CVE-2025-52553 is a medium-severity vulnerability classified under CWE-287 (Improper Authentication) affecting the open-source identity provider software authentik, developed by goauthentik. The vulnerability exists in versions prior to 2025.4.3 and between 2025.6.0-rc1 and 2025.6.3. The issue arises in the Remote Access Connection (RAC) endpoint authorization process. When a user authorizes access to a RAC endpoint, authentik generates a token intended for single-session use, which is transmitted to the client via the URL. However, the software fails to verify that the token is bound to the session of the user who authorized it. This missing validation allows an attacker who can observe or obtain the URL (for example, during a screenshare session) to reuse the token and gain unauthorized access to the same session. This flaw effectively enables session hijacking through token reuse without proper authentication checks. The vulnerability does not require prior authentication but does require user interaction (e.g., viewing or copying the URL). The CVSS 4.0 base score is 5.5 (medium), reflecting network attack vector, low attack complexity, partial authentication required, user interaction needed, and high scope impact on confidentiality, integrity, and availability. The issue is fixed in authentik versions 2025.4.3 and 2025.6.3. As a mitigation, reducing the token validity duration (e.g., setting connection expiry to 5 minutes) and enabling the 'Delete authorization on disconnect' option are recommended to limit exposure. No known exploits are reported in the wild at this time.

For European organizations using authentik as their identity provider, this vulnerability poses a risk of unauthorized session access, particularly in environments where RAC endpoints are used for remote access or screen sharing. An attacker who can observe or intercept the URL containing the token could impersonate the authorized user, potentially gaining access to sensitive systems or data. This could lead to confidentiality breaches, unauthorized actions, and disruption of services. The impact is heightened in sectors with stringent data protection requirements such as finance, healthcare, and government, where identity and session integrity are critical. The vulnerability could undermine trust in remote collaboration tools and identity management, increasing the risk of insider threats or external attackers exploiting social engineering or accidental information disclosure (e.g., during screen sharing). Although no active exploits are known, the ease of token capture during normal user activities makes this a practical threat if unmitigated.

European organizations should promptly upgrade authentik to versions 2025.4.3 or 2025.6.3 where the vulnerability is patched. Until upgrades are applied, administrators should configure the RAC Provider settings to minimize token exposure by reducing the connection expiry time to a short duration such as 5 minutes, limiting the window for token reuse. Enabling the 'Delete authorization on disconnect' option is critical to ensure tokens are invalidated immediately after session termination. Additionally, organizations should enforce strict operational security policies around screen sharing and URL sharing, including user training to avoid exposing sensitive URLs. Network monitoring for unusual RAC session access patterns and implementing multi-factor authentication (MFA) for remote access sessions can provide additional layers of defense. Finally, reviewing logs for unauthorized access attempts and integrating authentik with centralized security information and event management (SIEM) systems can help detect exploitation attempts.