From 7100d3c6741853f1cfe3ea2073ba01823ab55caa Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Fri, 27 Jun 2025 15:26:39 +0200
Subject: [PATCH] security: fix CVE-2025-52553 (#15289)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 authentik/providers/rac/consumer_client.py   |  5 +++-
 authentik/providers/rac/tests/test_views.py  | 19 ++++++++++++++
 authentik/providers/rac/views.py             |  5 +++-
 website/docs/security/cves/CVE-2025-52553.md | 27 ++++++++++++++++++++
 website/sidebars/docs.mjs                    |  2 +-
 5 files changed, 55 insertions(+), 3 deletions(-)
 create mode 100644 website/docs/security/cves/CVE-2025-52553.md

diff --git a/authentik/providers/rac/consumer_client.py b/authentik/providers/rac/consumer_client.py
index b55059ec20..02221ecfe7 100644
--- a/authentik/providers/rac/consumer_client.py
+++ b/authentik/providers/rac/consumer_client.py
@@ -66,7 +66,10 @@ class RACClientConsumer(AsyncWebsocketConsumer):
     def init_outpost_connection(self):
         """Initialize guac connection settings"""
         self.token = (
-            ConnectionToken.filter_not_expired(token=self.scope["url_route"]["kwargs"]["token"])
+            ConnectionToken.filter_not_expired(
+                token=self.scope["url_route"]["kwargs"]["token"],
+                session__session__session_key=self.scope["session"].session_key,
+            )
             .select_related("endpoint", "provider", "session", "session__user")
             .first()
         )
diff --git a/authentik/providers/rac/tests/test_views.py b/authentik/providers/rac/tests/test_views.py
index 80778d2ebc..39dff1bd3c 100644
--- a/authentik/providers/rac/tests/test_views.py
+++ b/authentik/providers/rac/tests/test_views.py
@@ -87,3 +87,22 @@ class TestRACViews(APITestCase):
         )
         body = loads(flow_response.content)
         self.assertEqual(body["component"], "ak-stage-access-denied")
+
+    def test_different_session(self):
+        """Test request"""
+        self.client.force_login(self.user)
+        response = self.client.get(
+            reverse(
+                "authentik_providers_rac:start",
+                kwargs={"app": self.app.slug, "endpoint": str(self.endpoint.pk)},
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        flow_response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        )
+        body = loads(flow_response.content)
+        next_url = body["to"]
+        self.client.logout()
+        final_response = self.client.get(next_url)
+        self.assertEqual(final_response.url, reverse("authentik_core:if-user"))
diff --git a/authentik/providers/rac/views.py b/authentik/providers/rac/views.py
index b9a5b5f8a9..334edba760 100644
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@@ -68,7 +68,10 @@ class RACInterface(InterfaceView):
 
     def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
         # Early sanity check to ensure token still exists
-        token = ConnectionToken.filter_not_expired(token=self.kwargs["token"]).first()
+        token = ConnectionToken.filter_not_expired(
+            token=self.kwargs["token"],
+            session__session__session_key=request.session.session_key,
+        ).first()
         if not token:
             return redirect("authentik_core:if-user")
         self.token = token
diff --git a/website/docs/security/cves/CVE-2025-52553.md b/website/docs/security/cves/CVE-2025-52553.md
new file mode 100644
index 0000000000..36a91fa05f
--- /dev/null
+++ b/website/docs/security/cves/CVE-2025-52553.md
@@ -0,0 +1,27 @@
+# CVE-2025-52553
+
+_Reported by [SPIEGEL-Verlag](https://gruppe.spiegel.de)_
+
+## Insufficient Session verification for Remote Access Control endpoint access
+
+### Summary
+
+After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, however this check is currently missing.
+
+### Patches
+
+authentik 2025.4.3 and 2025.6.3 fix this issue.
+
+### Impact
+
+When for example using RAC during a screenshare, a malicious user could access the same session by copying the URL from the shown browser.
+
+### Workarounds
+
+As a workaround it is recommended to decrease the duration a token is valid for (in the RAC Provider settings, set **Connection expiry** to `minutes=5` for example). We also recommend enabling the option **Delete authorization on disconnect**.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
diff --git a/website/sidebars/docs.mjs b/website/sidebars/docs.mjs
index 3f853cf68b..4e20a6f737 100644
--- a/website/sidebars/docs.mjs
+++ b/website/sidebars/docs.mjs
@@ -710,7 +710,7 @@ const items = [
                     {
                         type: "category",
                         label: "2025",
-                        items: ["security/cves/CVE-2025-29928"],
+                        items: ["security/cves/CVE-2025-52553", "security/cves/CVE-2025-29928"],
                     },
                     {
                         type: "category",