
CVE-2025-52553: CWE-287: Improper Authentication in goauthentik authentik

Medium
Tags: Vulnerability, CVE-2025-52553, CWE-287
Published: Fri Jun 27 2025 (06/27/2025, 15:03:13 UTC)
Source: CVE Database V5
Vendor/Project: goauthentik
Product: authentik

Description

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, however this check is missing in versions prior to 2025.6.3 and 2025.4.3. When, for example, using RAC during a screenshare, a malicious user could access the same session by copying the URL from the shown browser. authentik 2025.4.3 and 2025.6.3 fix this issue. As a workaround, it is recommended to decrease the duration a token is valid for (in the RAC Provider settings, set Connection expiry to `minutes=5` for example). The maintainers of authentik also recommend enabling the option Delete authorization on disconnect.

AI-Powered Analysis

Last updated: 06/27/2025, 15:39:41 UTC

Technical Analysis

CVE-2025-52553 is a medium-severity vulnerability classified under CWE-287 (Improper Authentication) affecting the open-source identity provider authentik, developed by goauthentik. The vulnerability exists in versions prior to 2025.4.3 and between 2025.6.0-rc1 and 2025.6.3.

The issue arises in the Remote Access Connection (RAC) endpoint authorization process. When a user authorizes access to a RAC endpoint, authentik generates a token intended for single-session use, which is transmitted to the client via the URL. However, the software fails to verify that the token is bound to the session of the user who authorized it. This missing validation allows an attacker who can observe or obtain the URL (for example, during a screenshare session) to reuse the token and gain unauthorized access to the same session. The flaw effectively enables session hijacking through token reuse without proper authentication checks. The vulnerability does not require prior authentication but does require user interaction (e.g., viewing or copying the URL).

The CVSS 4.0 base score is 5.5 (medium), reflecting network attack vector, low attack complexity, partial authentication required, user interaction needed, and high scope impact on confidentiality, integrity, and availability. The issue is fixed in authentik versions 2025.4.3 and 2025.6.3. As a mitigation, reducing the token validity duration (e.g., setting connection expiry to 5 minutes) and enabling the 'Delete authorization on disconnect' option are recommended to limit exposure. No known exploits are reported in the wild at this time.

Potential Impact

For European organizations using authentik as their identity provider, this vulnerability poses a risk of unauthorized session access, particularly in environments where RAC endpoints are used for remote access or screen sharing. An attacker who can observe or intercept the URL containing the token could impersonate the authorized user, potentially gaining access to sensitive systems or data. This could lead to confidentiality breaches, unauthorized actions, and disruption of services. The impact is heightened in sectors with stringent data protection requirements such as finance, healthcare, and government, where identity and session integrity are critical. The vulnerability could undermine trust in remote collaboration tools and identity management, increasing the risk of insider threats or external attackers exploiting social engineering or accidental information disclosure (e.g., during screen sharing). Although no active exploits are known, the ease of token capture during normal user activities makes this a practical threat if unmitigated.

Mitigation Recommendations

European organizations should promptly upgrade authentik to versions 2025.4.3 or 2025.6.3 where the vulnerability is patched. Until upgrades are applied, administrators should configure the RAC Provider settings to minimize token exposure by reducing the connection expiry time to a short duration such as 5 minutes, limiting the window for token reuse. Enabling the 'Delete authorization on disconnect' option is critical to ensure tokens are invalidated immediately after session termination. Additionally, organizations should enforce strict operational security policies around screen sharing and URL sharing, including user training to avoid exposing sensitive URLs. Network monitoring for unusual RAC session access patterns and implementing multi-factor authentication (MFA) for remote access sessions can provide additional layers of defense. Finally, reviewing logs for unauthorized access attempts and integrating authentik with centralized security information and event management (SIEM) systems can help detect exploitation attempts.
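To make the missing check concrete, here is an added Python model (not authentik's code) of a RAC connection token store with the vulnerable validator beside the session-bound one that the fix describes, together with the two workaround settings from the advisory; the session keys, timestamps and the revoke-on-disconnect semantics are assumptions.

```python
# Added model of the check behind CVE-2025-52553; illustrative only, not authentik's code.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class ConnectionToken:
    session_key: str       # browser session that authorized the RAC connection
    expires: datetime
    revoked: bool = False  # set when the authorization is deleted on disconnect

class RacTokenStore:
    def __init__(self, connection_expiry: timedelta):
        self.connection_expiry = connection_expiry  # RAC Provider "Connection expiry"
        self._tokens: dict[str, ConnectionToken] = {}

    def issue(self, session_key: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # the value that ends up in the client URL
        self._tokens[token] = ConnectionToken(session_key, now + self.connection_expiry)
        return token

    def validate_vulnerable(self, token: str, session_key: str, now: datetime) -> bool:
        # Behaviour before 2025.4.3 / 2025.6.3 as described: session_key is never compared.
        ct = self._tokens.get(token)
        return ct is not None and not ct.revoked and now < ct.expires

    def validate_fixed(self, token: str, session_key: str, now: datetime) -> bool:
        # Token is honoured only for the session that authorized the connection.
        ct = self._tokens.get(token)
        return (ct is not None and not ct.revoked and now < ct.expires
                and secrets.compare_digest(ct.session_key, session_key))

    def disconnect(self, token: str) -> None:
        # Models "Delete authorization on disconnect" (assumed semantics: revoke the token).
        if token in self._tokens:
            self._tokens[token].revoked = True

def demo() -> dict:
    # Constructed screenshare scenario: a second session presents the copied URL token.
    now = datetime(2025, 6, 27, 15, 0, tzinfo=timezone.utc)
    store = RacTokenStore(timedelta(minutes=5))  # the advisory's workaround value
    token = store.issue("owner-session", now)
    t1, t6 = now + timedelta(minutes=1), now + timedelta(minutes=6)
    r = {"copier_vulnerable": store.validate_vulnerable(token, "copier-session", t1),
         "copier_fixed": store.validate_fixed(token, "copier-session", t1),
         "owner_fixed": store.validate_fixed(token, "owner-session", t1),
         "copier_vulnerable_expired": store.validate_vulnerable(token, "copier-session", t6)}
    store.disconnect(token)
    r["copier_vulnerable_after_disconnect"] = store.validate_vulnerable(token, "copier-session", t1)
    return r
```

The `demo()` results show why the session check is the real fix: the shorter expiry and revoke-on-disconnect only shrink the window during which a copied token still works.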


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-18T03:55:52.034Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 685eb7aa6f40f0eb726448b8

Added to database: 6/27/2025, 3:24:26 PM

Last enriched: 6/27/2025, 3:39:41 PM

Last updated: 7/11/2025, 10:22:50 AM
