CVE-2025-29928
📋 TL;DR
authentik versions prior to 2024.12.4 and 2025.2.3 have a session management vulnerability when configured with database session storage. Attackers with existing sessions could maintain access even after administrators delete their sessions, potentially leading to unauthorized access. Only deployments using non-default database session storage are affected.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Attackers maintain persistent access to authentik and downstream applications despite session revocation attempts, potentially leading to complete account takeover and privilege escalation.
Likely Case
Users who should have been logged out retain access to authentik and connected services, bypassing intended session termination.
If Mitigated
With cache-based session storage (default) or patched versions, sessions are properly revoked when deleted.
🎯 Exploit Status
Exploitation requires an existing session and a deployment configured for database session storage. The attacker then simply keeps using that session after an administrator has deleted it; no further interaction is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.12.4 or 2025.2.3
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-p6p8-f853-9g2p
Restart Required: No
Instructions:
1. Upgrade authentik to version 2024.12.4 or 2025.2.3.
2. Verify that session deletion now properly revokes access.
3. No restart is required for session storage changes.
🔧 Temporary Workarounds
Switch to cache-based session storage
Change session storage from database to cache (the default configuration), which properly handles session revocation.
Update the authentik configuration to use the cache session backend instead of the database session backend.
🧯 If You Can't Patch
- Switch to cache-based session storage immediately (this will invalidate all existing sessions)
- Implement additional session monitoring and manual session termination procedures
🔍 How to Verify
Check if Vulnerable:
The deployment is vulnerable if the authentik version is below 2024.12.4 (2024.12 branch) or below 2025.2.3 (2025 branch) AND it is configured with database session storage.
Check Version:
Check the authentik version in the admin interface or via the API endpoint.
Verify Fix Applied:
After upgrading, delete a test session via the web interface or API and verify that the session is properly revoked (subsequent requests with it are rejected).
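The version-and-configuration check above, written out as a small script. This is an added example, not part of the advisory or of the authentik project. It assumes authentik's CalVer scheme (YYYY.M.patch), the fixed releases named in the advisory, and that the session backend is read from an environment variable called AUTHENTIK_SESSIONS__STORAGE whose value "db" selects database-backed sessions (the variable name and value are assumptions for illustration; map them to your deployment's real setting).

```python
"""Added example (not from the advisory or the authentik project): classify an
authentik deployment against the CVE-2025-29928 affected range.

Assumptions (labelled): CalVer versions YYYY.M.patch; fixed releases 2024.12.4 and
2025.2.3 per the advisory; session backend read from AUTHENTIK_SESSIONS__STORAGE
with "db" meaning database sessions (name/value assumed for illustration)."""
import os
from typing import Tuple

FIXED_2024 = (2024, 12, 4)  # first fixed release on the 2024.12 branch (advisory)
FIXED_2025 = (2025, 2, 3)   # first fixed release on the 2025 branch (advisory)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2025.2.2' -> (2025, 2, 2); a missing patch number is treated as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def version_is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its release line."""
    v = parse_version(version)
    if v[0] < 2025:
        return v < FIXED_2024      # anything before 2024.12.4 is affected
    if v[0] == 2025:
        return v < FIXED_2025      # 2025.1.x and 2025.2.0-2025.2.2 are affected
    return False                   # later lines ship with the fix


def uses_database_sessions(storage: str) -> bool:
    """Only the non-default database session backend is affected."""
    return storage.strip().lower() == "db"


def is_affected(version: str, storage: str) -> bool:
    """Both conditions from the advisory must hold."""
    return version_is_vulnerable(version) and uses_database_sessions(storage)


if __name__ == "__main__":
    # Hypothetical inputs: version reported by the admin UI/API, backend from the env.
    version = os.environ.get("AUTHENTIK_VERSION_UNDER_TEST", "2025.2.2")
    storage = os.environ.get("AUTHENTIK_SESSIONS__STORAGE", "cache")
    verdict = "AFFECTED" if is_affected(version, storage) else "not affected"
    print(f"authentik {version} with session storage '{storage}': {verdict}")
```

Run it with the two environment variables set to what your deployment reports; the default inputs in the block are constructed and only there so the script runs stand-alone.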
📡 Detection & Monitoring
Log Indicators:
- Failed session revocation attempts
- Sessions persisting after deletion events
- Unexpected session activity
Network Indicators:
- Session tokens continuing to work after supposed revocation
SIEM Query:
Correlate authentik session deletion events with any later successful authentication or authorization event that carries the same session identifier; a match indicates a session that survived revocation.
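The correlation described in the SIEM query, as detection logic run over sample log lines. This is an added example, not part of the advisory or of authentik's own tooling. The log format is an assumption for illustration: one JSON object per line with "ts", "action" and "session" fields, and the action names "session_deleted", "login" and "authorize_application" are placeholders to be mapped onto your real authentik event export. The sample lines, session ids and timestamps are constructed.

```python
"""Added example (not from the advisory): flag sessions that keep authenticating
after an administrator deleted them.

Assumed log format (for illustration only): one JSON object per line with
"ts" (ISO 8601), "action", "session" and "user"; action names are placeholders."""
import json
from datetime import datetime
from typing import Dict, List

# Constructed sample log: sess-a1 is deleted and then used again (the finding);
# sess-b2 is deleted and never reused; sess-c3 is a fresh, legitimate login.
SAMPLE_LOGS = """
{"ts": "2025-03-01T10:00:00Z", "action": "login", "session": "sess-a1", "user": "alice"}
{"ts": "2025-03-01T10:05:00Z", "action": "session_deleted", "session": "sess-a1", "user": "alice", "actor": "admin"}
{"ts": "2025-03-01T10:07:00Z", "action": "authorize_application", "session": "sess-a1", "user": "alice"}
{"ts": "2025-03-01T10:08:00Z", "action": "login", "session": "sess-b2", "user": "bob"}
{"ts": "2025-03-01T10:09:00Z", "action": "session_deleted", "session": "sess-b2", "user": "bob", "actor": "admin"}
{"ts": "2025-03-01T10:20:00Z", "action": "login", "session": "sess-c3", "user": "bob"}
""".strip()

# Actions that prove a session is still being honoured (placeholder names).
ACTIVITY_ACTIONS = {"login", "authorize_application"}


def _parse_ts(value: str) -> datetime:
    # datetime.fromisoformat does not accept a trailing "Z" on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_revived_sessions(lines: str) -> List[Dict[str, str]]:
    """Return one alert per activity event that follows a deletion of the same session."""
    deleted_at: Dict[str, datetime] = {}
    alerts: List[Dict[str, str]] = []
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ts = _parse_ts(ev["ts"])
        sid = ev.get("session")
        if ev["action"] == "session_deleted":
            deleted_at[sid] = ts                      # remember when it was revoked
        elif ev["action"] in ACTIVITY_ACTIONS and sid in deleted_at and ts > deleted_at[sid]:
            alerts.append({
                "session": sid,
                "user": ev.get("user", ""),
                "action": ev["action"],
                "deleted_at": deleted_at[sid].isoformat(),
                "seen_at": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_revived_sessions(SAMPLE_LOGS):
        print("session survived revocation:", alert)
```

The rule keeps only the latest deletion time per session id, so a legitimately re-created session with a fresh id (sess-c3 above) does not alert; if your platform reuses session ids, key on the session id plus user instead.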