CVE-2025-52553: CWE-287: Improper Authentication in goauthentik authentik
authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to be valid only for the session of the user who authorized the connection; however, this check is missing in versions prior to 2025.6.3 and 2025.4.3. When, for example, using RAC during a screenshare, a malicious user could access the same session by copying the URL from the shown browser. authentik 2025.4.3 and 2025.6.3 fix this issue. As a workaround, it is recommended to decrease the duration a token is valid for (in the RAC Provider settings, set Connection expiry to `minutes=5` for example). The maintainers of authentik also recommend enabling the option Delete authorization on disconnect.
AI Analysis
Technical Summary
CVE-2025-52553 is a medium-severity vulnerability classified under CWE-287 (Improper Authentication) affecting the open-source identity provider software authentik, developed by goauthentik. The vulnerability exists in versions prior to 2025.4.3 and between 2025.6.0-rc1 and 2025.6.3. The issue arises in the Remote Access Connection (RAC) endpoint authorization process. When a user authorizes access to a RAC endpoint, authentik generates a token intended for single-session use, which is transmitted to the client via the URL. However, the software fails to verify that the token is bound to the session of the user who authorized it. This missing validation allows an attacker who can observe or obtain the URL (for example, during a screenshare session) to reuse the token and gain unauthorized access to the same session. This flaw effectively enables session hijacking through token reuse without proper authentication checks. The vulnerability does not require prior authentication but does require user interaction (e.g., viewing or copying the URL). The CVSS 4.0 base score is 5.5 (medium), reflecting network attack vector, low attack complexity, partial authentication required, user interaction needed, and high scope impact on confidentiality, integrity, and availability. The issue is fixed in authentik versions 2025.4.3 and 2025.6.3. As a mitigation, reducing the token validity duration (e.g., setting connection expiry to 5 minutes) and enabling the 'Delete authorization on disconnect' option are recommended to limit exposure. No known exploits are reported in the wild at this time.
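To make the missing check concrete, the following is an added illustrative model (not authentik's own code) of a RAC connection-token lookup: the pre-fix lookup accepts any holder of the URL token, while the fixed lookup also binds the token to the authorizing session, enforces the short expiry the workaround recommends, and drops the token on disconnect. The `TokenStore` class, its methods and the sample sessions are constructed for this example.

```python
# Constructed model of a RAC connection-token lookup; not authentik's code.
from collections import namedtuple
from datetime import datetime, timedelta, timezone
import secrets

ConnectionToken = namedtuple("ConnectionToken", "user session_key expires")  # session_key: authorizer's session

class TokenStore:
    def __init__(self, expiry=timedelta(minutes=5)):  # the "Connection expiry" setting
        self._tokens = {}
        self.expiry = expiry

    def authorize(self, user, session_key, now):
        # Issued when the user authorizes the endpoint; the key is sent in the URL.
        key = secrets.token_urlsafe(32)
        self._tokens[key] = ConnectionToken(user, session_key, now + self.expiry)
        return key

    def connect_vulnerable(self, key):
        # Pre-fix behaviour: whoever presents the URL token is connected.
        tok = self._tokens.get(key)
        return tok.user if tok else None

    def connect_fixed(self, key, session_key, now):
        # Fix: token must exist, be unexpired and belong to the authorizing session.
        tok = self._tokens.get(key)
        if tok is None or tok.expires <= now:
            return None
        if not secrets.compare_digest(tok.session_key, session_key):
            return None
        return tok.user

    def disconnect(self, key):
        # "Delete authorization on disconnect": the token cannot be reused.
        self._tokens.pop(key, None)

def demo():
    # Constructed walk-through: alice authorizes, a second session replays the URL.
    store, t0 = TokenStore(), datetime(2025, 6, 27, 12, 0, tzinfo=timezone.utc)
    key = store.authorize("alice", "sess-alice", t0)
    results = {
        "vulnerable_other_session": store.connect_vulnerable(key),
        "fixed_other_session": store.connect_fixed(key, "sess-other", t0),
        "fixed_own_session": store.connect_fixed(key, "sess-alice", t0),
        "fixed_after_expiry": store.connect_fixed(key, "sess-alice", t0 + timedelta(minutes=6)),
    }
    key2 = store.authorize("alice", "sess-alice", t0)
    store.disconnect(key2)
    results["fixed_after_disconnect"] = store.connect_fixed(key2, "sess-alice", t0)
    return results
```

With the session binding in place, a copied URL presented from any other session is refused, and the expiry and disconnect settings bound how long a leaked token stays usable even before the upgrade.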
Potential Impact
For European organizations using authentik as their identity provider, this vulnerability poses a risk of unauthorized session access, particularly in environments where RAC endpoints are used for remote access or screen sharing. An attacker who can observe or intercept the URL containing the token could impersonate the authorized user, potentially gaining access to sensitive systems or data. This could lead to confidentiality breaches, unauthorized actions, and disruption of services. The impact is heightened in sectors with stringent data protection requirements such as finance, healthcare, and government, where identity and session integrity are critical. The vulnerability could undermine trust in remote collaboration tools and identity management, increasing the risk of insider threats or external attackers exploiting social engineering or accidental information disclosure (e.g., during screen sharing). Although no active exploits are known, the ease of token capture during normal user activities makes this a practical threat if unmitigated.
Mitigation Recommendations
European organizations should promptly upgrade authentik to versions 2025.4.3 or 2025.6.3 where the vulnerability is patched. Until upgrades are applied, administrators should configure the RAC Provider settings to minimize token exposure by reducing the connection expiry time to a short duration such as 5 minutes, limiting the window for token reuse. Enabling the 'Delete authorization on disconnect' option is critical to ensure tokens are invalidated immediately after session termination. Additionally, organizations should enforce strict operational security policies around screen sharing and URL sharing, including user training to avoid exposing sensitive URLs. Network monitoring for unusual RAC session access patterns and implementing multi-factor authentication (MFA) for remote access sessions can provide additional layers of defense. Finally, reviewing logs for unauthorized access attempts and integrating authentik with centralized security information and event management (SIEM) systems can help detect exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-18T03:55:52.034Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 685eb7aa6f40f0eb726448b8
Added to database: 6/27/2025, 3:24:26 PM
Last enriched: 6/27/2025, 3:39:41 PM
Last updated: 7/11/2025, 10:22:50 AM