PT-2025-47495 · Authentik · Authentik

Published

2025-11-19

·

Updated

2026-04-16

·

CVE-2025-64708

CVSS v3.1

5.8

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

authentik versions prior to 2025.8.5
authentik versions prior to 2025.10.2

Description

authentik, an open-source Identity Provider, accepted invitations that had already expired. Removal of expired invitations relied on a background task, which runs with a delay of up to 5 minutes, or longer with a large backlog of tasks, so an expired invitation remained usable until that task deleted it. The root cause was that invitation validity was not checked during the invitation process itself. A workaround is to create a policy that explicitly checks whether the invitation is still valid and denies access if it has expired.

Recommendations

Update to authentik version 2025.8.5 or later.
Update to authentik version 2025.10.2 or later.
Implement a policy that explicitly checks whether the invitation is still valid and denies access if the invitation is not valid.

Exploit

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

BIT-AUTHENTIK-2025-64708
CVE-2025-64708
GHSA-CH7Q-53V8-73PC
GO-2025-4136
SUSE-SU-2026:0037-1

Affected Products

Authentik