CVE-2025-64521: 
Chainguard vulnerability analysis and mitigation

CVE-2025-64521 affects the OAuth authentication mechanism in authentik versions <= 2025.10.1 and <= 2025.8.4. The vulnerability allows deactivated service accounts to authenticate to OAuth providers when using clientid and clientsecret credentials. This issue was discovered and disclosed in November 2025 (GitHub Advisory).

The vulnerability stems from improper user management in authentik's OAuth provider implementation. When authenticating with clientid and clientsecret, the system creates a service account but fails to properly validate the account's active status during authentication. While other permissions and federation policies are correctly enforced, the basic account status check is bypassed. The vulnerability has been assigned a CVSS v3.1 score of 4.8 (Moderate) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (GitHub Advisory).

The vulnerability allows deactivated service accounts to maintain OAuth authentication capabilities despite being explicitly disabled. This could potentially lead to unauthorized access if administrators assume deactivated accounts are fully restricted. The impact is partially mitigated as other permissions and federation policies continue to function correctly (GitHub Advisory).

The vulnerability has been patched in authentik versions 2025.8.5 and 2025.10.2. For users unable to upgrade, a workaround is available by adding a policy to the application that explicitly checks the service account's status using the Python code: 'return request.user.is_active'. This ensures deactivated accounts cannot authenticate (GitHub Advisory).