CVE-2025-64708
📋 TL;DR
This vulnerability in authentik allows expired invitations to remain valid for up to 5 minutes (longer if the cleanup task is backlogged), potentially enabling unauthorized access. It affects all authentik deployments using invitation-based user onboarding. Attackers could use this window to gain access with an expired invitation.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to sensitive systems by using expired invitations during the cleanup delay window, potentially compromising user accounts and organizational resources.
Likely Case
Limited unauthorized access during the 5-minute cleanup window, potentially allowing attackers to create accounts or access restricted areas with expired invitations.
If Mitigated
Minimal impact with proper monitoring and quick patch deployment; expired invitations would be properly invalidated immediately.
🎯 Exploit Status
Exploitation requires an expired invitation token and knowledge of the invitation system. No authentication bypass needed beyond having the invitation token.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.8.5 or 2025.10.2
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc
Restart Required: Yes
Instructions:
1. Back up your authentik configuration and database.
2. Update authentik to version 2025.8.5 or 2025.10.2 using your package manager or deployment method.
3. Restart authentik services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Create validation policy for invitations
Create a policy that explicitly checks invitation validity and bind it to the invitation stage on the invitation flow.
Create policy via authentik admin interface: Policy -> Create -> Expression Policy with condition checking invitation validity
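The check such a policy needs to perform, shown as an added example that is not authentik's own code and not part of the advisory. The stand-alone module below models both the vulnerable behaviour (an expired invitation still accepted while it waits for the periodic cleanup task) and the explicit expiry check, so the difference can be run and tested offline. Assumptions: the Invitation model carries `expiring` (bool) and `expires` (aware datetime) fields, the matched invitation is reachable from the flow context under the key `invitation`, and `ak_message` is available in the expression policy; the 5-minute cleanup interval is taken from the advisory text. Confirm the context key for your authentik version before relying on the policy text in `POLICY_EXPRESSION`.

```python
"""Added example: explicit invitation-expiry check, modelled stand-alone.

Not authentik's code. Field names (`expiring`, `expires`), the context key
`invitation`, and the helper `ak_message` are assumptions to verify.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Periodic expired-invitation cleanup interval, as described in the advisory.
CLEANUP_INTERVAL = timedelta(minutes=5)

# Expression Policy body (assumption: context key "invitation" holds the
# Invitation instance). In authentik the snippet is pasted into
# Policy -> Create -> Expression Policy; `return False` denies.
POLICY_EXPRESSION = '''
from django.utils.timezone import now
invitation = request.context.get("invitation")
if invitation is None:
    return True  # nothing to validate in this flow run
if invitation.expiring and invitation.expires <= now():
    ak_message("Invitation has expired")
    return False
return True
'''


@dataclass
class Invitation:
    """Minimal stand-in for authentik's Invitation model (constructed)."""
    name: str
    expiring: bool
    expires: datetime


def still_in_database(inv: Invitation, now: datetime) -> bool:
    """Vulnerable condition: an expired invitation is only removed by the
    cleanup task, so it remains present for up to CLEANUP_INTERVAL after
    expiry (longer under backlog). A stage that only asks "does the row
    exist?" accepts it during that window."""
    if not inv.expiring:
        return True
    return now < inv.expires + CLEANUP_INTERVAL


def invitation_is_valid(inv: Invitation, now: datetime) -> bool:
    """Explicit check: compare the expiry against the current time instead
    of relying on the cleanup task having run."""
    if not inv.expiring:
        return True
    return now < inv.expires


def expression_policy(context: dict, now: datetime) -> bool:
    """Same logic as POLICY_EXPRESSION, as a plain function over the flow
    context so it can be exercised without authentik."""
    inv = context.get("invitation")
    if inv is None:
        return True  # no invitation in this flow run; nothing to validate
    return invitation_is_valid(inv, now)


# Constructed sample data: one invitation expired 2 minutes ago (inside the
# cleanup window), one expired 6 minutes ago (already swept), one still fresh.
NOW = datetime(2025, 11, 1, 12, 0, tzinfo=timezone.utc)
EXPIRED = Invitation("onboarding-1", True, NOW - timedelta(minutes=2))
STALE = Invitation("onboarding-2", True, NOW - timedelta(minutes=6))
FRESH = Invitation("onboarding-3", True, NOW + timedelta(hours=1))

if __name__ == "__main__":
    for inv in (EXPIRED, STALE, FRESH):
        print(f"{inv.name}: row-exists check={still_in_database(inv, NOW)} "
              f"explicit check={invitation_is_valid(inv, NOW)}")
```

The row-exists check accepts `onboarding-1` because the cleanup task has not yet swept it; the explicit check rejects it immediately, which is the behaviour the patched releases restore.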
🧯 If You Can't Patch
- Disable invitation-based user onboarding temporarily
- Implement external validation of invitation tokens before processing
🔍 How to Verify
Check if Vulnerable:
Check the authentik version: if it is older than 2025.8.5, or is a 2025.10.x release older than 2025.10.2, the system is vulnerable
Check Version:
docker exec authentik authentik version (for Docker) or check package version via system package manager
Verify Fix Applied:
Verify authentik version is 2025.8.5 or 2025.10.2, then test that expired invitations are immediately rejected
📡 Detection & Monitoring
Log Indicators:
- Multiple successful authentications using the same invitation token
- Authentication attempts with timestamps beyond invitation expiration
Network Indicators:
- Unusual authentication patterns from invitation endpoints
- Multiple account creations in short timeframes
SIEM Query:
source="authentik" AND (event="invitation_used" AND timestamp > invitation_expiry) OR (event="user_created" AND source="invitation" AND rate > 5/min)
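The log and SIEM indicators above, implemented as an added stand-alone detection script that is not part of the advisory. The event line format (one JSON object per line with `event`, `token`, `invitation_expiry`, `timestamp`, `source` and `user` fields) is a constructed assumption for illustration; map the field names to your own authentik event export. The sample log is constructed and contains one token reused after expiry, one further post-expiry use, and a burst of six invitation-sourced account creations inside one minute.

```python
"""Added example: invitation-abuse detection over constructed log lines.

Not authentik's code. The JSON field names are an assumption; adapt them to
the event fields your SIEM actually receives.
"""
from __future__ import annotations

import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real logs); naive ISO-8601 timestamps, UTC.
SAMPLE_LOG = """
{"event": "invitation_used", "token": "inv-A", "invitation_expiry": "2025-11-01T12:00:00", "timestamp": "2025-11-01T11:58:10"}
{"event": "user_created", "source": "invitation", "user": "u0", "timestamp": "2025-11-01T11:30:00"}
{"event": "invitation_used", "token": "inv-A", "invitation_expiry": "2025-11-01T12:00:00", "timestamp": "2025-11-01T12:02:45"}
{"event": "user_created", "source": "invitation", "user": "u1", "timestamp": "2025-11-01T12:02:50"}
{"event": "user_created", "source": "invitation", "user": "u2", "timestamp": "2025-11-01T12:03:00"}
{"event": "invitation_used", "token": "inv-B", "invitation_expiry": "2025-11-01T12:00:00", "timestamp": "2025-11-01T12:03:05"}
{"event": "user_created", "source": "invitation", "user": "u3", "timestamp": "2025-11-01T12:03:08"}
{"event": "invitation_used", "token": "inv-C", "invitation_expiry": "2025-11-01T13:00:00", "timestamp": "2025-11-01T12:03:10"}
{"event": "user_created", "source": "invitation", "user": "u4", "timestamp": "2025-11-01T12:03:15"}
{"event": "user_created", "source": "invitation", "user": "u5", "timestamp": "2025-11-01T12:03:22"}
{"event": "user_created", "source": "manual", "user": "admin-made", "timestamp": "2025-11-01T12:03:30"}
{"event": "user_created", "source": "invitation", "user": "u6", "timestamp": "2025-11-01T12:03:40"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse one JSON event per line and convert timestamp fields to datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["timestamp"] = datetime.fromisoformat(ev["timestamp"])
        if "invitation_expiry" in ev:
            ev["invitation_expiry"] = datetime.fromisoformat(ev["invitation_expiry"])
        events.append(ev)
    return events


def used_after_expiry(events: list[dict]) -> list[str]:
    """Indicator: invitation_used events timestamped after the invitation's expiry."""
    hits = {ev["token"] for ev in events
            if ev["event"] == "invitation_used"
            and ev["timestamp"] > ev["invitation_expiry"]}
    return sorted(hits)


def reused_tokens(events: list[dict]) -> dict[str, int]:
    """Indicator: the same invitation token accepted more than once."""
    counts = Counter(ev["token"] for ev in events if ev["event"] == "invitation_used")
    return {token: n for token, n in counts.items() if n > 1}


def creation_bursts(events: list[dict], threshold: int = 5,
                    window: timedelta = timedelta(minutes=1)) -> list[tuple[datetime, int]]:
    """Indicator: more than `threshold` invitation-sourced account creations
    within any sliding `window` (the 'rate > 5/min' clause of the SIEM query).
    Returns (window start, count) for each window start that exceeds it."""
    stamps = sorted(ev["timestamp"] for ev in events
                    if ev["event"] == "user_created" and ev.get("source") == "invitation")
    bursts = []
    j = 0
    for i, start in enumerate(stamps):
        while j < len(stamps) and stamps[j] - start <= window:
            j += 1
        count = j - i
        if count > threshold:
            bursts.append((start, count))
    return bursts


def analyze(text: str) -> dict:
    """Run all three indicators and return JSON-friendly results."""
    events = parse_events(text)
    return {
        "used_after_expiry": used_after_expiry(events),
        "reused_tokens": reused_tokens(events),
        "creation_bursts": [(start.isoformat(), n) for start, n in creation_bursts(events)],
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample, `inv-A` is reported both as reused and as used after expiry, `inv-B` as used after expiry, and the six creations starting at 12:02:50 as a burst; the manually created account and the in-date `inv-C` use are not flagged.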