* website/docs: add reference to setting in CVE

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* reword

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
26 lines
1.1 KiB
Markdown
# CVE-2025-29928
## Deletion of sessions did not revoke sessions when using database session storage
### Summary
When authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik.
This also affects automatic session deletion when a user is set to inactive or a user is deleted.
The session backend is configured via [this](../../install-config/configuration/configuration.mdx#authentik_session_storage) setting; if this setting isn't set, sessions are stored in the cache (Redis), which is not affected by this issue.
### Patches
authentik 2025.2.3 and 2024.12.4 fix this issue.
### Workarounds
Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. Note that switching backends also discards all existing sessions, so users will have to re-authenticate.
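As an added example (not part of the advisory or the authentik code base), the following Python script decides whether a given instance is exposed, combining the patched versions listed above with the session-storage setting. It assumes the setting is read from the `AUTHENTIK_SESSION_STORAGE` environment variable with the values `cache` (the default) and `db`, which this page does not spell out, and it assumes that release series newer than 2025.2 carry the fix; the version strings used in the example are constructed.

```python
"""Added example: assess exposure to CVE-2025-29928 from an authentik
version string and the session-storage setting.

Assumptions not stated on the advisory page: the setting is the environment
variable AUTHENTIK_SESSION_STORAGE with values "cache" (default) or "db",
and release series after 2025.2 include the fix.
"""
import os
import re
from typing import Optional, Tuple

# Releases the advisory names as containing the fix, keyed by release series.
FIXED_VERSIONS = {
    (2024, 12): (2024, 12, 4),
    (2025, 2): (2025, 2, 3),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse authentik's 'YYYY.M.P' version scheme into a comparable tuple.

    Pre-release or build suffixes (e.g. '-rc1') are ignored, so a release
    candidate compares as the base release it precedes.
    """
    m = re.fullmatch(r"(\d{4})\.(\d{1,2})\.(\d{1,3})(?:[-+.].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised authentik version: {version!r}")
    year, minor, patch = (int(x) for x in m.groups())
    return (year, minor, patch)


def uses_database_sessions(session_storage: Optional[str]) -> bool:
    """True when sessions are kept in the database (the affected, non-default mode).

    An unset or empty value means the default cache backend, which is not
    affected by this issue.
    """
    return (session_storage or "cache").strip().lower() == "db"


def is_patched(version: str) -> bool:
    """True when the version is at or above the fixed release for its series."""
    v = parse_version(version)
    series = (v[0], v[1])
    if series in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[series]
    # Assumption: series newer than 2025.2 carry the fix; anything older
    # than the listed releases has no fixed version named on the advisory.
    return series > (2025, 2)


def is_affected(version: str, session_storage: Optional[str]) -> bool:
    """Exposure requires both database session storage and an unpatched version."""
    return uses_database_sessions(session_storage) and not is_patched(version)


def assess(version: str, session_storage: Optional[str]) -> str:
    """Human-readable verdict with the recommended action from the advisory."""
    if not uses_database_sessions(session_storage):
        return "not affected: sessions are stored in the cache"
    if is_patched(version):
        return f"not affected: {version} contains the fix"
    return (f"AFFECTED: {version} with database session storage; upgrade, "
            "or switch to cache-based storage (existing sessions will be dropped)")


def assess_from_env(version: str) -> str:
    """Read the session-storage setting from the environment and assess."""
    return assess(version, os.environ.get("AUTHENTIK_SESSION_STORAGE"))


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for ver, storage in [("2025.2.2", "db"), ("2025.2.3", "db"),
                         ("2024.12.3", "db"), ("2024.12.3", None)]:
        print(f"{ver:>10} / {storage or '(unset)':<7} -> {assess(ver, storage)}")
```

Run the script directly to see the verdict for each constructed input; in practice you would pass the deployed version and let `assess_from_env` pick up the setting from the same environment authentik reads.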
### For more information
If you have any questions or comments about this advisory:
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).