* website/docs: configuration: remove deprecated key for session storage location
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update default.yml
  Signed-off-by: Dominic R <dominic@sdko.org>
* cve fix
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update CVE-2025-29928.md
  Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
  Signed-off-by: Dominic R <dominic@sdko.org>
* add
* Update website/docs/security/cves/CVE-2025-29928.md
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/docs/security/cves/CVE-2025-29928.md
  Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/docs/install-config/configuration/configuration.mdx
  Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/docs/install-config/configuration/configuration.mdx
  Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/docs/security/cves/CVE-2025-29928.md
  Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/docs/security/cves/CVE-2025-29928.md
  Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/docs/security/cves/CVE-2025-29928.md
  Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* Update website/docs/security/cves/CVE-2025-29928.md
  Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* bump build

---------

Signed-off-by: Dominic R <dominic@sdko.org>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tana@goauthentik.io>
# CVE-2025-29928
## Deletion of sessions did not revoke sessions when using database session storage
### ADDENDUM May 30, 2025
As of version 2025.4, the option to store sessions in cache has been removed; sessions are now exclusively stored in the database. See our [2025.4 release notes](../../releases/2025.4#sessions-are-now-stored-in-the-database) for more information.
### Summary
When authentik was configured to use the database for session storage (a non-default setting), deleting sessions via the web interface or the API did not revoke them: the session holder continued to have access to authentik.
This also affects the automatic deletion of sessions that occurs when a user is set to inactive or a user is deleted.
The session backend was configured via the `AUTHENTIK_SESSION_STORAGE` setting, which was removed in version 2025.4.
### Patches
authentik 2025.2.3 and 2024.12.4 fix this issue.
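The advisory's defect is that deleting a session record did not stop the corresponding cookie from being accepted. The script below is an added example (not part of this advisory and not authentik's own code) of the check an operator can run after upgrading to a fixed release: confirm that a session still works, delete it through the API the way the web interface does, then confirm the same cookie is now rejected. It assumes the endpoint paths `/api/v3/core/users/me/`, `/api/v3/core/authenticated_sessions/` (with a `current` flag on the caller's own session) and `DELETE /api/v3/core/authenticated_sessions/<uuid>/`, plus the cookie name `authentik_session`; verify these against your version. `FakeAuthentik` is a constructed in-memory stand-in so the check can be exercised offline in both the fixed and the pre-fix behaviour.

```python
"""Post-upgrade check: does deleting a session through the API actually revoke it?

Added example, not authentik code. Endpoint paths, the `current` flag and the
cookie name `authentik_session` are assumptions to verify against your release.
"""
import json
import urllib.error
import urllib.request


def http_fetch(method, url, headers=None, body=None):
    """Minimal transport for a real instance: returns (status, parsed JSON or None)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def check_session_revoked(base_url, admin_token, session_cookie, fetch=http_fetch):
    """True if the session behind `session_cookie` stops working once an admin
    deletes it via the API; False if it keeps working (the behaviour the advisory describes)."""
    cookie_hdr = {"Cookie": f"authentik_session={session_cookie}"}
    admin_hdr = {"Authorization": f"Bearer {admin_token}"}
    api = f"{base_url.rstrip('/')}/api/v3"

    # 1. The cookie must be a live session before we start, or the check proves nothing.
    status, _ = fetch("GET", f"{api}/core/users/me/", cookie_hdr)
    if status != 200:
        raise RuntimeError(f"session cookie not accepted before deletion (HTTP {status})")

    # 2. Identify this very session through the `current` flag in the listing.
    status, listing = fetch("GET", f"{api}/core/authenticated_sessions/", cookie_hdr)
    if status != 200:
        raise RuntimeError(f"could not list sessions (HTTP {status})")
    current = [s for s in listing.get("results", []) if s.get("current")]
    if len(current) != 1:
        raise RuntimeError("could not identify the current session in the listing")
    uuid = current[0]["uuid"]

    # 3. Delete it with an admin token, the same operation the web interface performs.
    status, _ = fetch("DELETE", f"{api}/core/authenticated_sessions/{uuid}/", admin_hdr)
    if status not in (200, 204):
        raise RuntimeError(f"deletion failed (HTTP {status})")

    # 4. The cookie must now be rejected; a 200 here means deletion did not revoke.
    status, _ = fetch("GET", f"{api}/core/users/me/", cookie_hdr)
    return status != 200


class FakeAuthentik:
    """Constructed offline stand-in for the three endpoints above.
    revokes_on_delete=False mimics the pre-fix behaviour: the session disappears
    from the listing but the cookie keeps authenticating."""

    def __init__(self, revokes_on_delete):
        self.revokes_on_delete = revokes_on_delete
        # constructed sample session: cookie value -> session record
        self.sessions = {"cookie-abc": {"uuid": "00000000-0000-0000-0000-0000000000aa", "user": "alice"}}
        self.listing = dict(self.sessions)  # what the API lists and deletes from

    def __call__(self, method, url, headers=None, body=None):
        path = url.split("/api/v3", 1)[1]
        cookie = (headers or {}).get("Cookie", "").removeprefix("authentik_session=")
        is_admin = (headers or {}).get("Authorization") == "Bearer admin-token"
        if path == "/core/users/me/":
            rec = self.sessions.get(cookie)
            return (200, {"user": {"username": rec["user"]}}) if rec else (403, None)
        if path == "/core/authenticated_sessions/" and method == "GET":
            if cookie not in self.sessions:
                return 403, None
            results = [{"uuid": v["uuid"], "current": k == cookie} for k, v in self.listing.items()]
            return 200, {"results": results}
        if path.startswith("/core/authenticated_sessions/") and method == "DELETE":
            if not is_admin:
                return 403, None
            uuid = path.rsplit("/", 2)[1]
            for key, rec in list(self.listing.items()):
                if rec["uuid"] == uuid:
                    del self.listing[key]
                    if self.revokes_on_delete:
                        self.sessions.pop(key, None)
            return 204, None
        return 404, None


if __name__ == "__main__":
    for revokes in (True, False):
        result = check_session_revoked("https://fake", "admin-token", "cookie-abc", FakeAuthentik(revokes))
        print(f"fake server revokes on delete={revokes}: check reports revoked={result}")
```

Against a real instance, call `check_session_revoked(base_url, admin_token, session_cookie)` with the default `http_fetch`, using a cookie from a throwaway browser session and an API token for an admin; the session used for the check is consumed either way, so do not run it with the session you are working from.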
### Workarounds
Until the authentik instance can be upgraded, switching to the cache-based session storage is recommended. This will, however, also delete all existing sessions, and users will have to re-authenticate.
### For more information
If you have any questions or comments about this advisory:
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).