CVE-2025-64708: 
Chainguard vulnerability analysis and mitigation

A vulnerability was discovered in authentik versions 2025.10.1 and earlier, as well as versions 2025.8.4 and earlier, identified as CVE-2025-64708. The issue relates to invitation expiry functionality where invitations remained valid beyond their expiration time due to delayed cleanup processes. This vulnerability was reported by @melizeche and received a CVSS score of 5.8 (Moderate) (GitHub Advisory).

The vulnerability stems from a design flaw where invitation validations were processed regardless of their expiration status, with the system relying on background tasks for cleanup. These cleanup tasks run on 5-minute intervals, creating a window where expired invitations could still be considered valid. In scenarios with high task backlogs, this delay could extend even further. The vulnerability has been assigned a CVSS v3.1 base score of 5.8 with the following metrics: Network attack vector, Low attack complexity, No privileges required, No user interaction, Changed scope, Low confidentiality impact, and No impact on integrity or availability (GitHub Advisory).

The vulnerability allows expired invitations to remain valid for at least 5 minutes after their expiration time, potentially longer if the system has a large backlog of tasks. This could lead to unauthorized access through expired invitation links, primarily affecting the confidentiality of the system (GitHub Advisory).

The issue has been patched in authentik versions 2025.8.5 and 2025.10.2. For users unable to update immediately, a workaround is available by creating a policy that explicitly checks invitation validity. The workaround involves adding a policy bound to the invitation stage that checks the invitation's expiration status using the code: return not context['flow_plan'].context['invitation'].is_expired (GitHub Advisory).