CVE-2025-53942
Description
authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state in which they cannot access the API but, crucially, can still authorize applications if they know the application's URL. To work around this issue, developers can add an expression policy to the user login stage of the affected authentication flow with the expression return request.context["pending_user"].is_active. With this policy in place, the user login stage only runs when the pending user is active. This issue is fixed in authentik versions 2025.4.4 and 2025.6.4.
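The workaround above is a one-line authentik expression policy. The following is an added example, not authentik's own code or evaluator: it wraps that expression in a small stand-in policy evaluator so the three cases worth checking can be run offline: an active user, a deactivated source-linked user, and a flow context with no pending_user at all. The User and Request classes are constructed stand-ins for authentik's objects, the source field and sample usernames are made up, and the rule that an exception raised inside the expression counts as a deny is an assumption about the evaluator rather than a documented guarantee. The defensive variant goes one step beyond the advisory's expression by treating a missing pending_user as a deny without relying on that assumption.

```python
"""Stand-in evaluation of the CVE-2025-53942 workaround expression policy.

Added example; not authentik's code. User/Request are constructed stand-ins
for authentik's objects, and 'exception inside the expression == deny' is an
assumed evaluator behaviour, not a documented one.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional, Tuple


@dataclass
class User:
    username: str
    is_active: bool
    # Constructed: the source the account was linked to (e.g. an OAuth source).
    source: Optional[str] = None


@dataclass
class Request:
    # Mirrors request.context as seen by an expression policy.
    context: Dict[str, Any] = field(default_factory=dict)


def advisory_policy(request: Request) -> bool:
    """The advisory's workaround expression, verbatim, as a callable."""
    return request.context["pending_user"].is_active


def defensive_policy(request: Request) -> bool:
    """Stricter variant: a missing pending_user is an explicit deny, not a crash."""
    user = request.context.get("pending_user")
    return bool(user is not None and user.is_active)


def evaluate(policy: Callable[[Request], bool], request: Request) -> Tuple[bool, str]:
    """Stand-in evaluator: truthy result passes; any exception fails with a reason.

    Assumption: the real evaluator also treats an exception as a failing result.
    """
    try:
        return bool(policy(request)), ""
    except Exception as exc:
        return False, f"{type(exc).__name__}: {exc}"


def user_login_stage_allowed(request: Request,
                             policy: Callable[[Request], bool] = defensive_policy) -> bool:
    """Gate the user login stage on the policy, as the workaround intends."""
    passed, _reason = evaluate(policy, request)
    return passed


def demo() -> Dict[str, Tuple[Tuple[bool, str], Tuple[bool, str]]]:
    """Run both policies over constructed flow contexts and return the outcomes."""
    cases = {
        "active_local": Request({"pending_user": User("alice", True)}),
        "deactivated_oauth": Request({"pending_user": User("bob", False, source="oauth-example")}),
        "no_pending_user": Request({}),
    }
    return {name: (evaluate(advisory_policy, req), evaluate(defensive_policy, req))
            for name, req in cases.items()}


if __name__ == "__main__":
    for name, (advisory, defensive) in demo().items():
        print(f"{name:20s} advisory={advisory} defensive={defensive}")
```

The deactivated source-linked user is denied by both variants, which is the property the workaround restores. The empty-context case is where the two differ: the advisory expression raises KeyError and only denies if the evaluator treats exceptions as failures, whereas the defensive variant denies explicitly.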
EU Vulnerability Database
ENISA Analysis
Same text as the Description above.
Data provided by ENISA EU Vulnerability Database. Last updated: July 23, 2025
GitHub Security Advisories
Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources
GHSA-9g4j-v8w5-7x42
CVSS Scoring
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Advisory provided by GitHub Security Advisory Database. Published: July 22, 2025, Modified: July 23, 2025