cbcvebase.
CVE-2026-25748
published 2026-02-12

CVE-2026-25748: authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using…

PriorityP352high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.48%
37.7th percentile
authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.

Affected

5 ranges
VendorProductVersion rangeFixed in
github.comcaddyserver_caddy_v2_modules_caddyhttp_reverseproxy>= 2.10.0 < 2.11.22.11.2
goauthentikauthentik< 2025.10.42025.10.4
goauthentikauthentik
goauthentikauthentik
goauthentikauthentik>= 2025.12.0 < 2025.12.42025.12.4
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.