authentik Insufficient Session Verification Vulnerability in Remote Access Control Endpoint

Vulnerability

A vulnerability exists in authentik, an open-source identity provider, in versions prior to 2025.6.3 and 2025.4.3. The issue arises in the Remote Access Control (RAC) endpoint, where a token created after authorizing access is sent to the client via the URL. This token is meant to be valid only for the session of the user who authorized the connection. However, the session validation check is missing, allowing a malicious user to copy the URL from a shared browser session and access the same session. This vulnerability could be exploited during activities like screensharing, where the URL containing the token is visible.

Impact

Exploitation of this vulnerability allows a malicious user to hijack a session by copying the URL containing the access token from a shared browser view, such as during screensharing.

Reproduction

To reproduce this vulnerability, authorize access to a RAC endpoint. Once the token is generated and sent via the URL, a malicious user can copy this URL from the browser. If the token is used to access the same session, it demonstrates the vulnerability. This can be tested by sharing the screen while the RAC session is active, allowing the URL to be seen and copied.

Remediation

Users can upgrade to authentik versions 2025.4.3 or 2025.6.3, which address this vulnerability. As an additional step, it is recommended to reduce the token's validity duration in the RAC Provider settings and to enable the option to delete authorization on disconnect.
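As an added illustration (not authentik's code and not taken from the advisory), the following hypothetical Python model contrasts the missing check described in the Vulnerability section with a token lookup that is bound to the authorizing session, and also models the two mitigations from the Remediation section: a short token validity window and revocation of the authorization on disconnect. All names here (TokenStore, validate_unbound, validate_bound, TOKEN_TTL_SECONDS, the session ids and timestamps) are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed value for the example: a short validity window, in line with the
# advisory's recommendation to reduce the token's validity duration.
TOKEN_TTL_SECONDS = 60.0


@dataclass
class ConnectionToken:
    value: str
    session_id: str       # the session that authorized the connection
    issued_at: float
    ttl: float = TOKEN_TTL_SECONDS
    revoked: bool = False

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.ttl


class TokenStore:
    """Hypothetical store for connection tokens handed to the client via the URL."""

    def __init__(self) -> None:
        self._tokens: Dict[str, ConnectionToken] = {}

    def issue(self, session_id: str, now: float) -> str:
        """Create a token after the user authorizes access; remember who authorized it."""
        value = secrets.token_urlsafe(32)
        self._tokens[value] = ConnectionToken(value, session_id, now)
        return value

    def _lookup(self, token: str, now: float) -> Optional[ConnectionToken]:
        t = self._tokens.get(token)
        if t is None or t.revoked or t.expired(now):
            return None
        return t

    # Vulnerable pattern: only the token from the URL is checked. The caller's
    # session id is received but never compared, so anyone who copies the URL
    # (for example from a shared screen) is accepted.
    def validate_unbound(self, token: str, session_id: str, now: float) -> bool:
        return self._lookup(token, now) is not None

    # Fixed pattern: the token is additionally bound to the session that
    # authorized it, so the same URL presented from another session is refused.
    def validate_bound(self, token: str, session_id: str, now: float) -> bool:
        t = self._lookup(token, now)
        if t is None:
            return False
        return secrets.compare_digest(t.session_id, session_id)

    # "Delete authorization on disconnect": once the RAC session ends, the token
    # is revoked so a copied URL cannot be replayed afterwards.
    def on_disconnect(self, token: str) -> None:
        t = self._tokens.get(token)
        if t is not None:
            t.revoked = True


def demo() -> Dict[str, bool]:
    """Run the constructed scenario and return each check's outcome."""
    store = TokenStore()
    t0 = 1000.0  # constructed clock value
    owner = "session-of-authorizing-user"
    other = "session-of-another-user"
    token = store.issue(owner, t0)
    results = {
        "unbound_owner": store.validate_unbound(token, owner, t0 + 1),
        "unbound_other": store.validate_unbound(token, other, t0 + 1),   # accepted: the bug
        "bound_owner": store.validate_bound(token, owner, t0 + 1),
        "bound_other": store.validate_bound(token, other, t0 + 1),       # refused: the fix
        "bound_expired": store.validate_bound(token, owner, t0 + TOKEN_TTL_SECONDS),
    }
    store.on_disconnect(token)
    results["bound_after_disconnect"] = store.validate_bound(token, owner, t0 + 2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
```

The point of the contrast is that the token alone is a bearer credential: binding it to the authorizing session, keeping its lifetime short, and revoking it on disconnect each shrink the window in which a copied URL is useful.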

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.0
exploitability: 7.6
remediation: 8.3
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.