security: fix CVE-2025-29928 (#13695) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>
This commit is contained in:
gcp-cherry-pick-bot[bot]
committed by
GitHub
GitHub
parent
cc214a0eb7
commit
d6c35787b0
23
website/docs/security/cves/CVE-2025-29928.md
Normal file
23
website/docs/security/cves/CVE-2025-29928.md
Normal file
@ -0,0 +1,23 @@
|
||||
# CVE-2025-29928
|
||||
|
||||
## Deletion of sessions did not revoke sessions when using database session storage
|
||||
|
||||
### Summary
|
||||
|
||||
When authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik.
|
||||
|
||||
This also affects automatic session deletion when a user is set to inactive or a user is deleted.
|
||||
|
||||
### Patches
|
||||
|
||||
authentik 2025.2.3 and 2024.12.4 fix this issue.
|
||||
|
||||
### Workarounds
|
||||
|
||||
Switching to the cache-based session storage until the authentik instance can be upgraded is recommended.
|
||||
|
||||
### For more information
|
||||
|
||||
If you have any questions or comments about this advisory:
|
||||
|
||||
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
|
||||
Reference in New Issue
Block a user