CVE-2025-64521: CWE-289: Authentication Bypass by Alternate Name in goauthentik authentik
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied, and federation with other providers still takes assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks whether the service account is still valid and denies access if it is not.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-64521 affects authentik, an open-source Identity Provider used for OAuth-based authentication. In versions prior to 2025.8.5 and 2025.10.2, authentik creates a service account when authenticating with client_id and client_secret to an OAuth provider. However, due to a flaw, authentication to this service account is possible even if the account has been deactivated. This occurs because the system does not properly verify the active status of the service account during the authentication process, effectively allowing an authentication bypass (CWE-289). Although other permissions and federated policies are correctly enforced, this bypass can enable unauthorized access to services or resources that rely on this service account's authentication. The vulnerability requires an attacker to have high privileges and user interaction, limiting ease of exploitation. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, high privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No public exploits are known, and the vendor has fixed the issue in versions 2025.8.5 and 2025.10.2. A workaround involves adding explicit policy checks to deny access if the service account is invalid or deactivated.
Potential Impact
For European organizations, this vulnerability poses a moderate risk, primarily affecting the confidentiality and integrity of systems relying on authentik for OAuth authentication. Unauthorized authentication to deactivated service accounts could allow attackers to access sensitive internal services or data, potentially leading to data leakage or unauthorized actions. While the impact on availability is negligible, the breach of authentication controls can undermine trust in identity management systems, which are critical for compliance with GDPR and other data protection regulations. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that use authentik may face increased risks of targeted attacks exploiting this flaw. The requirement for high privileges and user interaction reduces the likelihood of widespread exploitation but does not eliminate the threat in insider or advanced persistent threat scenarios. Failure to patch or implement mitigations could lead to regulatory penalties and reputational damage if unauthorized access results in data breaches.
Mitigation Recommendations
European organizations should immediately upgrade authentik installations to versions 2025.8.5 or 2025.10.2 where this vulnerability is fixed. Until upgrades are possible, administrators should implement explicit policy checks within authentik to verify the active status of service accounts before granting authentication, denying access if the account is deactivated. Regular audits of service accounts and OAuth client credentials should be conducted to identify and disable unused or stale accounts. Monitoring authentication logs for unusual activity related to service accounts can help detect attempted exploitation. Additionally, organizations should enforce the principle of least privilege on service accounts and restrict their use to necessary scopes only. Integrating multi-factor authentication (MFA) for administrative access and sensitive OAuth operations can further reduce risk. Finally, ensure that incident response plans include procedures for addressing identity provider compromises.
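The following is an added, constructed model of the workaround described above; it is not authentik's code. In authentik, application policies of this kind are expression policies: a Python body whose `return` value decides the outcome, with the current user reachable as `request.user`. The `ServiceAccount` and `PolicyRequest` classes, the `evaluate_expression_policy` wrapper, the `token_request_allowed` gate, the log-scanning helper and all sample data are stand-ins built for this example, and the usernames and secrets are constructed values. With no policy bound, the gate reproduces the pre-fix behaviour the advisory describes (a correct secret is accepted for a deactivated account); with the active-status policy bound, the deactivated account is denied.

```python
"""Constructed model of the CVE-2025-64521 workaround (not authentik code)."""
import hmac
import textwrap
from dataclasses import dataclass, field


@dataclass
class ServiceAccount:
    """Minimal stand-in for the per-provider service account (constructed)."""
    username: str
    client_secret: str
    is_active: bool = True


@dataclass
class PolicyRequest:
    """Minimal stand-in for what an expression policy sees as `request`."""
    user: ServiceAccount
    context: dict = field(default_factory=dict)


# The workaround policy, written the way an authentik expression policy is:
# deny when the provider's service account has been deactivated.
SERVICE_ACCOUNT_ACTIVE_POLICY = """
return request.user.is_active
"""


def evaluate_expression_policy(body: str, request: PolicyRequest) -> bool:
    """Run a policy body with `request` in scope and return its verdict.

    Constructed evaluator that only imitates the shape of authentik's
    (the body is wrapped in a function so a bare `return` works). It is
    not sandboxed; it exists to show how the policy decision is reached.
    """
    source = "def handler(request):\n" + textwrap.indent(textwrap.dedent(body), "    ")
    namespace: dict = {}
    exec(source, namespace)  # admin-authored policy text only, in this model
    return bool(namespace["handler"](request))


def token_request_allowed(client_id: str, client_secret: str, accounts: dict,
                          policies: list) -> bool:
    """Model of the client_credentials gate.

    With `policies` empty this mirrors the pre-fix behaviour the advisory
    describes: a correct secret is accepted even for a deactivated account.
    Binding SERVICE_ACCOUNT_ACTIVE_POLICY denies deactivated accounts.
    """
    account = accounts.get(client_id)
    if account is None:
        return False
    if not hmac.compare_digest(account.client_secret.encode(), client_secret.encode()):
        return False
    request = PolicyRequest(user=account)
    return all(evaluate_expression_policy(policy, request) for policy in policies)


def logins_by_deactivated_accounts(events: list, accounts: dict) -> list:
    """Detection helper for the advisory's log-monitoring advice.

    `events` are constructed login records, not authentik's event schema.
    Any successful login attributed to an account that is deactivated in
    `accounts` is returned for investigation.
    """
    return [
        e for e in events
        if e.get("event") == "login"
        and e.get("username") in accounts
        and not accounts[e["username"]].is_active
    ]


# Constructed sample data: two provider service accounts, one deactivated.
ACCOUNTS = {
    "provider-billing-svc": ServiceAccount("provider-billing-svc", "example-secret-1"),
    "provider-legacy-svc": ServiceAccount("provider-legacy-svc", "example-secret-2",
                                          is_active=False),
}

SAMPLE_EVENTS = [  # constructed log records
    {"event": "login", "username": "provider-billing-svc"},
    {"event": "login", "username": "provider-legacy-svc"},
    {"event": "login_failed", "username": "provider-legacy-svc"},
]

if __name__ == "__main__":
    no_policy = token_request_allowed("provider-legacy-svc", "example-secret-2", ACCOUNTS, [])
    with_policy = token_request_allowed("provider-legacy-svc", "example-secret-2", ACCOUNTS,
                                        [SERVICE_ACCOUNT_ACTIVE_POLICY])
    print(f"deactivated account, no policy bound: allowed={no_policy}")
    print(f"deactivated account, active-status policy bound: allowed={with_policy}")
    print("logins by deactivated accounts:",
          logins_by_deactivated_accounts(SAMPLE_EVENTS, ACCOUNTS))
```

The policy body itself is the only part that maps directly onto authentik: bound to the application the OAuth provider serves, it makes the active-status check explicit until the fixed versions are deployed. The log helper illustrates the companion control the recommendations call for, correlating login events against account state so that a deactivated service account that still authenticates stands out.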
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T21:15:39.400Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691dfb7693c808727dc04384
Added to database: 11/19/2025, 5:16:38 PM
Last enriched: 11/26/2025, 6:03:36 PM
Last updated: 1/7/2026, 8:50:55 AM