CVE-2025-64708 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting the open-source Identity Provider software authentik. In versions prior to 2025.8.5 and 2025.10.2, invitation tokens used for onboarding or access provisioning remain valid until a background cleanup task removes expired invitations. This cleanup task is scheduled to run every 5 minutes, but under heavy load or backlog conditions, expired invitations may persist longer than intended. Consequently, an attacker could exploit this window to use expired invitations to gain unauthorized access to the system. The vulnerability does not require any privileges or user interaction, making it remotely exploitable over the network. The flaw impacts confidentiality by potentially allowing unauthorized access via stale invitations but does not affect integrity or availability. The fixed versions enforce explicit validation of invitation expiration during the invitation flow, eliminating reliance on background cleanup. A practical mitigation before patching is to implement a policy that checks invitation validity explicitly and denies access if the invitation is expired. No known exploits are reported in the wild as of now. This vulnerability highlights the risks of relying solely on asynchronous cleanup tasks for session or token expiration in identity management systems.

For European organizations, this vulnerability poses a risk of unauthorized access through expired invitation tokens, potentially exposing sensitive identity and access management resources. Since authentik is used as an Identity Provider, exploitation could allow attackers to bypass onboarding controls or gain initial footholds in corporate networks. This can lead to confidentiality breaches, especially in sectors handling sensitive personal data such as finance, healthcare, and government. The medium severity rating reflects that while the impact on integrity and availability is minimal, the confidentiality risk is significant enough to warrant prompt remediation. Organizations with high volumes of invitation workflows or those experiencing heavy system loads may face longer expiration delays, increasing exposure. Additionally, the vulnerability could be leveraged as part of a broader attack chain to escalate privileges or move laterally within networks. Given the critical role of identity providers in access control, exploitation could undermine trust in authentication processes and complicate compliance with GDPR and other data protection regulations.

European organizations should immediately upgrade authentik to versions 2025.8.5 or 2025.10.2 where the vulnerability is fixed. Until patching is possible, implement a policy within authentik that explicitly verifies the validity of invitations during the invitation flow and denies access if invitations are expired. Monitor the backlog of cleanup tasks to ensure expired invitations are removed promptly and consider increasing the frequency of cleanup tasks if feasible. Review and tighten invitation issuance policies to minimize the number and lifespan of active invitations. Conduct audits of invitation usage logs to detect any anomalous or repeated use of expired tokens. Integrate multi-factor authentication (MFA) in the invitation acceptance process to add an additional layer of security. Educate administrators and users about the risks of invitation misuse and enforce strict controls on invitation distribution. Finally, maintain vigilant monitoring for suspicious access patterns that could indicate exploitation attempts.