24 lines
813 B
Markdown
24 lines
813 B
Markdown
# CVE-2025-29928
|
|
|
|
## Deletion of sessions did not revoke sessions when using database session storage
|
|
|
|
### Summary
|
|
|
|
When authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik.
|
|
|
|
This also affects automatic session deletion when a user is set to inactive or a user is deleted.
|
|
|
|
### Patches
|
|
|
|
authentik 2025.2.3 and 2024.12.4 fix this issue.
|
|
|
|
### Workarounds
|
|
|
|
Switching to the cache-based session storage until the authentik instance can be upgraded is recommended.
|
|
|
|
### For more information
|
|
|
|
If you have any questions or comments about this advisory:
|
|
|
|
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
|