CVE-2025-29928 in authentik
Summary
by MITRE • 03/28/2025
authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate.
Analysis
by VulDB Data Team • 08/22/2025
CVE-2025-29928 affects authentik, an open-source identity provider used to manage digital identities and access control. The flaw is a session management weakness that undermines a core guarantee of any authentication system: that a terminated session stops granting access. It is specific to deployments that configure authentik to store sessions in the database rather than in the default cache backend. In those deployments, deleting a session through the web interface or the API does not invalidate it, so the session holder keeps access to protected resources. Session lifecycle management breaks down at exactly the point where least privilege and access revocation depend on it.
The flaw lies in the session invalidation path of authentik's database session storage. When an administrator or user terminates a session through the standard interfaces, the session record is deleted from storage, but the deletion does not propagate to the authentication state that the request path consults. A terminated or compromised session therefore remains usable, leaving a persistent access vector for whoever holds it. Session revocation is normally achieved by invalidating the token, marking the database record, or evicting the entry from the cache; here none of these takes effect. The bug reflects poor separation between session storage persistence and session state management: session data can be removed from storage while the corresponding access rights stay live.
Operationally, this is a significant risk for organizations that rely on authentik for identity management and access control. Because deleted sessions keep working, an attacker who holds a session token retains persistence even after a legitimate termination procedure has run, and can continue to read sensitive information, perform privileged actions, or stage further attacks with that token. The impact is most acute where session revocation is a security control in its own right: multi-tenant deployments, compliance-sensitive systems, and organizations with strict access control requirements. Beyond plain unauthorized access, the consequences include potential data breaches, privilege escalation opportunities, and violations of security policies that assume session termination is effective.
Affected organizations should apply the recommended mitigation immediately and plan the upgrade. Versions 2024.12.4 and 2025.2.3 fix the issue so that sessions deleted through either the web interface or the API are properly invalidated. Until the upgrade is possible, switching to cache-based session storage is an effective temporary workaround, with one operational consequence to plan for: all existing sessions are lost and every user has to re-authenticate, which may affect user experience and availability during the transition. This mitigation aligns with established practice for handling known vulnerabilities and underlines the value of timely patching. The issue also shows why session lifecycle operations in authentication systems need thorough testing, in particular confirming that a deleted session is actually rejected afterwards. Organizations should consider additional monitoring and alerting to detect unauthorized access attempts and to confirm that session invalidation takes effect in their authentication environment. The issue represents a clear violation of security principle C-12 from the CWE taxonomy, which addresses improper session management, and may be categorized under ATT&CK technique T1566 related to credential access through session hijacking or manipulation.
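One way to monitor for the symptom this advisory describes, as an added example that is neither authentik's code nor VulDB's: correlate session-deletion events with any later activity on the same session key. The JSON event format, session keys and request paths below are constructed for the demo; a real deployment would map authentik's own event fields onto `parse_events`.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not authentik's real event schema): session s-1111
# is deleted by an admin and then keeps being used, which is the symptom of
# CVE-2025-29928; session s-2222 is only used before its deletion.
SAMPLE_LOG = """
{"ts": "2025-03-28T10:00:00Z", "event": "login", "session": "s-1111", "user": "alice"}
{"ts": "2025-03-28T10:05:00Z", "event": "session_deleted", "session": "s-1111", "actor": "admin"}
{"ts": "2025-03-28T10:09:30Z", "event": "request", "session": "s-1111", "path": "/api/v3/core/users/"}
{"ts": "2025-03-28T10:10:00Z", "event": "login", "session": "s-2222", "user": "bob"}
{"ts": "2025-03-28T10:12:00Z", "event": "request", "session": "s-2222", "path": "/if/user/"}
{"ts": "2025-03-28T10:15:00Z", "event": "session_deleted", "session": "s-2222", "actor": "bob"}
""".strip()


def parse_events(text):
    """Parse one JSON event per line and return them in timestamp order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda event: event["ts"])


def find_zombie_sessions(events, grace=timedelta(seconds=5)):
    """Return one finding per request that used a session after its deletion.
    `grace` absorbs requests already in flight when the deletion happened; any
    use later than that means the deletion did not revoke access."""
    deleted_at = {}   # session key -> time of the most recent deletion event
    findings = []
    for event in events:
        key = event["session"]
        if event["event"] == "session_deleted":
            deleted_at[key] = event["ts"]
        elif key in deleted_at and event["ts"] - deleted_at[key] > grace:
            findings.append({
                "session": key,
                "deleted_at": deleted_at[key].isoformat(),
                "used_at": event["ts"].isoformat(),
                "path": event.get("path"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_zombie_sessions(parse_events(SAMPLE_LOG)):
        print("ALERT: session used after deletion:", finding)
```

On a patched instance the finding list should stay empty; a non-empty list during the workaround period is a direct signal that the storage backend in use still has the revocation gap.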