
Pascalwei

Rank: #37907 of 53,608
Total CVSS: 7.4
Vulnerabilities: 1
PT-2025-30439 · CVSS 7.4 · 2025-07-22 · Authentik · Authentik · CVE-2025-53942
**Name of the Vulnerable Software and Affected Versions**

- authentik versions prior to 2025.4.4
- authentik versions 2025.6.0-rc1 through 2025.6.3

**Description**

Deactivated users who registered through OAuth/SAML, or who linked their accounts to OAuth/SAML providers, can retain partial access to the system despite their accounts being deactivated. These users enter a half-authenticated state in which they cannot access the API but can still authorize applications if they know the application URL.

**Recommendations**

- For versions prior to 2025.4.4, add an expression policy to the user login stage on the respective authentication flow with the expression `return request.context["pending_user"].is_active`.
- For versions 2025.6.0-rc1 through 2025.6.3, add an expression policy to the user login stage on the respective authentication flow with the expression `return request.context["pending_user"].is_active`.