CVE-2025-29928: authentik Session Revocation Vulnerability
Executive Summary

CVE-2025-29928 describes a critical vulnerability in authentik, an open-source identity provider. When authentik is configured to use database session storage (a non-default configuration), deleting user sessions through the web interface or API does not effectively revoke those sessions. Consequently, users whose sessions should have been terminated retain unauthorized