GHSA-9g4j-v8w5-7x42: Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-53942

Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources

High severity GitHub Reviewed Published Jul 22, 2025 in goauthentik/authentik • Updated Jul 22, 2025

Package

gomod goauthentik.io (Go)

Affected versions

< 0.0.0-20250722122105-7a4c6b9b50f8

Patched versions

0.0.0-20250722122105-7a4c6b9b50f8

Summary

Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application.

Patches

authentik 2025.4.4 and 2025.6.4 fix this issue.

Workarounds

Adding an expression policy to the user login stage on the respective authentication flow with the expression of

return request.context[“pending_user”].is_active

This expression will only activate the user login stage when the user is active.

For more information

If you have any questions or comments about this advisory:

• Email us at security@goauthentik.io.

References

• GHSA-9g4j-v8w5-7x42
• goauthentik/authentik@7a4c6b9
• goauthentik/authentik@c3629d1
• goauthentik/authentik@ce3f9e3

Published to the GitHub Advisory Database

Jul 22, 2025

Last updated

Jul 22, 2025