BIT-authentik-2025-29928

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/authentik/BIT-authentik-2025-29928.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-authentik-2025-29928

Aliases

CVE-2025-29928
GHSA-p6p8-f853-9g2p

Published

2026-04-16T23:36:25.530Z

Modified

2026-04-17T04:57:14.453277714Z

Summary

authentik's deletion of sessions did not revoke sessions when using database session storage

Details

authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate.

Database specific

{
    "cpes": [
        "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:go:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / authentik

Package

Name: authentik
Purl: pkg:bitnami/authentik

Severity

8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2024.12.4

Introduced

2025.0.0

Fixed

2025.2.3

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/authentik/BIT-authentik-2025-29928.json"