CVE-2025-64708: CWE-613: Insufficient Session Expiration in goauthentik authentik
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, invitations were considered valid regardless of whether they had expired, relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, binding it to the invitation stage on the invitation flow, and denying access if the invitation is not valid.
AI Analysis
Technical Summary
CVE-2025-64708 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting the open-source Identity Provider software authentik prior to versions 2025.8.5 and 2025.10.2. The root cause lies in the handling of invitation tokens, which are used to onboard or grant access to users. In affected versions, invitations were considered valid until a background cleanup task removed expired invitations. This cleanup runs every five minutes but can be delayed significantly if there is a backlog of tasks, resulting in invitations remaining valid beyond their intended expiration time. Consequently, an attacker who obtains an expired invitation token could reuse it within this window to gain unauthorized access, compromising confidentiality. The vulnerability has a CVSS 3.1 base score of 5.8 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C) indicating that the impact extends beyond the vulnerable component. The impact is limited to confidentiality loss, with no integrity or availability impact. The fix introduced in versions 2025.8.5 and 2025.10.2 enforces immediate validation of invitation tokens, preventing expired invitations from being accepted regardless of background cleanup timing. As a workaround, administrators can create and bind a policy that explicitly checks invitation validity during the invitation flow, denying access if the invitation is expired. No known exploits are currently reported in the wild. This vulnerability is particularly relevant for organizations relying on authentik for identity and access management, as it could allow unauthorized access through expired invitations.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized access through the reuse of expired invitation tokens, potentially exposing sensitive identity and access management data. Since authentik is used as an Identity Provider, unauthorized access could lead to confidentiality breaches of user credentials, access rights, or sensitive internal resources. Although the vulnerability does not affect integrity or availability, the compromise of confidentiality can facilitate further attacks such as privilege escalation or lateral movement within networks. Organizations in sectors with strict data protection regulations like GDPR may face compliance risks and reputational damage if such unauthorized access occurs. The delayed expiration enforcement could be exploited in environments with high invitation issuance rates or where backlog delays are common, increasing the window of vulnerability. European entities using open-source IAM solutions or those that have integrated authentik into their authentication workflows are particularly at risk. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. Prompt remediation is critical to prevent potential exploitation.
Mitigation Recommendations
European organizations should immediately upgrade authentik to versions 2025.8.5 or 2025.10.2 where the vulnerability is fixed. Until upgrades can be applied, implement a custom policy within authentik that explicitly checks the validity of invitations during the invitation flow and denies access if the invitation is expired. Monitor the background task queue to ensure timely cleanup of expired invitations and reduce backlog that could delay expiration enforcement. Review and limit the issuance rate of invitations to minimize backlog buildup. Conduct regular audits of invitation usage and access logs to detect any anomalous or repeated use of expired invitations. Integrate multi-factor authentication (MFA) to add an additional layer of security, reducing the impact of compromised invitations. Educate administrators and users about the importance of promptly revoking unused or suspicious invitations. Finally, maintain up-to-date incident response plans that include procedures for identity provider compromises.
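To make the time-of-use gap concrete, here is a constructed model (added here; not authentik's code) that contrasts the pre-fix pattern, where an invitation counts as valid as long as the periodic cleanup has not yet deleted it, with the fixed pattern that checks `expires` at redemption time, which is also the check the workaround policy has to perform. The `Invitation` class, the store, the 5-minute schedule's "backlog delay" and the clock origin `T0` are hypothetical stand-ins.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CLEANUP_INTERVAL = timedelta(minutes=5)  # cleanup schedule stated in the advisory
T0 = datetime(2025, 11, 19, 12, 0, tzinfo=timezone.utc)  # constructed clock origin


@dataclass
class Invitation:  # hypothetical stand-in for the real invitation object
    token: str
    expires: datetime

    def is_expired(self, now: datetime) -> bool:
        return now >= self.expires


@dataclass
class InvitationStore:
    rows: dict[str, Invitation] = field(default_factory=dict)
    last_cleanup: datetime = T0
    backlog_delay: timedelta = timedelta(0)  # how late a full task queue makes the cleanup run

    def run_cleanup_if_due(self, now: datetime) -> None:
        """Periodic cleanup task: deletes expired rows, but only when its slot comes up."""
        if now >= self.last_cleanup + CLEANUP_INTERVAL + self.backlog_delay:
            self.rows = {t: i for t, i in self.rows.items() if not i.is_expired(now)}
            self.last_cleanup = now

    def redeem_vulnerable(self, token: str, now: datetime) -> bool:
        """Pre-fix pattern (CWE-613): 'still in the table' is taken to mean 'still valid'."""
        self.run_cleanup_if_due(now)
        return self.rows.pop(token, None) is not None

    def redeem_fixed(self, token: str, now: datetime) -> bool:
        """Fixed pattern, and what the workaround policy must do: check expiry at use time."""
        self.run_cleanup_if_due(now)
        inv = self.rows.get(token)
        if inv is None or inv.is_expired(now):
            return False
        del self.rows[token]
        return True


def redeem_after_expiry(minutes_late: int, backlog_minutes: int = 0) -> tuple[bool, bool]:
    """(vulnerable_accepted, fixed_accepted) for a token that expired at T0+1min and is
    presented `minutes_late` minutes after that, with the cleanup task `backlog_minutes` late."""
    results = []
    for redeem in ("redeem_vulnerable", "redeem_fixed"):
        store = InvitationStore(backlog_delay=timedelta(minutes=backlog_minutes))
        store.rows["inv-1"] = Invitation("inv-1", expires=T0 + timedelta(minutes=1))
        now = T0 + timedelta(minutes=1 + minutes_late)
        results.append(getattr(store, redeem)("inv-1", now))
    return (results[0], results[1])
```

`redeem_after_expiry(1)` returns `(True, False)`: one minute past expiry the cleanup has not run yet, so only the use-time check rejects the token; with a 10-minute backlog the vulnerable path still accepts it 5 minutes past expiry.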
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-10T14:07:42.921Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691dfb7693c808727dc04388
Added to database: 11/19/2025, 5:16:38 PM
Last enriched: 11/19/2025, 5:24:04 PM
Last updated: 11/19/2025, 6:27:50 PM