set: `curl -v --cookie "malformed_cookie=1" https://your-protected-app.example.com`
- Use tcpdump or tshark to capture HTTP traffic and filter for missing X-Authentik-* headers in requests: `tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -B 5 -A 5 'Cookie:'`

If you observe requests with cookies but without the expected X-Authentik-* headers, this may indicate exploitation attempts or the presence of the vulnerability. [1]
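The grep pipeline above only surfaces Cookie lines; the check the answer actually describes (a session cookie present, X-Authentik-* headers absent on the request that reaches the protected app) is easier to apply to a header dump programmatically. The following script is an added example, not part of this record or of authentik; it assumes the capture is a plain-text dump of request headers (such as `tcpdump -A` output) and that the session cookie is named `authentik_session`, which is a constructed assumption you should adjust to the cookie name your deployment actually uses.

```python
"""Flag forward-auth requests that reach an upstream app carrying a
session cookie but none of the X-Authentik-* identity headers.
Heuristic only: it points at requests worth investigating, it does not
confirm exploitation. The capture below is constructed sample input."""
import re
from typing import Dict, List

# Constructed sample: three request header blocks separated by blank lines.
SAMPLE_CAPTURE = """GET /dashboard HTTP/1.1
Host: app.example.internal
Cookie: authentik_session=AAAAAAAA.BBBBBBBB
X-Authentik-Username: alice
X-Authentik-Email: alice@example.com

GET /admin HTTP/1.1
Host: app.example.internal
Cookie: authentik_session=%00%ff%fe-not-a-real-session

GET /healthz HTTP/1.1
Host: app.example.internal
User-Agent: probe/1.0
"""


def parse_requests(capture: str) -> List[Dict[str, str]]:
    """Split a header dump into requests: lowercased header name -> value,
    plus the request line under the key 'request_line'."""
    reqs = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.splitlines()
        if not lines:
            continue
        req = {"request_line": lines[0].strip()}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:  # skip non-header lines (e.g. packet framing from tcpdump)
                req[name.strip().lower()] = value.strip()
        reqs.append(req)
    return reqs


def find_missing_identity_headers(capture: str, cookie_name: str = "authentik_session") -> List[str]:
    """Return request lines that present the session cookie (assumed name)
    but arrive without any X-Authentik-* header from the outpost."""
    findings = []
    for req in parse_requests(capture):
        has_session = f"{cookie_name}=" in req.get("cookie", "")
        has_identity = any(h.startswith("x-authentik-") for h in req)
        if has_session and not has_identity:
            findings.append(req["request_line"])
    return findings


if __name__ == "__main__":
    for line in find_missing_identity_headers(SAMPLE_CAPTURE):
        print("review:", line)
```

Run it against a capture taken on the link between the reverse proxy and the protected application, not on the client-facing side, since that is where the X-Authentik-* headers are expected to appear.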
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade authentik to version 2025.10.4 or 2025.12.4, where the vulnerability has been fixed.
If upgrading immediately is not possible, it is advised to disable reverse proxy entries for applications using forward authentication to prevent exploitation.
There are no known workarounds other than applying the patch or disabling the affected proxy configurations.