CVE-2025-64521: authentik allows a deactivated Service account to authenticate to OAuth

November 19, 2025

When authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account.

References

github.com/advisories/GHSA-xr73-jq5p-ch8r
github.com/goauthentik/authentik
github.com/goauthentik/authentik/commit/9dbdfc3f1be0f1be36f8efce2442897b2a54a71c
github.com/goauthentik/authentik/security/advisories/GHSA-xr73-jq5p-ch8r
nvd.nist.gov/vuln/detail/CVE-2025-64521

Code Behaviors & Features

Detect and mitigate CVE-2025-64521 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →