CVE-2026-25748
Published 2026-02-12
Priority P3 52 · Severity high · CVSS 3.1 base score 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS 0.48% (37.7th percentile)
authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, a malformed cookie made it possible to bypass authentication when using forward authentication in the authentik Proxy Provider together with Traefik or Caddy as the reverse proxy. With such a cookie, none of the authentik-specific X-Authentik-* headers were set; depending on how the protected application consumes those headers, this can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | caddyserver_caddy_v2_modules_caddyhttp_reverseproxy | >= 2.10.0 < 2.11.2 | 2.11.2 |
| goauthentik | authentik | < 2025.10.4 | 2025.10.4 |
| goauthentik | authentik | — | — |
| goauthentik | authentik | — | — |
| goauthentik | authentik | >= 2025.12.0 < 2025.12.4 | 2025.12.4 |
GHSA
ghsa·2026-03-06
CVE-2026-30851 [HIGH] CWE-287 Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
## Summary
Caddy's `forward_auth` directive with `copy_headers` generates conditional header-set operations that only fire when the upstream auth service includes the named header in its response. No delete or remove operation is generated for the original client-supplied request header with the same name.
When an auth service returns `200 OK` without one of the configured `copy_headers` headers, the client-supplied header passes through unchanged to the backend. Any requester holding a valid authentication token can inject arbitrary values for trusted identity headers, resulting in privilege escalation.
This is a regression introduced by PR #6608 in November 202
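The two advisories above describe the same failure mode from two sides: the authentik description (an auth response that carries no X-Authentik-* headers) and the Caddy summary (a proxy that only sets a copied header when the auth service sent it, and never deletes the client's copy). The following Go program is an added example, not code from authentik, Caddy or either advisory. It simulates a forward_auth hop with net/http/httptest: an auth service that answers 200 with no identity headers, a proxy whose header copy is either conditional-set-only (the behaviour the advisories describe) or strips client-supplied copies first (an assumed mitigation, not the upstream patch), and a backend that optionally fails closed when the identity header is absent. The header names, the `authentik_session` cookie value and the forged `admin` identity are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// identityHeaders stands in for the copy_headers list: headers copied from the
// auth service's 200 response into the backend request. Names are assumed and
// follow the X-Authentik-* convention from the authentik advisory.
var identityHeaders = []string{"X-Authentik-Username", "X-Authentik-Groups"}

// forwardAuth simulates a forward_auth step. stripClientCopies=false is the
// conditional-set-only behaviour the advisory describes; true is the assumed
// hardening: delete every client-supplied copy before the conditional set.
func forwardAuth(authURL string, backend http.Handler, stripClientCopies bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, err := http.NewRequest(http.MethodGet, authURL, nil)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		req.Header.Set("Cookie", r.Header.Get("Cookie")) // subrequest carries the client's cookies
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			http.Error(w, "auth service unreachable", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			w.WriteHeader(resp.StatusCode)
			return
		}
		if stripClientCopies {
			for _, h := range identityHeaders {
				r.Header.Del(h)
			}
		}
		for _, h := range identityHeaders {
			if v := resp.Header.Get(h); v != "" {
				r.Header.Set(h, v) // fires only when the auth service sent the header
			}
		}
		backend.ServeHTTP(w, r)
	})
}

// backend is the protected application. With failClosed it refuses requests
// that arrive without an identity header instead of trusting whatever is there.
func backend(failClosed bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get("X-Authentik-Username")
		if failClosed && user == "" {
			http.Error(w, "missing identity header", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "user=%s", user)
	})
}

// probe sends one constructed attacker request (junk session cookie plus a
// forged X-Authentik-Username) through auth service -> proxy -> backend and
// returns the backend's status and the username it acted on ("" unless 200).
// authResp is what the simulated auth service sends on 200; nil reproduces
// "200 OK with no identity headers", the condition in both advisories.
func probe(authResp map[string]string, stripClientCopies, failClosed bool) (int, string) {
	auth := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range authResp {
			w.Header().Set(k, v)
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer auth.Close()
	proxy := httptest.NewServer(forwardAuth(auth.URL, backend(failClosed), stripClientCopies))
	defer proxy.Close()

	req, _ := http.NewRequest(http.MethodGet, proxy.URL+"/admin", nil)
	req.Header.Set("Cookie", "authentik_session=garbage")   // constructed: malformed/junk cookie
	req.Header.Set("X-Authentik-Username", "admin")          // constructed: forged identity
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, ""
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return resp.StatusCode, ""
	}
	return resp.StatusCode, strings.TrimPrefix(strings.TrimSpace(string(body)), "user=")
}

func main() {
	s, u := probe(nil, false, false)
	fmt.Printf("conditional set only, auth sent no headers: %d user=%q\n", s, u)
	s, u = probe(nil, true, false)
	fmt.Printf("client copies stripped first:              %d user=%q\n", s, u)
	s, u = probe(nil, true, true)
	fmt.Printf("stripped + backend fails closed:           %d user=%q\n", s, u)
	s, u = probe(map[string]string{"X-Authentik-Username": "alice"}, false, false)
	fmt.Printf("auth sent identity (overrides forged):     %d user=%q\n", s, u)
}
```

The first probe is the bug: the auth service said 200 but sent nothing, so the forged `admin` reaches the backend untouched. Stripping client copies on the proxy closes the injection, and a backend that treats a missing identity header as unauthenticated turns the remaining "200 with no identity" case into a denial rather than anonymous or default access. Both layers are worth having; the proxy fix removes the attacker-controlled value, the backend check removes the dependence on the proxy getting it right.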
OSV
osv·2026-03-06
CVE-2026-30851 [HIGH] Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
No detection rules found.
No public exploits indexed.