CVE-2025-64521: CWE-289: Authentication Bypass by Alternate Name in goauthentik authentik
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied, and federation with other providers still takes assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks whether the service account is still valid and denies access if not.
AI Analysis
Technical Summary
CVE-2025-64521 is an authentication bypass vulnerability classified under CWE-289 affecting the open-source Identity Provider software authentik. In versions prior to 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account representing the provider. The vulnerability arises because authentication to this service account remains possible even after the account has been deactivated: whoever holds the service account credentials can still authenticate successfully despite the account being disabled, bypassing the access restriction that deactivation is meant to impose. Other permissions and policies tied to the account are still enforced correctly, and federation with other providers respects assigned policies.

The CVSS vector indicates a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), user interaction required (UI:R) and a scope change (S:C), with limited confidentiality and integrity impact but no availability impact; the privilege and interaction requirements reduce the likelihood of remote exploitation without credentials. The issue was publicly disclosed on November 19, 2025, and fixed in authentik versions 2025.8.5 and 2025.10.2. A recommended workaround before patching is to add an explicit policy check that verifies the service account's active status and denies access if the account is invalid. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability could allow attackers with some level of privilege to bypass authentication controls on service accounts within authentik, potentially leading to unauthorized access to OAuth-protected resources. Although other permissions and policies remain enforced, the bypass could facilitate lateral movement or privilege escalation within identity federation environments. This is particularly concerning for organizations relying on authentik for critical identity and access management functions, including government agencies, financial institutions, and large enterprises that use OAuth federation for single sign-on and service integrations. The impact on confidentiality and integrity is limited but non-negligible, as unauthorized authentication could expose sensitive tokens or user data. Availability is not affected. The vulnerability's requirement for prior privileges and user interaction reduces the risk of widespread automated exploitation but does not eliminate targeted attacks. Organizations that have not updated to the fixed versions or implemented the workaround remain vulnerable.
Mitigation Recommendations
1. Upgrade authentik installations to version 2025.8.5 or 2025.10.2 or later, where the vulnerability is patched.
2. Until patching is possible, implement a strict policy within authentik that explicitly checks the validity and active status of service accounts before allowing authentication, denying access if the account is deactivated.
3. Audit existing service accounts for any that are deactivated but still potentially usable, and revoke or rotate their credentials.
4. Monitor authentication logs for unusual or unauthorized use of service accounts, especially those that should be inactive.
5. Limit the creation and distribution of client_id and client_secret credentials to minimize exposure.
6. Employ multi-factor authentication (MFA) where possible to add an additional layer of security beyond client credentials.
7. Regularly review and update OAuth federation policies to ensure they enforce least privilege principles.
8. Conduct security awareness training for administrators managing authentik to recognize and respond to suspicious authentication activities.
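The workaround (an explicit validity check on the service account) and the log review in step 4, as an added example that is not code from authentik or from this advisory. It models the client-credentials authentication with a minimal in-memory account store: the pre-fix check that consults only the credentials sits beside a check that also applies an active-account policy, and a small review function flags token grants to accounts that are currently deactivated. The account names, secrets, storage format and JSON-lines log format are all constructed for the example; the comment on the corresponding authentik expression policy is an assumption about that API.

```python
# Added example, not code from authentik or from this advisory's authors.
# It models the client-credentials authentication described above with a
# minimal in-memory store, shows the pre-fix check beside a check that
# honours deactivation, and reviews constructed log lines for grants to
# accounts that should have been inactive (mitigation step 4).
# All names, secrets and log lines below are constructed for the example.
from dataclasses import dataclass
import hashlib
import hmac
import json


@dataclass
class ServiceAccount:
    client_id: str
    secret_hash: str        # hex SHA-256 of client_secret (storage format assumed)
    is_active: bool = True  # deactivated accounts have is_active == False


def hash_secret(client_secret: str) -> str:
    return hashlib.sha256(client_secret.encode()).hexdigest()


def build_accounts() -> dict:
    """Constructed fixture: one active and one deactivated provider account."""
    return {
        "svc-reporting": ServiceAccount("svc-reporting", hash_secret("reporting-secret")),
        "svc-legacy": ServiceAccount("svc-legacy", hash_secret("legacy-secret"), is_active=False),
    }


def credentials_match(account: ServiceAccount, client_secret: str) -> bool:
    # constant-time comparison of the stored and presented secret hashes
    return hmac.compare_digest(account.secret_hash, hash_secret(client_secret))


def authenticate_pre_fix(accounts: dict, client_id: str, client_secret: str):
    """Behaviour the advisory describes for versions before 2025.8.5 / 2025.10.2:
    only the credentials are checked, so a deactivated account still authenticates."""
    account = accounts.get(client_id)
    if account is None or not credentials_match(account, client_secret):
        return None
    return account


def account_is_valid(account: ServiceAccount) -> bool:
    """The workaround as a policy: deny unless the service account is still active.
    In authentik this would be an expression policy evaluated against the request's
    user (assumed form: `return request.user.is_active`); here it is a plain function."""
    return account.is_active


def authenticate_with_policy(accounts: dict, client_id: str, client_secret: str):
    """Credential check followed by the explicit validity policy."""
    account = authenticate_pre_fix(accounts, client_id, client_secret)
    if account is None or not account_is_valid(account):
        return None
    return account


# Constructed JSON-lines audit events (not authentik's real log format).
SAMPLE_LOG = """\
{"ts": "2025-11-19T17:00:01Z", "event": "token_issued", "client_id": "svc-reporting"}
{"ts": "2025-11-19T17:02:13Z", "event": "token_issued", "client_id": "svc-legacy"}
{"ts": "2025-11-19T17:03:40Z", "event": "token_denied", "client_id": "svc-unknown"}
{"ts": "2025-11-19T17:05:09Z", "event": "token_issued", "client_id": "svc-legacy"}
"""


def grants_to_inactive_accounts(log_text: str, accounts: dict) -> list:
    """Return (timestamp, client_id) pairs where a token was issued to an account
    that is currently deactivated; each one is worth investigating."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event") != "token_issued":
            continue
        account = accounts.get(event.get("client_id"))
        if account is not None and not account.is_active:
            findings.append((event["ts"], account.client_id))
    return findings


if __name__ == "__main__":
    accounts = build_accounts()
    pre_fix = authenticate_pre_fix(accounts, "svc-legacy", "legacy-secret")
    with_policy = authenticate_with_policy(accounts, "svc-legacy", "legacy-secret")
    print("pre-fix, deactivated account authenticates:", pre_fix is not None)
    print("with policy, deactivated account authenticates:", with_policy is not None)
    for ts, cid in grants_to_inactive_accounts(SAMPLE_LOG, accounts):
        print(f"review: token issued at {ts} to deactivated account {cid}")
```

The policy is deliberately a separate function applied after the credential check rather than folded into it: that mirrors the advisory's workaround, which adds a policy to the application instead of changing the credential verification itself, and it keeps the check easy to remove once the fixed version is deployed. The log review compares each grant against the account's current state, so it also surfaces grants that were valid when issued but belong to accounts deactivated since.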
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T21:15:39.400Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691dfb7693c808727dc04384
Added to database: 11/19/2025, 5:16:38 PM
Last enriched: 11/19/2025, 5:23:49 PM
Last updated: 11/19/2025, 6:37:55 PM