
CVE-2026-25748

Reported by @imlonghao

Summary

With a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider in conjunction with Traefik or Caddy as the reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set, which, depending on the application, can grant access to an attacker.

Patches

authentik 2025.10.4 and 2025.12.4 fix this issue.

Impact

Depending on the behavior of applications behind the Proxy Provider (specifically, whether they require an X-Authentik-* header to be present), attackers are potentially able to gain full access to the application.
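As an added example (not code from the advisory or from authentik), a Go middleware for an application sitting behind the Proxy Provider that fails closed: a request arriving without the forward-auth identity headers is refused rather than served, which is the application-side distinction the impact statement draws. The header names X-Authentik-Username and X-Authentik-Email are assumed here; the advisory refers to them only as X-Authentik-*.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Identity headers forward auth sets per request; the names are an assumption here.
var requiredIdentityHeaders = []string{"X-Authentik-Username", "X-Authentik-Email"}

// missingIdentityHeaders lists required headers that are absent or empty;
// a non-empty result means the request carries no forward-auth decision.
func missingIdentityHeaders(h http.Header) []string {
	var missing []string
	for _, name := range requiredIdentityHeaders {
		if h.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	return missing
}

// requireForwardAuth wraps an application handler so it fails closed:
// requests lacking the identity headers get 401 instead of being served.
func requireForwardAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(missingIdentityHeaders(r.Header)) > 0 {
			http.Error(w, "forward authentication headers missing", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request with the given headers through the middleware
// and returns the status code the protected application answered with.
func probe(headers map[string]string) int {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello " + r.Header.Get("X-Authentik-Username")))
	})
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	requireForwardAuth(app).ServeHTTP(rec, req)
	return rec.Code
}

func main() { println(probe(nil)) } // prints 401: no identity headers, request refused
```

A request that reaches the application with the headers stripped, as in the advisory's failure mode, is treated as unauthenticated rather than as an implicit login; upgrading remains the fix.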

Workarounds

There are no workarounds. If an upgrade is not possible, it is recommended to deactivate the reverse proxy entries for any applications using forward authentication until authentik can be upgraded.

For more information

If you have any questions or comments about this advisory: