Cyber Posture

CVE-2026-25748

Severity: High
Published: 12 February 2026
Modified: 19 February 2026
KEV Added: not listed
Patch: available (2025.10.4 / 2025.12.4)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0004 (11.2th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25748 is a high-severity Improper Authentication (CWE-287) vulnerability in Goauthentik Authentik. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Remediating the specific flaw in authentik by upgrading to patched versions 2025.10.4 or 2025.12.4 directly eliminates the authentication bypass via malformed cookies.
- prevent: Validating cookie inputs at entry points in the reverse proxy or authentik prevents malformed cookies from bypassing authentication and omitting required X-Authentik-* headers.
- prevent: Enforcing access control policies in the proxy provider ensures unauthorized access is denied when authentik-specific headers are absent due to malformed cookies.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct authentication bypass in a public-facing authentik Proxy Provider (with Traefik/Caddy) allows unauthenticated network attackers to gain unauthorized access to protected applications via a malformed cookie; this maps cleanly to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.

Deeper analysis (AI-generated)

CVE-2026-25748 is an authentication bypass vulnerability (CWE-287) in authentik, an open-source identity provider. It affects versions prior to 2025.10.4 and 2025.12.4, specifically when using forward authentication in the authentik Proxy Provider alongside Traefik or Caddy as reverse proxies. A malformed cookie can prevent the setting of authentik-specific X-Authentik-* headers, allowing unauthorized access depending on the protected application's configuration. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, low complexity, and scope change with high confidentiality impact.

Any unauthenticated attacker with network access can exploit this vulnerability by crafting and submitting a malformed cookie to the reverse proxy. This bypasses authentik's authentication checks, resulting in the absence of required X-Authentik-* headers. Consequently, the attacker may gain unauthorized access to resources protected by the proxy, with the extent of access determined by the downstream application's reliance on those headers.

Authentik addresses this issue in releases 2025.10.4 and 2025.12.4, as detailed in the project's GitHub release notes and security advisory (GHSA-fj56-5763-j8pp). Security practitioners should upgrade to these patched versions immediately when using the affected Proxy Provider configuration with Traefik or Caddy.
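The downstream-side mitigation the analysis points at, an application that fails closed when the proxy-supplied X-Authentik-* identity headers are absent, as an added example that is neither authentik's code nor code from this page. It assumes the application trusts X-Authentik-Username as its identity header (header name assumed here; adjust to your deployment) and that the application is reachable only through the reverse proxy.

```go
package main

import (
	"net/http"
	"strings"
)

// Headers the proxy outpost is expected to inject on an authenticated request.
// Assumption: X-Authentik-Username is the identity the application trusts; adjust
// to whatever header set your deployment relies on.
var requiredIdentityHeaders = []string{"X-Authentik-Username"}

// hasAuthentikIdentity reports whether every required identity header is present
// and non-blank. A request arriving with none of them set, the condition a
// malformed cookie produced in CVE-2026-25748, is treated as unauthenticated.
func hasAuthentikIdentity(h http.Header) bool {
	for _, name := range requiredIdentityHeaders {
		if strings.TrimSpace(h.Get(name)) == "" {
			return false
		}
	}
	return true
}

// RequireAuthentikIdentity wraps an application handler so it fails closed:
// requests without the identity headers get 401 instead of reaching a handler
// that might default to anonymous or guest access.
func RequireAuthentikIdentity(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hasAuthentikIdentity(r.Header) {
			http.Error(w, "unauthenticated: proxy identity headers missing", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only runs once the wrapper has confirmed the identity header is present.
		_, _ = w.Write([]byte("hello " + r.Header.Get("X-Authentik-Username") + "\n"))
	})
	// Bind to loopback: the app must only be reachable via the reverse proxy.
	_ = http.ListenAndServe("127.0.0.1:8080", RequireAuthentikIdentity(app))
}
```

The check only helps when clients cannot reach the application except through the proxy, since a client with direct network access could set the header itself.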

Details

CWE(s): CWE-287 (Improper Authentication)

Affected Products: goauthentik authentik, ≤ 2025.10.4; 2025.12.0 to 2025.12.4

CVEs Like This One

- CVE-2026-25922 (same product: Goauthentik Authentik)
- CVE-2026-25227 (same product: Goauthentik Authentik)
- CVE-2025-29928 (same product: Goauthentik Authentik)
- CVE-2026-5570 (shared CWE-287)
- CVE-2025-52395 (shared CWE-287)
- CVE-2025-15484 (shared CWE-287)
- CVE-2026-41571 (shared CWE-287)
- CVE-2026-2174 (shared CWE-287)
- CVE-2025-71279 (shared CWE-287)
- CVE-2024-13804 (shared CWE-287)
