CVE-2025-53942
BaseFortify
Publication date: 2025-07-23
Last updated on: 2025-08-21
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goauthentik | authentik | All versions before 2025.4.4 (2025.4.4 excluded) |
| goauthentik | authentik | From 2025.6.0 (included) up to 2025.6.4 (excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53942 is a vulnerability in the authentik identity provider. Users whose accounts were deactivated, but who originally registered or linked their accounts via OAuth or SAML, can still reach a partial authentication state. In that state they cannot use the API, but they can still authorize applications if they know the application's URL. The root cause is that the OAuth/SAML authentication flows did not verify that the user was still active. The fix adds checks in the middleware and in the login stage that immediately log out inactive users and stop them from proceeding. Before patching, the workaround was to bind an expression policy to the User Login stage that only lets active users proceed. [1, 2, 3, 4]
How can this vulnerability impact me?
Deactivating a user is normally the way an administrator revokes that user's access. With this vulnerability, a deactivated user who knows an application's URL can still complete OAuth/SAML authorization for that application, so deactivation does not fully revoke access to SSO-protected applications. The affected accounts cannot reach the authentik API, and the impact is limited to what the authorized applications grant, but any application behind authentik that the deactivated user could previously use remains reachable. This matters most for offboarded employees and accounts disabled after a suspected compromise. [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
First, compare your authentik version against the affected ranges above: any release before 2025.4.4, or from 2025.6.0 up to (but not including) 2025.6.4, is vulnerable. Second, confirm the behaviour directly: deactivate a test user whose account was created or linked via an OAuth or SAML source, then attempt the login and application-authorization flow as that user; on a vulnerable instance the authorization succeeds despite the account being inactive. Third, review authentik's event log for login or application-authorization events attributed to users that are currently inactive, which would indicate the issue has already been exercised. The referenced resources do not provide specific commands for this. If you have applied the workaround expression policy (return request.context["pending_user"].is_active), the same test login as a deactivated user verifies that the policy blocks the flow. [1, 2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
The permanent fix is to upgrade authentik to 2025.4.4 or 2025.6.4 (or any later release); these versions add middleware and login-stage checks that log out inactive users and prevent them from proceeding. If you cannot upgrade immediately, add an expression policy to the User Login stage of your authentication flow with the expression return request.context["pending_user"].is_active, so that only active users pass the login stage and deactivated users can neither partially authenticate nor authorize applications. Keep the policy in place until the upgrade is done, and verify it with a test login as a deactivated user. [1, 2, 3, 4]
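The following is an added example for triaging this CVE, not code from the authentik project or from the referenced resources. It implements the affected-version check from the table above, simulates how the one-line workaround policy evaluates against a constructed request context (authentik's own policy engine is not used; the wrapping in a function is an assumption that mirrors the fact that the snippet uses return), and cross-checks a few constructed event records against constructed user records to flag logins or authorizations by inactive users. The event and user record shapes are assumptions for this example, not authentik's API or log schema.

```python
"""Triage helpers for CVE-2025-53942 (authentik: deactivated OAuth/SAML users
can still authorize applications).  Added example, not authentik code."""
import re
from dataclasses import dataclass
from typing import Optional


# --- 1. Affected-version check, taken from the advisory's affected ranges ---
# (lower bound inclusive or None, upper bound exclusive)
AFFECTED_RANGES = [
    (None, "2025.4.4"),
    ("2025.6.0", "2025.6.4"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2025.6.3' (or 'v2025.6.3-rc1') into a comparable int tuple."""
    parts = []
    for piece in version.strip().lstrip("v").split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the given authentik version falls in an affected range."""
    pv = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        below_upper = pv < parse_version(upper)
        above_lower = lower is None or parse_version(lower) <= pv
        if below_upper and above_lower:
            return True
    return False


# --- 2. Simulation of the workaround expression policy ---------------------
WORKAROUND_POLICY = 'return request.context["pending_user"].is_active'


@dataclass
class PendingUser:
    username: str
    is_active: bool


@dataclass
class PolicyRequest:
    """Stand-in for the request object an authentik expression policy sees;
    only the 'context' attribute is modelled here (assumption)."""
    context: dict


def evaluate_login_policy(expression: str, request: PolicyRequest) -> bool:
    """Evaluate a policy snippet by wrapping it in a function body so that its
    'return' statement is valid, then call it with the request.  This mimics
    the shape of expression-policy evaluation; it is not authentik's engine."""
    body = "\n".join("    " + line for line in expression.splitlines())
    namespace: dict = {}
    exec(f"def handler(request):\n{body}\n", namespace)
    return bool(namespace["handler"](request))


# --- 3. Cross-check events against user status -----------------------------
# Constructed sample data; field names are assumptions for this example.
SAMPLE_USERS = [
    PendingUser("alice", is_active=True),
    PendingUser("bob", is_active=False),   # offboarded, linked via SAML
]
SAMPLE_EVENTS = [
    {"action": "login", "username": "alice", "app": "grafana"},
    {"action": "authorize_application", "username": "bob", "app": "grafana"},
    {"action": "login", "username": "bob", "app": None},
    {"action": "logout", "username": "bob", "app": None},
]
SUSPICIOUS_ACTIONS = {"login", "authorize_application"}


def find_inactive_authorizations(events: list[dict], users: list[PendingUser]) -> list[dict]:
    """Return login/authorization events attributed to currently inactive users."""
    inactive = {u.username for u in users if not u.is_active}
    return [e for e in events
            if e["action"] in SUSPICIOUS_ACTIONS and e["username"] in inactive]


if __name__ == "__main__":
    for v in ("2025.4.3", "2025.4.4", "2025.6.2", "2025.6.4", "2025.8.0"):
        print(f"authentik {v}: affected={is_affected(v)}")
    for user in SAMPLE_USERS:
        req = PolicyRequest(context={"pending_user": user})
        print(f"policy for {user.username}: {evaluate_login_policy(WORKAROUND_POLICY, req)}")
    for hit in find_inactive_authorizations(SAMPLE_EVENTS, SAMPLE_USERS):
        print("inactive user activity:", hit)
```

Run it as a script to see the version verdicts, the policy outcome for an active and an inactive user, and the two flagged events for the deactivated user. To use the cross-check on real data, replace the constructed lists with user and event records pulled from your own authentik instance, keeping the is_active flag and the action and username fields.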