Key Information

Vulnerability Details
- CVE ID: CVE-2023-5253
- Reporter: SPIBEL-Vorlage (https://github.com/spibel)
- Vulnerability Type: Insufficient session validation, targeting Remote Access Control (RAC) endpoint access
- Summary: After authorized access to the RAC endpoint, authentik generates a token intended for a single connection and sends it to the client. This token should be bound to the state of the user session that authorized the connection, so that it is valid only for that connection, but that validation is currently missing.
- Impact: For example, during screen sharing using RAC, a malicious user could access the same session by copying the URL displayed in the browser.
- Fixed Versions: This issue is fixed in authentik versions 2025.4.3 and 2025.6.3.

Code Changes
- Files Modified: - - - - -
- Main Changes:
  - Introduced the class to filter and validate tokens.
  - Updated test cases to ensure proper handling between different sessions.
  - Modified view logic to include the new token validation step.

Documentation Updates
- Security Advisory: Added detailed vulnerability description, impact, and fix information in .
- Documentation Links: Updated links to the relevant CVE entry in .

Additional Notes
- Workaround Recommendation: It is recommended to reduce the token validity period in the domain (e.g., set ) and enable the "Delete authorization on disconnect" option.
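As an added illustration (not authentik's code), the hypothetical token store below shows the unbound lookup the advisory describes beside a check that binds each single-connection token to the session that authorized it, together with expiry and a revoke-on-disconnect hook; all class and method names are assumptions.

```python
# Added illustration, not authentik's implementation: a connection token
# bound to the authorizing session, beside the unbound check the advisory describes.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ConnectionToken:
    key: str
    session_key: str   # the user session that authorized this connection
    expires_at: float


class ConnectionTokenStore:
    def __init__(self, validity_seconds: int = 600):
        self.validity = validity_seconds
        self._tokens: Dict[str, ConnectionToken] = {}

    def issue(self, session_key: str, now: Optional[float] = None) -> str:
        """Mint a single-connection token for the authorizing session."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)
        self._tokens[key] = ConnectionToken(key, session_key, now + self.validity)
        return key

    def _lookup(self, key: str, now: Optional[float]) -> Optional[ConnectionToken]:
        now = time.time() if now is None else now
        tok = self._tokens.get(key)
        if tok is None:
            return None
        if now >= tok.expires_at:        # expired: drop it and refuse
            del self._tokens[key]
            return None
        return tok

    def validate_unbound(self, key: str, now: Optional[float] = None):
        """Vulnerable pattern: anyone holding the key (e.g. a copied URL) is accepted."""
        return self._lookup(key, now)

    def validate(self, key: str, session_key: str, now: Optional[float] = None):
        """Fixed pattern: the key is accepted only from the session that issued it."""
        tok = self._lookup(key, now)
        if tok is None or not hmac.compare_digest(tok.session_key, session_key):
            return None
        return tok

    def revoke_session(self, session_key: str) -> int:
        """'Delete authorization on disconnect': drop every token of the session."""
        doomed = [k for k, t in self._tokens.items() if t.session_key == session_key]
        for k in doomed:
            del self._tokens[k]
        return len(doomed)
```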