VYPR
Unrated severityNVD Advisory· Published Feb 12, 2026· Updated Feb 17, 2026

authentik has a forward authentication bypass with broken cookie

CVE-2026-25748

Description

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • authentik/authentikllm-fuzzy2 versions
    >= 2025.10.0, < 2025.10.4; >= 2025.12.0, < 2025.12.4+ 1 more
    • (no CPE)range: >= 2025.10.0, < 2025.10.4; >= 2025.12.0, < 2025.12.4
    • (no CPE)range: >= 2025.10.0-rc1, < 2025.10.4
  • osv-coords
    Range: >= 2025.10.0, < 2025.12.4

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.