CVE-2025-52553
📋 TL;DR
This vulnerability in authentik allows session hijacking through Remote Access Control (RAC) tokens. An attacker who obtains a RAC token URL (e.g., via screenshare) can use it to access the same session without proper session validation. This affects all authentik deployments using RAC endpoints prior to patched versions.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of authenticated sessions, allowing attackers to impersonate legitimate users and access sensitive systems or data through the identity provider.
Likely Case
Session hijacking during screenshares or when URLs are exposed, leading to unauthorized access to RAC-connected resources.
If Mitigated
With the workarounds applied, exposure is limited to token replay within a very short window; once patched, proper session validation prevents unauthorized access.
🎯 Exploit Status
Exploitation requires obtaining a valid RAC token URL, which can occur through screenshare viewing, log exposure, or network interception. No special tools needed beyond URL access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.6.3 or 2025.4.3
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-wr3v-9p2c-chx7
Restart Required: Yes
Instructions:
1. Backup your authentik configuration and database.
2. Update authentik to version 2025.6.3 or 2025.4.3 using your deployment method (Docker, Kubernetes, etc.).
3. Restart all authentik services.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Reduce RAC Token Validity
Decrease the connection expiry time for RAC tokens to limit the window for exploitation.
In authentik admin interface: Navigate to RAC Provider settings > Set Connection expiry to 'minutes=5' or lower
Enable Delete Authorization on Disconnect
Automatically revoke authorization when connections are terminated.
In authentik admin interface: Enable 'Delete authorization on disconnect' option in RAC Provider settings
🧯 If You Can't Patch
- Implement the workarounds: reduce token expiry to minimum and enable delete on disconnect
- Disable RAC functionality entirely if not required for operations
🔍 How to Verify
Check if Vulnerable:
Check authentik version: if running any version before 2025.6.3 or 2025.4.3 AND RAC is enabled, the system is vulnerable.
Check Version:
docker exec authentik authentik version (for Docker deployments) or check deployment manifests for version tags
Verify Fix Applied:
Confirm authentik version is 2025.6.3 or 2025.4.3 or later, and test that RAC tokens now properly validate user sessions.
📡 Detection & Monitoring
Log Indicators:
- Multiple RAC connections from different IPs using same token
- RAC token usage after user session expiration
Network Indicators:
- Unusual RAC endpoint access patterns
- RAC token reuse across different source IPs
SIEM Query:
source="authentik" AND "RAC" AND (token_reuse OR session_mismatch)
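The two log indicators above (one token seen from several source IPs, and a token used after the owning session expired) can be checked offline against exported logs. The script below is an added example, not authentik code; the log lines are constructed and the field names (ts, event, token, src_ip, user, session_expires) are assumed, so map them to your real export before use.

```python
import json
from datetime import datetime

# Constructed sample log lines (not real authentik output); field names are assumed.
SAMPLE_LOGS = """
{"ts": "2025-07-01T10:00:00Z", "event": "rac_connect", "token": "tok-A", "src_ip": "10.0.0.5", "user": "alice", "session_expires": "2025-07-01T11:00:00Z"}
{"ts": "2025-07-01T10:02:00Z", "event": "rac_connect", "token": "tok-A", "src_ip": "198.51.100.7", "user": "alice", "session_expires": "2025-07-01T11:00:00Z"}
{"ts": "2025-07-01T10:05:00Z", "event": "rac_connect", "token": "tok-B", "src_ip": "10.0.0.9", "user": "bob", "session_expires": "2025-07-01T10:30:00Z"}
{"ts": "2025-07-01T10:45:00Z", "event": "rac_connect", "token": "tok-B", "src_ip": "10.0.0.9", "user": "bob", "session_expires": "2025-07-01T10:30:00Z"}
{"ts": "2025-07-01T10:50:00Z", "event": "login", "user": "carol", "src_ip": "10.0.0.2"}
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyze_rac_logs(text):
    """Scan JSON-lines RAC connection events and return a list of findings.

    Each finding is a tuple (kind, token, detail):
      - ("token_reuse", token, new_src_ip): the same RAC token connected from a
        source IP other than the one first seen for it.
      - ("session_mismatch", token, user): a RAC connection occurred after the
        user session that issued the token had already expired.
    """
    findings = []
    ips_by_token = {}  # token -> set of source IPs seen so far
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("event") != "rac_connect":
            continue  # only RAC connection events matter here
        token = rec["token"]
        seen = ips_by_token.setdefault(token, set())
        if seen and rec["src_ip"] not in seen:
            findings.append(("token_reuse", token, rec["src_ip"]))
        seen.add(rec["src_ip"])
        if parse_ts(rec["ts"]) > parse_ts(rec["session_expires"]):
            findings.append(("session_mismatch", token, rec["user"]))
    return findings


if __name__ == "__main__":
    for kind, token, detail in analyze_rac_logs(SAMPLE_LOGS):
        print(f"{kind}: token={token} detail={detail}")
```

On the constructed input this reports tok-A reused from 198.51.100.7 and tok-B used by bob after his session expired; the finding names match the terms in the SIEM query above.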
🔗 References
- https://github.com/goauthentik/authentik/commit/0e07414e9739b318cff9401a413a5fe849545325
- https://github.com/goauthentik/authentik/commit/65373ab21711d58147b5cb9276c5b5876baaa5eb
- https://github.com/goauthentik/authentik/commit/7100d3c6741853f1cfe3ea2073ba01823ab55caa
- https://github.com/goauthentik/authentik/security/advisories/GHSA-wr3v-9p2c-chx7