Authentication Bypass Vulnerability in authentik Identity Provider
CVE-2025-52553

5.5 MEDIUM

Key Information:

Vendor: authentik
CVE Published: 27 June 2025

What is CVE-2025-52553?

The authentik identity provider contains a flaw in its RAC (Remote Access Control) flow: after a user is authorized to a RAC endpoint, a connection token is created and passed to the client in the URL, and that token is not subject to a validation check tying it to the user who obtained it. Anyone who sees the URL, for example a participant in a screensharing session, can reuse it to hijack the active connection for as long as the token remains valid. Fixes are available in authentik 2025.4.3 and 2025.6.3. Administrators who cannot upgrade immediately should shorten the token expiry time and enable the "Delete authorization on disconnect" option so that a leaked token is revoked as soon as the legitimate client disconnects.
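The following Python model, added here as an illustration and not taken from authentik's code base, shows why the two mitigations help. It mints a connection token after authorization and returns it in a URL, then compares a check that accepts any unexpired token (the pattern the advisory describes) with a hardened check that also binds the token to the authorizing session. The class and function names, the `/if/rac/...?token=` URL shape, the session-binding check and the "alice"/"mallory" scenario are assumptions made for the example; the timestamps are fixed so the run is deterministic.

```python
"""Constructed model of a RAC-style connection token flow. This is an added
illustration, not authentik's code: the class names, the URL shape and the
session-binding check are assumptions made for the example."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ConnectionToken:
    user: str
    session_id: str    # browser session that authorized the connection
    endpoint: str
    expires_at: float  # absolute unix time


class RACTokenStore:
    """Hypothetical store. ttl_seconds models the token expiry setting and
    delete_on_disconnect models the 'Delete authorization on disconnect' option."""

    def __init__(self, ttl_seconds: float, delete_on_disconnect: bool) -> None:
        self.ttl = ttl_seconds
        self.delete_on_disconnect = delete_on_disconnect
        self._tokens: Dict[str, ConnectionToken] = {}

    def issue(self, user: str, session_id: str, endpoint: str, now: float) -> str:
        """Mint a token after authorization and hand it back in the URL
        (the step the advisory describes)."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = ConnectionToken(user, session_id, endpoint, now + self.ttl)
        return f"/if/rac/{endpoint}/?token={token}"  # assumed URL shape

    @staticmethod
    def _token_from_url(url: str) -> str:
        return url.rsplit("token=", 1)[1]

    def connect_vulnerable(self, url: str, now: float) -> Optional[str]:
        """Vulnerable pattern: any unexpired token is accepted, whoever presents it."""
        tok = self._tokens.get(self._token_from_url(url))
        if tok is None or now >= tok.expires_at:
            return None
        return tok.user

    def connect_hardened(self, url: str, session_id: str, now: float) -> Optional[str]:
        """Hardened pattern: the presenting session must be the one that authorized."""
        tok = self._tokens.get(self._token_from_url(url))
        if tok is None or now >= tok.expires_at:
            return None
        if not secrets.compare_digest(tok.session_id, session_id):
            return None
        return tok.user

    def disconnect(self, url: str) -> None:
        """Client disconnects; with delete_on_disconnect the token is revoked."""
        if self.delete_on_disconnect:
            self._tokens.pop(self._token_from_url(url), None)


def scenario(ttl_seconds: float = 300, delete_on_disconnect: bool = False) -> dict:
    """Victim 'alice' authorizes a connection; 'mallory' sees the URL on a shared
    screen and replays it from her own session (constructed scenario)."""
    store = RACTokenStore(ttl_seconds, delete_on_disconnect)
    t0 = 1_700_000_000.0
    url = store.issue("alice", "sess-alice", "dev-server", t0)
    results = {
        "victim_connects": store.connect_vulnerable(url, t0 + 1),
        "attacker_vulnerable": store.connect_vulnerable(url, t0 + 10),
        "attacker_hardened": store.connect_hardened(url, "sess-mallory", t0 + 10),
        "owner_hardened": store.connect_hardened(url, "sess-alice", t0 + 10),
    }
    store.disconnect(url)
    results["attacker_after_disconnect"] = store.connect_vulnerable(url, t0 + 20)
    results["attacker_after_expiry"] = store.connect_vulnerable(url, t0 + ttl_seconds)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

With the defaults (a five-minute token, no deletion on disconnect) the replayed URL is accepted by the vulnerable check even after the victim has disconnected, and only expiry ends the exposure. Enabling deletion on disconnect closes the window at the moment the victim leaves, and a short expiry bounds it even if the victim stays connected; binding the token to the authorizing session, as the hardened check does, stops the replay outright.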

Affected Version(s)

authentik >= 2025.6.0-rc1, < 2025.6.3 (fixed in 2025.6.3)

authentik < 2025.4.3 (fixed in 2025.4.3)

CVSS V4

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
