PT-2025-30439 · Authentik · Authentik
Pascalwei
Published 2025-07-22 · Updated 2026-04-16
CVE-2025-53942
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
authentik versions prior to 2025.4.4
authentik versions 2025.6.0-rc1 through 2025.6.3
Description
Deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can retain partial access to the system despite their accounts being deactivated. These users enter a half-authenticated state where they cannot access the API but can authorize applications if they know the application URL.
Recommendations
For versions prior to 2025.4.4, add an expression policy to the user login stage on the respective authentication flow with the expression:
return request.context["pending_user"].is_active
For versions 2025.6.0-rc1 through 2025.6.3, add an expression policy to the user login stage on the respective authentication flow with the expression:
return request.context["pending_user"].is_active
Exploit
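The policy above keys only on `is_active`, so it denies a deactivated account at the user login stage no matter whether the account was created locally or through an OAuth/SAML source. The following Python model is an added example and not authentik's own code: it re-implements just enough of an expression policy evaluator (a `request` object whose `context` dict carries the resolved user under `pending_user`) to run the recommended expression against constructed users, and adds a hypothetical `users_needing_review` helper that lists the population the advisory describes, deactivated users with a source link. The `User` dataclass, its `source_connections` attribute and the sample users are constructed for this example.

```python
"""Model of the advisory's mitigation: an expression policy bound to the user
login stage that denies any pending user whose account is not active.

Added example, not authentik code. It mimics only the slice of behaviour
needed here: an expression policy is a Python function body that ends in a
`return`, evaluated with a `request` object in scope whose `context` dict
holds the user resolved by earlier stages under the key "pending_user".
"""
from dataclasses import dataclass, field
from types import SimpleNamespace

# The exact expression the advisory recommends binding to the user login stage.
POLICY_EXPRESSION = 'return request.context["pending_user"].is_active'


@dataclass
class User:
    """Constructed stand-in for an authentik user record."""
    username: str
    is_active: bool
    # Names of OAuth/SAML sources this account is linked to (constructed attribute).
    source_connections: list = field(default_factory=list)


def evaluate_policy(expression: str, pending_user: User) -> bool:
    """Evaluate an expression policy for one pending user (hypothetical evaluator).

    The policy text is wrapped in a function so its `return` works, and it is
    executed with nothing but `request` in scope, as an expression policy sees it.
    """
    request = SimpleNamespace(context={"pending_user": pending_user})
    body = "\n".join("    " + line for line in expression.splitlines())
    namespace = {}
    exec(f"def _policy(request):\n{body}\n", {}, namespace)
    return bool(namespace["_policy"](request))


def user_login_stage(pending_user: User, policies) -> str:
    """Outcome of the user login stage: every bound policy must pass to allow login."""
    for expression in policies:
        if not evaluate_policy(expression, pending_user):
            return "denied"
    return "allowed"


def users_needing_review(users):
    """Deactivated users with an OAuth/SAML link: the accounts the advisory concerns."""
    return [u for u in users if not u.is_active and u.source_connections]


# Constructed sample users covering local and source-linked, active and deactivated.
SAMPLE_USERS = [
    User("alice", is_active=True),
    User("bob", is_active=False),
    User("carol", is_active=False, source_connections=["github-oauth"]),
    User("dave", is_active=True, source_connections=["corp-saml"]),
]


def policy_outcomes(users=SAMPLE_USERS):
    """Run the recommended policy over the sample users; only active ones are allowed."""
    return {u.username: user_login_stage(u, [POLICY_EXPRESSION]) for u in users}


if __name__ == "__main__":
    for name, outcome in policy_outcomes().items():
        print(f"{name:6} -> {outcome}")
    print("review:", [u.username for u in users_needing_review(SAMPLE_USERS)])
```

Running the script shows `carol`, the deactivated source-linked account, denied alongside the deactivated local account `bob`, while both active users are allowed; the review helper singles out `carol` as the kind of account to audit for lingering application authorizations once the policy is in place.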
Fix
Weakness Enumeration
Improper Privilege Management
Related Identifiers
Affected Products
Authentik