d6c35787b0
security: fix CVE-2025-29928 (#13695) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>
24 lines
813 B
Markdown
24 lines
813 B
Markdown
# CVE-2025-29928
|
|
|
|
## Deletion of sessions did not revoke sessions when using database session storage
|
|
|
|
### Summary
|
|
|
|
When authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik.
|
|
|
|
This also affects automatic session deletion when a user is set to inactive or a user is deleted.
|
|
|
|
### Patches
|
|
|
|
authentik 2025.2.3 and 2024.12.4 fix this issue.
|
|
|
|
### Workarounds
|
|
|
|
Switching to the cache-based session storage until the authentik instance can be upgraded is recommended.
|
|
|
|
### For more information
|
|
|
|
If you have any questions or comments about this advisory:
|
|
|
|
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
|