CVE-2026-25748 is an improper authentication vulnerability (CWE-287) discovered in the open-source identity provider authentik. The issue arises when authentik is used as a forward authentication proxy in combination with reverse proxies such as Traefik or Caddy. Specifically, prior to versions 2025.10.4 and 2025.12.4, an attacker can craft a malformed cookie that bypasses the normal authentication process. When this malformed cookie is presented, authentik fails to set the expected X-Authentik-* headers that downstream applications rely on to verify authenticated sessions. The absence of these headers can lead to unauthorized access if the application trusts their presence for authentication decisions. The vulnerability is remotely exploitable without any authentication or user interaction, making it highly accessible to attackers. The flaw affects authentik versions starting from 2025.10.0-rc1 up to but not including 2025.10.4 and 2025.12.4. The CVSS v3.1 base score is 8.6, indicating a high severity due to network attack vector, low attack complexity, no privileges required, no user interaction, and a critical confidentiality impact with scope changed. No known exploits have been reported in the wild yet, but the potential for unauthorized access is significant. The issue was publicly disclosed in February 2026, and fixed versions are available, though no direct patch links were provided in the source data.

The primary impact of this vulnerability is unauthorized access to applications protected by authentik when used as a forward authentication proxy with Traefik or Caddy. Attackers can bypass authentication controls by sending a malformed cookie, potentially gaining access to sensitive data or systems that rely on authentik's authentication headers. This compromises confidentiality but does not directly affect integrity or availability. Organizations using affected versions risk data breaches, unauthorized resource access, and potential lateral movement within their networks. The ease of exploitation and remote attack vector increase the likelihood of exploitation attempts. Since authentik is often used in identity and access management, the breach of authentication mechanisms can undermine overall security postures, especially in environments relying heavily on single sign-on or proxy-based authentication. The vulnerability could be leveraged in targeted attacks against organizations with high-value assets or sensitive data, increasing the risk of espionage or data theft.

Organizations should immediately upgrade authentik to versions 2025.10.4 or 2025.12.4 where this vulnerability is fixed. Until upgrades can be applied, administrators should consider implementing additional validation on the reverse proxy (Traefik or Caddy) to detect and block malformed cookies that could trigger the bypass. Tightening access controls on applications relying on X-Authentik-* headers is recommended, including implementing fallback authentication checks or multi-factor authentication to reduce reliance on these headers alone. Monitoring logs for unusual authentication patterns or malformed cookie usage can help detect exploitation attempts. Network segmentation and limiting exposure of authentik proxy endpoints to trusted networks can reduce attack surface. Finally, conducting a thorough review of all applications that trust authentik headers is critical to ensure they do not implicitly grant access without further verification.