Summary
With a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker.
Patches
authentik 2025.10.4 and 2025.12.4 fix this issue.
Impact
Depending on the behavior of applications (based on if they require an X-Authentik header being present) behind the Proxy Provider, attackers are potentially able to gain full access to the application.
Workarounds
There are no workarounds. If an upgrade is not possible, it is recommended to deactivate the reverse proxy entries for any applications using forward authentication until authentik can be upgraded.
For more information
If you have any questions or comments about this advisory:
imlonghao Reporter
Summary
With a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific
X-Authentik-*headers were set which depending on application can grant access to an attacker.Patches
authentik 2025.10.4 and 2025.12.4 fix this issue.
Impact
Depending on the behavior of applications (based on if they require an
X-Authentikheader being present) behind the Proxy Provider, attackers are potentially able to gain full access to the application.Workarounds
There are no workarounds. If an upgrade is not possible, it is recommended to deactivate the reverse proxy entries for any applications using forward authentication until authentik can be upgraded.
For more information
If you have any questions or comments about this advisory: