Authentication Bypass in Authentik Due to Malformed Cookie with Traefik or Caddy
CVE-2026-25748

8.6HIGH

Key Information:

Vendor

Goauthentik

Status
Authentik
Vendor
CVE Published:
12 February 2026

What is CVE-2026-25748?

A vulnerability in Authentic's Proxy Provider component allows for authentication bypass when malformed cookies are used with reverse proxies like Traefik or Caddy. Prior to versions 2025.10.4 and 2025.12.4, a maliciously crafted cookie could prevent the setting of critical X-Authentik-* headers, granting unauthorized access to an attacker. Users are advised to update to the latest versions to mitigate this risk.

Affected Version(s)

authentik >= 2025.10.0-rc1, < 2025.10.4 < 2025.10.0-rc1, 2025.10.4

authentik >= 2025.10.0-rc1, < 2025.12.4 < 2025.10.0-rc1, 2025.12.4

References

https://github.com/goauthentik/authentik/security/advisor...
x_refsource_CONFIRM
https://github.com/goauthentik/authentik/releases/tag/ver...
x_refsource_MISC
https://github.com/goauthentik/authentik/releases/tag/ver...
x_refsource_MISC

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.