Cyber Resilience

CVE-2026-25748

High

Published: 12 February 2026

Published
12 February 2026
Modified
19 February 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0048 37.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25748 is a high-severity Improper Authentication (CWE-287) vulnerability in Goauthentik Authentik. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25748 is an authentication bypass vulnerability (CWE-287) in authentik, an open-source identity provider. It affects versions prior to 2025.10.4 and 2025.12.4, specifically when using forward authentication in the authentik Proxy Provider alongside Traefik or Caddy as reverse proxies. A malformed cookie can prevent the setting of authentik-specific X-Authentik-* headers, allowing unauthorized access depending on the protected application's configuration. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, low complexity, and scope change with high confidentiality impact.

Any unauthenticated attacker with network access can exploit this vulnerability by crafting and submitting a malformed cookie to the reverse proxy. This bypasses authentik's authentication checks, resulting in the absence of required X-Authentik-* headers. Consequently, the attacker may gain unauthorized access to resources protected by the proxy, with the extent of access determined by the downstream application's reliance on those headers.

Authentik addresses this issue in releases 2025.10.4 and 2025.12.4, as detailed in the project's GitHub release notes and security advisory (GHSA-fj56-5763-j8pp). Security practitioners should upgrade to these patched versions immediately when using the affected Proxy Provider configuration with Traefik or Caddy.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse…

more

proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct authentication bypass in public-facing authentik Proxy Provider (with Traefik/Caddy) allows unauthenticated network attackers to gain unauthorized access to protected applications via malformed cookie; maps cleanly to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25922Same product: Goauthentik Authentik
CVE-2026-49443Same product: Goauthentik Authentik
CVE-2026-49448Same product: Goauthentik Authentik
CVE-2026-25227Same product: Goauthentik Authentik
CVE-2026-47201Same product: Goauthentik Authentik
CVE-2025-29928Same product: Goauthentik Authentik
CVE-2026-42849Same product: Goauthentik Authentik
CVE-2025-1044Shared CWE-287
CVE-2026-1740Shared CWE-287
CVE-2026-7022Shared CWE-287

Affected Assets

goauthentik
authentik
≤ 2025.10.4 · 2025.12.0 — 2025.12.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the specific flaw in authentik by upgrading to patched versions 2025.10.4 or 2025.12.4 directly eliminates the authentication bypass via malformed cookies.

prevent

Validating cookie inputs at entry points in the reverse proxy or authentik prevents malformed cookies from bypassing authentication and omitting required X-Authentik-* headers.

prevent

Enforcing access control policies in the proxy provider ensures unauthorized access is denied when authentik-specific headers are absent due to malformed cookies.

References