CVE-2025-53942: CWE-269: Improper Privilege Management in goauthentik authentik
authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but, crucially, they can authorize applications if they know the URL of the application. To work around this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression return request.context["pending_user"].is_active. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in authentik versions 2025.4.4 and 2025.6.4.
AI Analysis
Technical Summary
CVE-2025-53942 is a high-severity vulnerability classified under CWE-269 (Improper Privilege Management) affecting the open-source Identity Provider software authentik, developed by goauthentik. The vulnerability exists in versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3. The core issue arises when users who have been deactivated but originally registered or linked their accounts via OAuth or SAML protocols retain a partial, unintended access state within the system. Specifically, these deactivated users enter a "half-authenticated" state where they cannot access the API but can still authorize applications if they know the application's URL. This behavior indicates a flaw in the privilege management logic during the authentication flow, allowing deactivated accounts to bypass full access restrictions. The vulnerability is rooted in the authentication flow's user login stage, which does not properly check the active status of pending users. The recommended workaround involves adding an expression policy to the user login stage that explicitly verifies the user's active status (return request.context["pending_user"].is_active), ensuring that only active users proceed through the login stage. The issue is fully resolved in authentik versions 2025.4.4 and 2025.6.4. The CVSS 4.0 base score is 7.1 (high severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, but with high scope and impact on integrity and availability. No known exploits are currently reported in the wild.
Potential Impact
For European organizations using authentik as their Identity Provider, this vulnerability poses a significant risk to identity and access management security. Deactivated users retaining partial access could lead to unauthorized authorization of applications, potentially enabling malicious actors or former employees to maintain footholds or escalate privileges indirectly. This undermines the trustworthiness of the authentication system and could facilitate lateral movement within networks or unauthorized access to sensitive resources. Given that authentik supports multiple protocols (OAuth, SAML) widely used in enterprise environments, the impact extends to federated identity scenarios common in European enterprises and public sector organizations. The half-authenticated state could bypass standard deactivation controls, complicating incident response and user lifecycle management. This vulnerability could also affect compliance with European data protection regulations (e.g., GDPR) by failing to enforce proper access revocation, potentially leading to data breaches or unauthorized data processing.
Mitigation Recommendations
European organizations should promptly upgrade authentik deployments to versions 2025.4.4 or 2025.6.4 where the vulnerability is fixed. Until upgrades are feasible, administrators should implement the recommended expression policy in the user login stage to verify user active status explicitly, preventing deactivated users from proceeding in the authentication flow. Additionally, organizations should audit existing deactivated accounts linked via OAuth/SAML to identify any that might be in the half-authenticated state and revoke or reset their credentials. Monitoring authentication logs for unusual authorization activity related to deactivated users is advised. Integrating multi-factor authentication (MFA) and strict session management policies can further reduce risk. Finally, organizations should review their identity lifecycle management processes to ensure timely and complete deactivation of user access across all integrated systems.
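As an added illustration of the audit and monitoring steps above (not part of this advisory or of authentik's own code), the script below takes a constructed user export and constructed authentik-style event records, lists deactivated accounts that still carry an OAuth/SAML source link, and flags any authorize_application event attributed to a deactivated user. The field names (pk, is_active, sources, action, authorized_application) are assumptions modeled loosely on authentik's user and event objects, not verified against a live instance.

```python
import json

# Constructed user export; "sources" (linked source types) is an assumed field name.
USERS = [
    {"pk": 1, "username": "alice", "is_active": True,  "sources": ["oauth"]},
    {"pk": 2, "username": "bob",   "is_active": False, "sources": ["saml"]},
    {"pk": 3, "username": "carol", "is_active": False, "sources": []},
    {"pk": 4, "username": "dave",  "is_active": False, "sources": ["oauth"]},
]

# Constructed event log, one JSON object per line, loosely modeled on authentik events.
EVENT_LOG = """
{"action": "login", "user": {"pk": 1, "username": "alice"}, "context": {}, "created": "2025-07-23T08:00:00Z"}
{"action": "authorize_application", "user": {"pk": 2, "username": "bob"}, "context": {"authorized_application": {"name": "grafana"}}, "created": "2025-07-23T08:05:00Z"}
{"action": "authorize_application", "user": {"pk": 1, "username": "alice"}, "context": {"authorized_application": {"name": "wiki"}}, "created": "2025-07-23T08:06:00Z"}
{"action": "authorize_application", "user": {"pk": 4, "username": "dave"}, "context": {"authorized_application": {"name": "grafana"}}, "created": "2025-07-23T09:10:00Z"}
"""

FEDERATED = {"oauth", "saml"}

def deactivated_with_federated_link(users):
    """Deactivated accounts that registered or linked via OAuth/SAML: the audit population."""
    return sorted(u["username"] for u in users
                  if not u["is_active"] and FEDERATED & set(u["sources"]))

def authorizations_by_deactivated(users, event_log):
    """authorize_application events whose actor is deactivated; each one is a finding."""
    inactive = {u["pk"] for u in users if not u["is_active"]}
    hits = []
    for line in event_log.strip().splitlines():
        ev = json.loads(line)
        if ev["action"] != "authorize_application":
            continue
        if ev["user"]["pk"] in inactive:
            app = ev["context"].get("authorized_application", {}).get("name", "?")
            hits.append((ev["created"], ev["user"]["username"], app))
    return hits

if __name__ == "__main__":
    print("deactivated accounts with OAuth/SAML links:", deactivated_with_federated_link(USERS))
    for created, user, app in authorizations_by_deactivated(USERS, EVENT_LOG):
        print(f"ALERT {created}: deactivated user {user} authorized application {app}")
```

On a real deployment the user list and events would come from the authentik API or its event export rather than the inline constants.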
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-14T17:23:35.262Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68814a71ad5a09ad0027bdf9
Added to database: 7/23/2025, 8:47:45 PM
Last enriched: 7/23/2025, 9:02:53 PM
Last updated: 7/25/2025, 1:07:45 AM