CVE-2026-25748 - Vulnerability Analysis
HighCVSS: 8.6Last Updated: February 13, 2026
authentik - Authentication Bypass
Overview
authentik prior to 2025.10.4 and 2025.12.4 contains an authentication bypass caused by malformed cookies in forward authentication with Proxy Provider and reverse proxies, letting attackers gain unauthorized access by bypassing authentik-specific headers, exploit requires use of Traefik or Caddy reverse proxy.
Severity & Score
Impact
Attackers can bypass authentication and gain unauthorized access to protected resources.
Mitigation
Update to versions 2025.10.4 or 2025.12.4 or later.
References
Social Media Activity(2 posts)
🔐 CVE-2026-25748 CVE-2026-25748 📊 CVSS Score: 8.6 ⚠️ Severity: High 📅 Published: 02/12/2026, 08:16 PM 🏷️ Aliases: CVE-2026-25748 🛡️ CWE: CWE-287 🔗 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N ([email protected]) 📚 References: https://github.com/goauthentik/authentik/releases/tag/version/2025.10.4 https://github.com/goauthentik/authentik/releases/tag/version/2025.12.4 🔗 https://hecate.pw/vulnerability/CVE-2026-25748 #cve #vulnerability #hecate
View original post
🟠 CVE-2026-25748 - High (8.6) authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traef... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25748/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-25748
- Severity
- High
- CVSS Score
- 8.6
- Type
- broken_authentication
- Status
- unconfirmed
- EPSS
- 2.6%
- Social Posts
- 2
CWE
- CWE-287
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N