CVE-2025-64521
📋 TL;DR
This vulnerability allows deactivated service accounts in authentik to still authenticate via OAuth client credentials, bypassing account status controls. It affects authentik deployments using OAuth provider authentication with client_id and client_secret. Only authentik versions before 2025.8.5 and 2025.10.2 are vulnerable.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
An attacker with knowledge of deactivated service account credentials could gain unauthorized access to federated systems, potentially accessing sensitive resources or performing actions with the account's remaining permissions.
Likely Case
Accidental or intentional use of deactivated service accounts that should have been disabled, leading to unauthorized access to integrated applications or services.
If Mitigated
No impact if proper patching or workarounds are implemented, as authentication checks will properly validate account activation status.
🎯 Exploit Status
Exploitation requires knowledge of deactivated service account credentials. The vulnerability is straightforward to exploit once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.8.5 or 2025.10.2
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-xr73-jq5p-ch8r
Restart Required: Yes
Instructions:
1. Update authentik to version 2025.8.5 or 2025.10.2 using your deployment method (Docker, Kubernetes, etc.).
2. Restart the authentik services.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Add explicit policy check
Create a policy that explicitly checks whether the service account is still active and denies access if it is deactivated.
Add a custom policy in the authentik admin interface that validates account activation status before allowing authentication.
🧯 If You Can't Patch
- Implement the policy workaround described in the advisory
- Rotate all OAuth client credentials and audit service account activation status
🔍 How to Verify
Check if Vulnerable:
Check whether the authentik version is earlier than the fixed releases 2025.8.5 or 2025.10.2, and whether OAuth provider authentication with client credentials is configured.
Check Version:
Check the authentik admin interface or run: docker exec authentik_server authentik version
Verify Fix Applied:
After updating, verify that the version is 2025.8.5 or 2025.10.2, then test that deactivated service accounts cannot authenticate.
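The version check above is easy to get wrong because the fix landed on two release branches at once: 2025.8.x is fixed from 2025.8.5 and 2025.10.x from 2025.10.2. The following is an added example, not code from authentik or from the advisory, that compares a reported version string against both fixed releases per branch. The handling of branches other than 2025.8 and 2025.10 (anything older than 2025.10.2 treated as vulnerable, anything newer as fixed) is an assumption drawn from the advisory's phrasing, as is the `assess` helper's exposure rule.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory, keyed by (year, month) release branch.
FIXED_BY_BRANCH = {
    (2025, 8): (2025, 8, 5),
    (2025, 10): (2025, 10, 2),
}
NEWEST_FIX = max(FIXED_BY_BRANCH.values())


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn strings like 'v2025.8.5' or '2025.10.2-rc1' into a (year, month, patch) tuple."""
    parts = version.strip().lstrip("vV").split(".")
    numbers = []
    for part in parts[:3]:
        match = re.match(r"\d+", part)  # keep only the leading digits of each component
        if not match:
            raise ValueError(f"unparseable version component {part!r} in {version!r}")
        numbers.append(int(match.group()))
    while len(numbers) < 3:  # '2025.8' is treated as '2025.8.0'
        numbers.append(0)
    return tuple(numbers)  # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    """True if this authentik version predates the fix on its own release branch."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_BY_BRANCH:
        return parsed < FIXED_BY_BRANCH[branch]
    # Assumption: branches with no dedicated fix (for example 2025.9.x or older series)
    # are vulnerable when they predate the newest fixed release, and fixed otherwise.
    return parsed < NEWEST_FIX


def assess(version: str, client_credentials_configured: bool) -> str:
    """Combine the version check with the exposure condition named in the advisory."""
    if not is_vulnerable(version):
        return "patched"
    if client_credentials_configured:
        return "vulnerable: patch to 2025.8.5 or 2025.10.2, or apply the policy workaround"
    return "vulnerable version, but no OAuth client-credentials provider configured"


if __name__ == "__main__":
    for reported in ("2025.8.4", "2025.8.5", "2025.10.1", "2025.10.2", "v2025.6.3"):
        print(reported, "->", assess(reported, client_credentials_configured=True))
```

Feed it the output of the version command above or the value shown in the admin interface; a result other than `patched` means the deployment still needs the update or the policy workaround.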
📡 Detection & Monitoring
Log Indicators:
- Authentication attempts from deactivated service accounts
- Successful authentications from accounts marked as inactive
Network Indicators:
- OAuth token requests from unexpected sources
SIEM Query:
source="authentik" AND (event="authentication" OR event="token") AND (user_status="inactive" OR account_status="disabled")
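The SIEM query above expresses the two log indicators in pseudo-syntax. As an added example, not code from authentik or the advisory, the script below applies the same logic offline: it joins authentication and token events against an inventory of service accounts and flags any event for an account that is marked inactive. A successful event for a deactivated account is the signature of this bug being hit and is rated high; a failed attempt is what a patched deployment should produce and is kept at informational level for auditing. The log lines, field names (`event`, `outcome`, `user`, `client_id`, `src_ip`) and the account inventory are all constructed for the example and do not reflect authentik's actual event schema.

```python
import json
from typing import Dict, Iterator, List

# Constructed inventory, standing in for an export of service accounts and their status.
SERVICE_ACCOUNTS: Dict[str, Dict[str, bool]] = {
    "svc-backup": {"is_active": True},
    "svc-legacy-sync": {"is_active": False},
    "svc-ci": {"is_active": False},
}

# Constructed JSON log lines; the schema is an assumption for this example.
SAMPLE_LOGS = """\
{"ts":"2025-11-10T09:00:01Z","event":"token","outcome":"success","grant_type":"client_credentials","user":"svc-backup","client_id":"app-backup","src_ip":"10.0.4.12"}
{"ts":"2025-11-10T09:00:07Z","event":"token","outcome":"success","grant_type":"client_credentials","user":"svc-legacy-sync","client_id":"app-sync","src_ip":"10.0.9.77"}
{"ts":"2025-11-10T09:01:15Z","event":"authentication","outcome":"failure","user":"svc-ci","client_id":"app-ci","src_ip":"203.0.113.5"}
{"ts":"2025-11-10T09:02:30Z","event":"token","outcome":"success","grant_type":"authorization_code","user":"alice","client_id":"app-web","src_ip":"10.0.1.3"}
not a json line
"""

AUTH_EVENTS = {"authentication", "token"}


def parse_events(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed JSON line, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: ignore rather than abort the whole scan


def find_inactive_auth(text: str, accounts: Dict[str, Dict[str, bool]]) -> List[dict]:
    """Return findings for auth/token events that involve a deactivated service account."""
    findings = []
    for event in parse_events(text):
        if event.get("event") not in AUTH_EVENTS:
            continue
        account = accounts.get(event.get("user", ""))
        if account is None or account["is_active"]:
            continue  # unknown user or account still active: nothing to flag
        succeeded = event.get("outcome") == "success"
        findings.append({
            "ts": event.get("ts"),
            "user": event["user"],
            "client_id": event.get("client_id"),
            "src_ip": event.get("src_ip"),
            "grant_type": event.get("grant_type"),
            # A success against a deactivated account means the status check was bypassed.
            "severity": "high" if succeeded else "info",
            "reason": ("deactivated service account obtained a token or authenticated"
                       if succeeded else
                       "attempt against deactivated service account was rejected"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_inactive_auth(SAMPLE_LOGS, SERVICE_ACCOUNTS):
        print(f"[{finding['severity']}] {finding['ts']} {finding['user']} "
              f"via {finding['client_id']} from {finding['src_ip']}: {finding['reason']}")
```

The high-severity finding is the one to act on: rotate that client's credentials, confirm the account is still deactivated, and check what the token was used for downstream. The informational findings show the control working after the fix, but a steady stream of them still points at a client that was never decommissioned.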