GHSA-9g4j-v8w5-7x42
GitHub Security Advisory
Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources
Advisory Details
### Summary
Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application.
### Patches
authentik 2025.4.4 and 2025.6.4 fix this issue.
### Workarounds
Add an expression policy to the user login stage on the respective authentication flow, with the following expression:
```py
return request.context["pending_user"].is_active
```
This expression will only activate the user login stage when the user is active.
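The following added example (a simplified model, not authentik's own code) shows the effect of binding that expression to the user login stage. The flow executor, `StageBinding`, `source_login` and the sample accounts are hypothetical names constructed for illustration; only the expression itself comes from the advisory.

```python
from dataclasses import dataclass, field
from types import SimpleNamespace

# The workaround expression, copied verbatim from the advisory.
EXPRESSION = 'return request.context["pending_user"].is_active'

def compile_policy(expression):
    """Wrap an expression body in a function and return a fail-closed evaluator."""
    body = "\n".join("    " + line for line in expression.splitlines())
    scope = {}
    exec("def handler(request):\n" + body, scope)
    def evaluate(request):
        try:
            return bool(scope["handler"](request))
        except Exception:
            return False  # model choice: a policy that errors denies
    return evaluate

@dataclass
class StageBinding:  # hypothetical: a stage plus the policies bound to it
    name: str
    run: callable
    policies: list = field(default_factory=list)

def user_login_stage(context, session):
    # Establishes a session for whoever the source resolved as pending_user.
    session["user"] = context["pending_user"].username

def execute_flow(bindings, context):
    """Run each stage whose bound policies all pass; return (session, skipped)."""
    session, skipped = {}, []
    request = SimpleNamespace(context=context)
    for binding in bindings:
        if all(policy(request) for policy in binding.policies):
            binding.run(context, session)
        else:
            skipped.append(binding.name)
    return session, skipped

def source_login(user, with_workaround):
    """Simulate the return from an OAuth/SAML source that matched `user`."""
    policies = [compile_policy(EXPRESSION)] if with_workaround else []
    flow = [StageBinding("user-login", user_login_stage, policies)]
    return execute_flow(flow, {"pending_user": user})

# Constructed sample accounts.
ALICE = SimpleNamespace(username="alice", is_active=True)
MALLORY = SimpleNamespace(username="mallory", is_active=False)  # deactivated
```

Without the policy, the modelled login stage creates a session for the deactivated account; with it, the stage is skipped and no session exists, while active users are unaffected.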
### For more information
If you have any questions or comments about this advisory:
- Email us at [email protected].
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.