CVE-2025-29928 Overview
CVE-2025-29928 is a session revocation vulnerability in authentik, an open-source identity provider. When authentik is configured to store sessions in the database (not the default), deleting a session through the Web Interface or the API does not actually invalidate it. The holder of that session keeps authenticated access to the authentik instance even after an administrator has terminated the session.
Critical Impact
Attackers or compromised accounts can maintain persistent access to the identity provider even after session revocation attempts, potentially compromising all downstream applications relying on authentik for authentication.
Affected Products
- goauthentik authentik versions prior to 2024.12.4
- goauthentik authentik 2025.2.x versions prior to 2025.2.3
- only instances configured with database session storage (AUTHENTIK_SESSION_STORAGE=db, which is not the default; the default keeps sessions in the cache)
Discovery Timeline
- 2025-03-28 - CVE-2025-29928 published to NVD
- 2025-08-21 - Last updated in NVD database
Technical Details for CVE-2025-29928
Vulnerability Analysis
The advisory classifies this vulnerability as session fixation (CWE-384). The behaviour it describes is an invalidation failure rather than classic fixation: the attacker does not plant a session identifier on a victim, but keeps using a session that an administrator has already deleted. The core issue is a disconnect between the session deletion performed through the administrative interface and the session data that the request path consults in the database backend.
When an administrator revokes a user session through the Web Interface or API, the deletion completes without error and the session disappears from the administrative view, so it appears to have been terminated. The session data that the authentication path checks is still present, however, and the original session cookie remains valid. Whoever holds that cookie, whether a malicious actor or a compromised account, keeps their authenticated state until the session reaches its normal expiry or the storage backend is changed.
Only deployments using database session storage are affected. This is not the default configuration (the default keeps sessions in the cache), but some operators choose it so that session state does not depend on the cache, for example so that a cache flush does not sign every user out.
Root Cause
The root cause is improper session invalidation when the database backend is used for session storage. The administrative deletion removes the session as far as authentik's session management is concerned, but it does not remove or invalidate the corresponding entry in the database session store that incoming requests are validated against. The administrative action therefore reports success while the existing session token remains usable for authentication.
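The mismatch described above, as a simplified model written for this page; it is not authentik's code, and every name in it (SessionBackend, AdminSessionIndex, the revoke_* functions) is a hypothetical stand-in. The admin-facing index and the backend store are deliberately separate objects so that the two revocation routines can be compared, and orphaned_sessions() shows the audit check that exposes a revocation which only cleaned up the admin view.

```python
# Simplified model of the flaw described above, written for this page; it is
# not authentik's code and every name here is a hypothetical stand-in.
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionBackend:
    """Stand-in for the backend session store (database or cache). The request
    path consults only this store when it decides whether a cookie is valid."""
    rows: dict = field(default_factory=dict)  # session_key -> username

    def create(self, user: str) -> str:
        key = secrets.token_urlsafe(24)
        self.rows[key] = user
        return key

    def user_for(self, key: str):
        return self.rows.get(key)

    def delete(self, key: str) -> None:
        self.rows.pop(key, None)


@dataclass
class AdminSessionIndex:
    """Stand-in for the per-user session list shown in the admin UI and API."""
    entries: dict = field(default_factory=dict)  # record id -> session_key

    def add(self, key: str) -> str:
        rid = secrets.token_hex(8)
        self.entries[rid] = key
        return rid


def login(backend: SessionBackend, index: AdminSessionIndex, user: str):
    """Create the backend row and the admin-visible record that points at it."""
    key = backend.create(user)
    return key, index.add(key)


def revoke_vulnerable(backend, index, rid):
    """Removes only the admin-visible record. The backend row survives, so the
    cookie keeps authenticating: the behaviour the advisory describes."""
    index.entries.pop(rid, None)


def revoke_fixed(backend, index, rid):
    """Removes the record and the backend row it points to, so the next request
    carrying the cookie fails validation."""
    key = index.entries.pop(rid, None)
    if key is not None:
        backend.delete(key)


def authenticate(backend, cookie):
    """What the request path does: look the cookie up in the backend only."""
    return backend.user_for(cookie)


def orphaned_sessions(backend, index):
    """Audit check: backend rows that no admin-visible record references.
    Anything returned here is a session an administrator can no longer see or
    revoke from the UI, which is exactly what a failed revocation leaves behind."""
    referenced = set(index.entries.values())
    return sorted(k for k in backend.rows if k not in referenced)


def demo(revoke):
    """Log in, revoke through the admin path, then replay the cookie."""
    backend, index = SessionBackend(), AdminSessionIndex()
    cookie, rid = login(backend, index, "alice")
    assert authenticate(backend, cookie) == "alice"
    revoke(backend, index, rid)
    assert rid not in index.entries  # the admin view looks clean either way
    return authenticate(backend, cookie), len(orphaned_sessions(backend, index))


if __name__ == "__main__":
    print("vulnerable revoke:", demo(revoke_vulnerable))  # ('alice', 1)
    print("fixed revoke:     ", demo(revoke_fixed))       # (None, 0)
```

The point of the model is the invariant a revocation path has to satisfy: whatever store the validator reads must be the store the deletion writes to. Auditing for backend entries that the administrative view no longer lists is the same check the detection section below recommends for identifying zombie sessions.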
Attack Vector
The attack vector is network-based: the attacker simply keeps presenting a session cookie that an administrator believes has been revoked. How the attacker obtained the session is irrelevant to the flaw. It may be a hijacked cookie, a session opened with stolen credentials, or a formerly legitimate session (a departed employee, a lost device) that should have ended with the revocation. In every case the attacker keeps access to authentik and, through it, to every downstream application that relies on it for authentication.
No action by the victim assists the attacker; the only precondition is that the attacker already holds a valid session on an instance that uses database session storage. Revocation by an administrator is the event the attacker's session survives, not a step the attacker needs to trigger. No privileges beyond the held session are required.
The scope of the impact extends beyond authentik itself. Because authentik is an identity provider, a surviving session can be used to authenticate to the federated applications and services it fronts.
Detection Methods for CVE-2025-29928
Indicators of Compromise
- Active sessions that persist after administrative revocation attempts
- Users maintaining authenticated access despite appearing logged out in the admin console
- Session tokens being used after the corresponding session record shows as deleted
- Anomalous authentication activity from sessions that should have been terminated
Detection Strategies
- Monitor authentik audit logs for session deletion events and correlate with subsequent authentication attempts using the same session identifiers
- Implement alerting for authentication activity that occurs after session revocation timestamps
- Compare active database session records against session validation logs to identify orphaned or zombie sessions
- Review authentik configuration to identify instances using database session storage (AUTHENTIK_SESSION_STORAGE=db; the default value is cache)
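The correlation described in the first two strategies above, as an added example for this page rather than authentik tooling. Both log formats are constructed for the example, and the field names (ts, action, by, session, path) are assumptions to be mapped onto your real authentik event export and reverse-proxy access log; the correlation key must be whatever stable session identifier both sources share.

```python
# Detection logic for the core symptom of this advisory: a session identifier
# that is still presented after an administrator deleted the session.
# Added example for this page, not authentik tooling. Both log formats are
# constructed, and the field names are assumptions.
import json
from datetime import datetime, timezone

# Constructed audit events, one per administrative session deletion.
AUDIT_EVENTS = [
    '{"ts":"2025-03-28T10:00:00Z","action":"session_deleted","by":"akadmin","session":"s-1111"}',
    '{"ts":"2025-03-28T10:05:00Z","action":"session_deleted","by":"akadmin","session":"s-2222"}',
]

# Constructed access records: which session identifier each request carried.
ACCESS_LOG = [
    '{"ts":"2025-03-28T09:59:30Z","session":"s-1111","path":"/api/v3/core/users/me/"}',
    '{"ts":"2025-03-28T10:01:10Z","session":"s-1111","path":"/application/o/authorize/"}',
    '{"ts":"2025-03-28T10:02:00Z","session":"s-3333","path":"/api/v3/core/users/me/"}',
    '{"ts":"2025-03-28T10:04:00Z","session":"s-2222","path":"/if/user/"}',
    '{"ts":"2025-03-28T10:06:00Z","session":"s-2222","path":"/application/o/authorize/"}',
]


def parse_ts(value: str) -> datetime:
    """Parse the UTC timestamps used in both constructed log formats."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def revocation_times(audit_lines):
    """Map each session identifier to the earliest time it was deleted."""
    revoked = {}
    for line in audit_lines:
        event = json.loads(line)
        if event.get("action") != "session_deleted":
            continue
        ts = parse_ts(event["ts"])
        sid = event["session"]
        if sid not in revoked or ts < revoked[sid]:
            revoked[sid] = ts
    return revoked


def zombie_requests(audit_lines, access_lines, grace_seconds=0):
    """Return requests that presented a session identifier after that session
    was deleted. grace_seconds absorbs in-flight requests and clock skew
    between the two log sources; anything beyond it is a revocation that did
    not take effect and should raise an alert."""
    revoked = revocation_times(audit_lines)
    hits = []
    for line in access_lines:
        req = json.loads(line)
        sid = req.get("session")
        if sid not in revoked:
            continue
        lag = (parse_ts(req["ts"]) - revoked[sid]).total_seconds()
        if lag > grace_seconds:
            hits.append({"session": sid, "path": req["path"],
                         "seconds_after_revocation": lag})
    return hits


if __name__ == "__main__":
    for hit in zombie_requests(AUDIT_EVENTS, ACCESS_LOG, grace_seconds=5):
        print(hit)
```

On the constructed input the 09:59:30 and 10:04:00 requests are legitimate pre-revocation use and are not flagged; the two later requests are. Keep the grace window short (seconds, not minutes), and never write raw session cookie values into either log: a hash of the cookie or authentik's own session record identifier is enough to correlate on.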
Monitoring Recommendations
- Enable comprehensive audit logging for all session management operations in authentik
- Implement session activity monitoring to detect continued access after revocation attempts
- Configure alerts for authentication patterns that indicate session persistence beyond expected lifetimes
- Regularly audit the list of active sessions against expected user activity patterns
How to Mitigate CVE-2025-29928
Immediate Actions Required
- Upgrade authentik to 2024.12.4 (2024.12 series) or 2025.2.3 (2025.2 series) immediately
- If an upgrade is not immediately possible, switch to cache-based session storage (the default) as a temporary workaround; this discards every existing session, including any that survived a failed revocation
- Audit all active sessions and identify any that may have been compromised
- Force re-authentication for all users after applying the fix or switching storage backends; any session an administrator deleted while the instance was vulnerable must be assumed still live until this is done
Patch Information
The vulnerability has been addressed in authentik versions 2025.2.3 and 2024.12.4. The fix ensures that session deletion operations properly invalidate sessions at the database level, preventing continued authentication with revoked session tokens.
For detailed information about the fix, refer to the GitHub Commit Overview and the GitHub Security Advisory.
Workarounds
- Switch from database session storage to cache-based session storage until the upgrade can be completed
- Switching storage backends discards all existing sessions, so every user must re-authenticate; here that is desirable, because it also ends any session that survived a revocation attempt
- Where a downstream service can require re-authentication rather than silent single sign-on for sensitive operations (OpenID Connect's prompt=login asks the provider to re-authenticate the user), do so, since a replayed session does not carry the user's credentials
- Restrict network access to the authentik instance while it remains unpatched, to limit who can present a stolen or stale session
# Configuration to switch to cache-based session storage (the default)
# In your authentik configuration (the environment section of docker-compose.yml, or the .env file it reads)
AUTHENTIK_SESSION_STORAGE=cache
# A plain restart does not re-read a changed environment; recreate the containers
# so the new value takes effect (docker-compose up -d with the v1 binary)
# Note: this invalidates all existing sessions; every user must log in again
docker compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


