CVE-2025-52553: authentik RAC Token Exposure Vulnerability
This blog post discusses a vulnerability in authentik, an open-source identity provider, that could allow unauthorized access to user sessions. Specifically, the vulnerability resides in how Remote Access Credentials (RAC) tokens are handled. Let's dive into the details.
Vulnerability Details
- CVE ID: CVE-2025-52553
- Description: authentik versions prior to 2025.6.3 and 2025.4.3 incorrectly validate RAC tokens. When a user authorizes access to a RAC endpoint, authentik creates a token which is used for a single connection and included in the URL. Due to a missing check, this token can be used by other users if they obtain the URL, potentially granting them access to the original user's session.
- CVSS Score and Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, Base Score: 5.5 (Medium). In this CVSS 4.0 vector the vulnerable system impact metrics (VC/VI/VA) are all None while the subsequent system impact metrics (SC/SI/SA) are all High: authentik itself is not directly degraded, but the resources reached through a hijacked RAC session can have their confidentiality, integrity, and availability compromised. Exploitation needs no privileges (PR:N), but it does require active user interaction (UI:A) and specific attack requirements to be met (AT:P), which keeps the score in the Medium range.
- Exploit Requirements: The attacker needs to obtain the URL containing the RAC token, typically through social engineering or observing a screenshare. User interaction is required as the victim needs to initiate the RAC connection and potentially share the URL.
- Affected Vendor, Product, Version:
  - Vendor: Goauthentik
  - Product: authentik
  - Versions: Prior to 2025.6.3 and 2025.4.3
- CWE: CWE-287 - Improper Authentication. This means the system does not adequately verify the identity of a user or process, allowing unauthorized access.
Timeline of Events
- Date of Vulnerability Discovery: Unknown
- Date of Patch Release: 2025-06-XX (Implied by fix versions)
- CVE Assigned: 2025-06-27
Exploitability & Real-World Risk
The exploitability of this vulnerability is moderate. An attacker would need to gain access to the URL containing the RAC token. In a real-world scenario, this could happen during a screenshare where the URL is visible or if a user inadvertently shares the URL. The risk is significant if authentik is used to protect sensitive resources, as an attacker could potentially gain unauthorized access to those resources by hijacking the RAC session.
Recommendations
- Upgrade: Upgrade to authentik version 2025.6.3 or 2025.4.3, or later.
- Workaround: Reduce the token validity period in the RAC Provider settings (e.g., set Connection expiry to `minutes=5`) so that a leaked URL stops working sooner.
- Enable Delete Authorization on Disconnect: Enable the option to delete authorization on disconnect in the RAC Provider settings.
Technical Insight
The vulnerability stems from a missing check that validates whether the RAC token is being used by the same user who initially authorized the connection. This allows an attacker who obtains the token to bypass the authentication process and impersonate the original user.
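To make the missing check concrete, here is an added illustration (not authentik's code) of a single-connection token store: the unpatched validator only checks existence and expiry, while the patched validator also requires the requesting user to match the user who authorized the connection. The class names, the in-memory store, the single-use flag and the sample users are assumptions made for this example; the short validity and delete-on-disconnect paths mirror the two workarounds above.

```python
# Added example (not authentik's code): a minimal model of how a single-connection
# RAC token should be validated. The class names, the in-memory store and the
# sample users are constructed for illustration only.
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class RacToken:
    user: str          # the user who authorized the connection
    expires_at: float  # unix timestamp after which the token is dead
    used: bool = False # single-connection token: accept it once


@dataclass
class RacTokenStore:
    tokens: dict = field(default_factory=dict)

    def issue(self, user, validity_s=300, now=None):
        # The token value is what ends up in the connection URL; bind it to the
        # authorizing user and give it a short lifetime (the "Connection expiry" workaround).
        key = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.tokens[key] = RacToken(user=user, expires_at=now + validity_s)
        return key

    def validate_unpatched(self, key, requesting_user, now=None):
        # Mirrors the flaw: the user binding is never compared, so anyone holding
        # the URL is accepted for as long as the token is unexpired.
        tok = self.tokens.get(key)
        now = time.time() if now is None else now
        return tok is not None and now < tok.expires_at

    def validate_patched(self, key, requesting_user, now=None):
        # Fix: accept the token only from the user who authorized it, only once,
        # and only while it is unexpired.
        tok = self.tokens.get(key)
        now = time.time() if now is None else now
        if tok is None or tok.used or now >= tok.expires_at:
            return False
        if tok.user != requesting_user:
            return False
        tok.used = True
        return True

    def disconnect(self, key):
        # "Delete authorization on disconnect": drop the token when the session ends,
        # so a leaked URL is worthless afterwards even against the unpatched validator.
        self.tokens.pop(key, None)
```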
Credit to Researcher(s)
GitHub Security Advisory
References
- Commit 0e07414e9739b318cff9401a413a5fe849545325: https://github.com/goauthentik/authentik/commit/0e07414e9739b318cff9401a413a5fe849545325
- Commit 65373ab21711d58147b5cb9276c5b5876baaa5eb: https://github.com/goauthentik/authentik/commit/65373ab21711d58147b5cb9276c5b5876baaa5eb
- Commit 7100d3c6741853f1cfe3ea2073ba01823ab55caa: https://github.com/goauthentik/authentik/commit/7100d3c6741853f1cfe3ea2073ba01823ab55caa
- GitHub Security Advisory GHSA-wr3v-9p2c-chx7: https://github.com/goauthentik/authentik/security/advisories/GHSA-wr3v-9p2c-chx7
Tags
authentik, CVE-2025-52553, RAC, Token, Vulnerability, Security, Authentication, Identity Provider
Summary: A vulnerability exists in authentik versions prior to 2025.6.3 and 2025.4.3 related to improper RAC token validation. An attacker could potentially gain unauthorized access to a user's session by obtaining and using the RAC token from the URL. Upgrade to the latest version or implement the provided workarounds to mitigate this risk.
CVE ID: CVE-2025-52553
Risk Analysis: The risk is significant if authentik is used to protect sensitive data or resources. Successful exploitation could allow an attacker to gain unauthorized access to those resources, potentially leading to data breaches, financial loss, or reputational damage. The business impact depends on the sensitivity of the data protected by authentik.
Recommendation: Upgrade to authentik version 2025.6.3 or 2025.4.3 or later. As a workaround, decrease the duration a token is valid for in the RAC Provider settings and enable the option to delete authorization on disconnect.
Timeline
- 2025-06-XX: Patch released in versions 2025.6.3 and 2025.4.3
- 2025-06-27: CVE ID assigned