CVE-2025-53942
📋 TL;DR
This vulnerability allows deactivated users who registered via OAuth/SAML to retain partial system access in authentik. They can authorize applications if they know the application URL, despite being in a half-authenticated state where API access is blocked. This affects authentik versions 2025.4.4 and earlier, and 2025.6.0-rc1 through 2025.6.3.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Deactivated users could access sensitive applications and data they should no longer have permission to use, potentially leading to unauthorized data exposure or privilege escalation.
Likely Case
Deactivated users with knowledge of application URLs could access applications they previously used, bypassing intended access controls.
If Mitigated
With proper controls, impact is limited as users need specific application URLs and cannot access APIs, but unauthorized application access remains possible.
🎯 Exploit Status
Exploitation requires deactivated user credentials and knowledge of application URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.4.4 and 2025.6.4
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-9g4j-v8w5-7x42
Restart Required: Yes
Instructions:
1. Update authentik to version 2025.4.4 or 2025.6.4.
2. Restart the authentik service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Expression Policy Workaround
Add an expression policy to the user login stage on the respective authentication flow with the expression 'return request.context["pending_user"].is_active' to ensure only active users can proceed.
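The following is an added example, not code from the advisory or from the authentik project. It models the workaround expression as a plain Python function so its behaviour can be checked offline, including the edge case the one-liner does not cover: a flow where `pending_user` is not present in the context. authentik does execute expression policies with `request.context` available and uses the `return` value as the policy result, but the `User` and `PolicyRequest` classes below are constructed stand-ins, not authentik models, and `policy_fail_closed` is a hypothetical hardened variant.

```python
"""Simulate the expression-policy workaround on the User Login stage.

Added example; the user/request objects are constructed stand-ins for
authentik's models (assumption), and evaluate() mimics authentik treating
an exception inside the expression as a failed policy.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed stand-in for an authentik user."""
    username: str
    is_active: bool
    source: str  # constructed label: "internal", "oauth" or "saml"


@dataclass
class PolicyRequest:
    """Constructed stand-in for the request object a policy receives."""
    context: dict = field(default_factory=dict)


def policy_as_on_page(request):
    """The workaround exactly as the advisory gives it.

    If the flow reaches this policy without a pending_user in context,
    the lookup raises KeyError; authentik turns that into a failed policy,
    so the result is still a denial, but with an error rather than a clean
    'inactive user' outcome."""
    return request.context["pending_user"].is_active


def policy_fail_closed(request):
    """Hypothetical hardened variant: a missing or attribute-less pending
    user denies explicitly instead of raising."""
    user = request.context.get("pending_user")
    return bool(user) and bool(getattr(user, "is_active", False))


def evaluate(policy, request):
    """Run a policy the way the engine does: any exception is a deny."""
    try:
        return bool(policy(request))
    except Exception:
        return False


if __name__ == "__main__":
    active = User("alice", True, "oauth")
    deactivated = User("bob", False, "saml")
    for label, req in [
        ("active OAuth user", PolicyRequest({"pending_user": active})),
        ("deactivated SAML user", PolicyRequest({"pending_user": deactivated})),
        ("no pending_user in context", PolicyRequest({})),
    ]:
        print(f"{label:30} page policy={evaluate(policy_as_on_page, req)!s:5} "
              f"fail-closed={evaluate(policy_fail_closed, req)}")
```

Both variants deny the deactivated user; the difference only shows when the policy is bound somewhere `pending_user` is not yet set, where the hardened form denies without surfacing a Python error in the flow logs.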
🧯 If You Can't Patch
- Implement the expression policy workaround described above.
- Monitor logs for unauthorized access attempts by deactivated users and review user access controls.
🔍 How to Verify
Check if Vulnerable:
Check authentik version via admin interface or command line. If version is 2025.4.4 or earlier, or between 2025.6.0-rc1 and 2025.6.3, the system is vulnerable.
Check Version:
Check via authentik admin interface or run 'ak version' if using CLI.
Verify Fix Applied:
After patching, verify the version is 2025.4.4 or 2025.6.4. Test with a deactivated OAuth/SAML user to ensure they cannot access applications.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing deactivated users attempting or succeeding in accessing applications via OAuth/SAML flows.
Network Indicators:
- Unusual authentication requests from deactivated user accounts to application endpoints.
SIEM Query:
source="authentik" AND (user_status="deactivated" OR user_active="false") AND event_type="authentication_success"
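As an added detection example (not part of the advisory or of authentik), the script below runs the same idea as the SIEM query over exported authentik events: it joins each access event against a list of deactivated accounts and flags any application authorization by one of them. authentik's event model does carry an `action` field and a `user` object, and `authorize_application` and `login` are real action values, but the exact JSON-lines export layout, the `authorized_application` context key and the deactivated-user list are assumptions constructed for this demo; in practice the list would come from the authentik API or a directory export.

```python
"""Flag application authorizations attributed to deactivated accounts.

Added example, not authentik project code. The event layout and the set
of deactivated users below are constructed for the demo.
"""
import json

# Constructed sample events: a normal login, an authorization by a
# deactivated user, an authorization by an active user, and a failed login.
SAMPLE_EVENTS = """\
{"action": "login", "user": {"username": "alice"}, "context": {"auth_method": "password"}, "created": "2025-07-01T10:00:00Z"}
{"action": "authorize_application", "user": {"username": "bob"}, "context": {"authorized_application": {"name": "grafana"}}, "created": "2025-07-01T10:05:00Z"}
{"action": "authorize_application", "user": {"username": "alice"}, "context": {"authorized_application": {"name": "grafana"}}, "created": "2025-07-01T10:06:00Z"}
{"action": "login_failed", "user": {"username": "bob"}, "context": {}, "created": "2025-07-01T10:07:00Z"}
not valid json at all
"""

# Constructed: accounts marked inactive in authentik.
DEACTIVATED_USERS = {"bob"}

# Actions that mean the user got through, rather than being rejected.
ACCESS_ACTIONS = {"authorize_application", "login"}


def parse_events(text):
    """Parse JSON-lines events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_deactivated_access(events, deactivated):
    """Return (username, action, application, timestamp) for every access
    event attributed to a deactivated account."""
    hits = []
    for ev in events:
        if ev.get("action") not in ACCESS_ACTIONS:
            continue
        username = (ev.get("user") or {}).get("username")
        if username not in deactivated:
            continue
        app = ((ev.get("context") or {}).get("authorized_application") or {}).get("name")
        hits.append((username, ev["action"], app, ev.get("created")))
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for hit in find_deactivated_access(events, DEACTIVATED_USERS):
        print("ALERT deactivated account reached an application:", hit)
```

Failed logins by the deactivated user are deliberately not flagged: on a patched instance they are the expected outcome, and the signal for this CVE is a deactivated account that succeeded in authorizing an application.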
🔗 References
- https://github.com/goauthentik/authentik/commit/7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd
- https://github.com/goauthentik/authentik/commit/c3629d12bfe3d32d3dc8f85c0ee1f087a55dde8f
- https://github.com/goauthentik/authentik/commit/ce3f9e3763c1778bf3a16b98c95d10f4091436ab
- https://github.com/goauthentik/authentik/security/advisories/GHSA-9g4j-v8w5-7x42