CVE-2025-29928
Published: 28 March 2025
Description
Adversaries can use stolen session cookies to authenticate to web applications and services.
Security Summary
CVE-2025-29928 affects authentik, an open-source identity provider, specifically in configurations using database-backed session storage, which is non-default. In versions prior to 2024.12.4 and 2025.2.3, attempts to delete sessions through the web interface or API fail to revoke them, allowing the session holder to retain unauthorized access to authentik. The vulnerability is classified under CWE-384 (Session Fixation) with a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, changed scope, and significant confidentiality and integrity impacts.
Attackers require no privileges (PR:N) but must overcome high complexity (AC:H) and rely on user interaction (UI:R), such as tricking an administrator or user into performing a session deletion action via the interface or API. Successful exploitation enables persistent access for a compromised session despite revocation efforts, potentially allowing unauthorized data access or modifications with high confidentiality and integrity consequences.
The authentik security advisory (GHSA-p6p8-f853-9g2p) and related commit (71294b7deb6eb5726a782de83b957eaf25fc4cf6) confirm fixes in versions 2024.12.4 and 2025.2.3. As a temporary mitigation, administrators should switch to cache-based session storage, though this invalidates all existing sessions and requires user re-authentication. Upgrading to a patched version is the permanent solution.
Details
- CWE(s): CWE-384 (Session Fixation)
- Affected Products: authentik versions prior to 2024.12.4 and 2025.2.3 (configurations using database-backed session storage)
- MITRE ATT&CK Enterprise Techniques: Valid Accounts; Web Session Cookie
Why these techniques?
The vulnerability prevents session revocation on delete, directly enabling persistent use of compromised valid accounts and web session cookies despite revocation attempts.
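A defender's check for the behaviour this advisory describes, added here as an example and not part of the advisory or of authentik's code: it scans constructed key=value log lines (an assumed format, not authentik's event schema) and flags every request that carries a session identifier after that session's deletion event, which is the observable trace of a revocation that did not take effect. The event names, field names and paths are assumptions for this example.

```python
"""Flag session use after a session_deleted event (post-revocation use)."""
from datetime import datetime

# Constructed sample log; format, event names and paths are assumptions.
SAMPLE_LOG = """\
ts=2025-03-28T10:00:00Z event=login session=s1 user=alice src=10.0.0.5
ts=2025-03-28T10:05:00Z event=request session=s1 user=alice src=10.0.0.5 path=/admin/
ts=2025-03-28T10:10:00Z event=session_deleted session=s1 user=alice src=10.0.0.9
ts=2025-03-28T10:12:00Z event=request session=s1 user=alice src=10.0.0.5 path=/admin/users/
ts=2025-03-28T10:13:00Z event=login session=s2 user=bob src=10.0.0.7
ts=2025-03-28T10:14:00Z event=session_deleted session=s2 user=bob src=10.0.0.7
ts=2025-03-28T10:20:00Z event=request session=s2 user=bob src=10.0.0.7 path=/profile/
ts=2025-03-28T10:21:00Z event=request session=s3 user=carol src=10.0.0.8 path=/profile/
"""


def parse_line(line):
    """Split 'k=v k=v ...' into a dict and turn the ts field into a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    return fields


def find_post_revocation_use(log_text, grace_seconds=0):
    """Return one finding per request seen after its session was deleted.

    grace_seconds tolerates in-flight requests that legitimately race the
    deletion; anything later than that is treated as a revocation failure.
    """
    deleted_at = {}   # session id -> time of the session_deleted event
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec["session"]
        if rec["event"] == "session_deleted":
            deleted_at[sid] = rec["ts"]
        elif rec["event"] == "request" and sid in deleted_at:
            lag = (rec["ts"] - deleted_at[sid]).total_seconds()
            if lag > grace_seconds:
                findings.append({
                    "session": sid, "user": rec["user"], "src": rec["src"],
                    "path": rec.get("path"), "seconds_after_delete": lag,
                })
    return findings


if __name__ == "__main__":
    for f in find_post_revocation_use(SAMPLE_LOG):
        print(f)
```

Run against the sample, both s1 and s2 are flagged (120 s and 360 s after deletion); on a patched instance such hits should not occur at all, so any finding after the upgrade is worth investigating.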