PT-2025-47494 · Authentik · Authentik

Published: 2025-11-19 · Updated: 2026-04-16 · CVE-2025-64521

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: authentik versions prior to 2025.8.5; authentik versions prior to 2025.10.2
Description: authentik is an open-source Identity Provider. Before versions 2025.8.5 and 2025.10.2, when a client authenticated to an OAuth provider with a client id and client secret, authentik created a service account for that provider. Authentication with this service account remained possible even after the account had been deactivated. Other permissions were correctly applied, and federation with other providers still respected the assigned policies.
Recommendations: Update to authentik version 2025.8.5 or later, or to authentik version 2025.10.2 or later. As a workaround, bind a policy to the application that explicitly checks whether the service account is still valid (i.e., not deactivated) and denies access if it is not.

Exploit

Fix

Weakness Enumeration

Related Identifiers

BIT-AUTHENTIK-2025-64521
CVE-2025-64521
GHSA-XR73-JQ5P-CH8R
GO-2025-4137
SUSE-SU-2026:0037-1

Affected Products

Authentik