CVE-2025-53942: 
vulnerability analysis and mitigation

authentik, an open-source Identity Provider, was found to contain a security vulnerability (CVE-2025-53942) affecting versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3. The vulnerability was discovered in July 2025 and allows deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers to retain partial access to the system despite their accounts being deactivated (GitHub Advisory, NVD).

The vulnerability stems from insufficient checks for account active status when authenticating with OAuth/SAML Sources. Affected users end up in a half-authenticated state where they cannot access the API but can authorize applications if they know the URL of the application. The vulnerability has been assigned a CVSS v4.0 base score of 7.1 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H (GitHub Advisory).

The vulnerability allows deactivated users to maintain partial access to the system, specifically the ability to authorize applications despite their accounts being deactivated. While these users cannot access the API, they can still interact with applications if they know the specific URLs, potentially bypassing intended access restrictions (GitHub Advisory).

The vulnerability has been fixed in authentik versions 2025.4.4 and 2025.6.4. For users unable to upgrade immediately, a workaround is available by adding an expression policy to the user login stage on the respective authentication flow with the expression: 'return request.context["pendinguser"].isactive'. This ensures that the user login stage is only activated when the user is active (GitHub Advisory).