CVE-2025-29928 · HIGH 8.0 · EPSS p25.5%


Description

authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session, and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Until the authentik instance can be upgraded, switching to the cache-based session storage is recommended; note that this also deletes all existing sessions, so users will have to re-authenticate.

Scoring

CVSS 3.1: 8.0 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.34% probability of exploitation · percentile 25.5% · 2026-06-19T12:03:05Z
Published: 2025-03-28
Last modified: 2025-08-21

Underlying weaknesses · 1

CWE-384 (Session Fixation)

References

  1. https://github.com/goauthentik/authentik/commit/71294b7deb6eb5726a782de83b957eaf25fc4cf6
  2. https://github.com/goauthentik/authentik/security/advisories/GHSA-p6p8-f853-9g2p


Type      Target                      Confidence  Tier
Weakness  Session Fixation (cwe-384)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-52553
  2. CVE-2026-49443
  3. CVE-2026-25922
  4. CVE-2026-49448
  5. CVE-2026-40165
  6. CVE-2026-41577

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.