OAuth Service Account Authentication Issue in Authentik by Goauthentik
CVE-2025-64521

CVSS v3.1 base score: 4.8 (MEDIUM)

Key Information:

Vendor: Goauthentik
CVE Published: 19 November 2025

What is CVE-2025-64521?

authentik, an open-source Identity Provider, in versions prior to 2025.8.5 and 2025.10.2 allows a service account to authenticate with its client_id and client_secret (the OAuth client_credentials path) even after the account has been deactivated. Deactivation is the usual way to revoke a service account without deleting it, so a token obtained this way is one the operator believes can no longer be issued. The impact is limited to that authentication path: permission checks for other actions remain intact, and federation with other providers still follows the assigned policies. Upgrading to 2025.8.5 or 2025.10.2 fixes the issue; until then, the advisory recommends binding a policy that checks that the service account is still active, so that a deactivated account is rejected at policy evaluation even though the credential check itself passes.
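As an added illustration (not authentik's own code), the following Python model reproduces the vulnerable behaviour beside the patched one and shows how a policy bound to the application closes the gap on an unpatched instance. The ServiceAccount and TokenRequest classes, find_by_credentials, issue_token and the sample accounts are assumptions made for the model; active_user_policy stands in for an authentik expression policy, which is a Python snippet with request.user available, on the assumption that policies bound to the application are evaluated for the client_credentials grant with the service account as the user.

```python
"""Simplified model of the client_credentials path affected by CVE-2025-64521.

Added example, not authentik's own code. The classes and helpers below are
assumptions that capture only the behaviour described in the advisory.
"""
from dataclasses import dataclass
import hmac
import secrets
from typing import Callable, Iterable, Optional


@dataclass
class ServiceAccount:
    """A service account as seen by the token endpoint (assumed shape)."""
    username: str
    client_id: str
    client_secret: str
    is_active: bool = True  # cleared when an admin deactivates the account


@dataclass
class TokenRequest:
    """What a policy sees; mirrors the `request.user` that authentik
    expression policies can read (the class itself is an assumption)."""
    user: ServiceAccount


Policy = Callable[[TokenRequest], bool]


def find_by_credentials(
    accounts: Iterable[ServiceAccount], client_id: str, client_secret: str
) -> Optional[ServiceAccount]:
    """Resolve the account whose client_id/client_secret match.

    The secret comparison is constant-time so the lookup does not leak
    how many leading bytes of a guessed secret were right.
    """
    for acct in accounts:
        if acct.client_id == client_id and hmac.compare_digest(
            acct.client_secret.encode(), client_secret.encode()
        ):
            return acct
    return None


def active_user_policy(request: TokenRequest) -> bool:
    """Stand-in for the advisory's workaround policy.

    In an authentik expression policy the equivalent body would be
    `return request.user.is_active` (assumed to be evaluated for the
    client_credentials grant when the policy is bound to the application).
    """
    return request.user.is_active


def issue_token(
    accounts: Iterable[ServiceAccount],
    client_id: str,
    client_secret: str,
    policies: Iterable[Policy] = (),
    check_active: bool = True,
) -> Optional[str]:
    """Return a bearer token, or None when the request must be refused.

    check_active=False reproduces the pre-2025.8.5 / pre-2025.10.2 behaviour:
    a correct client_id/client_secret pair is enough and the deactivation
    flag is never consulted. check_active=True is the patched behaviour.
    Bound policies run in both modes, which is why the workaround still
    rejects deactivated accounts on an unpatched instance.
    """
    acct = find_by_credentials(accounts, client_id, client_secret)
    if acct is None:
        return None                       # unknown client or wrong secret
    if check_active and not acct.is_active:
        return None                       # the fix: deactivated accounts stop here
    request = TokenRequest(user=acct)
    if not all(policy(request) for policy in policies):
        return None                       # workaround: policy denies the grant
    return secrets.token_urlsafe(32)      # opaque access token (constructed)


# Constructed sample accounts: one live, one that an admin has deactivated.
ACCOUNTS = [
    ServiceAccount("ci-deploy", "ci-deploy-client", "s3cret-one", is_active=True),
    ServiceAccount("old-backup", "old-backup-client", "s3cret-two", is_active=False),
]


def outcomes() -> dict:
    """Exercise the three configurations against the deactivated account."""
    bad = "old-backup-client", "s3cret-two"
    return {
        "vulnerable": issue_token(ACCOUNTS, *bad, check_active=False) is not None,
        "patched": issue_token(ACCOUNTS, *bad, check_active=True) is not None,
        "workaround": issue_token(
            ACCOUNTS, *bad, policies=[active_user_policy], check_active=False
        ) is not None,
        "active_account": issue_token(ACCOUNTS, "ci-deploy-client", "s3cret-one") is not None,
        "wrong_secret": issue_token(ACCOUNTS, "ci-deploy-client", "nope", check_active=False) is not None,
    }


if __name__ == "__main__":
    for name, got_token in outcomes().items():
        print(f"{name:15s} token issued: {got_token}")
```

Running the module shows the deactivated account receiving a token only in the "vulnerable" configuration; the patched check and the bound policy both refuse it, while the live account and a wrong secret behave the same in every mode. On a real instance the equivalent verification is to deactivate a test service account and attempt the client_credentials grant against the token endpoint before and after applying the workaround or upgrading.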

Affected Version(s)

authentik < 2025.10.2

authentik < 2025.8.5

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Note: under the CVSS v3.1 specification the metrics listed here (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) compute to a base score of 5.9, not 4.8, so the score and the metric values shown are inconsistent; check the vendor advisory or NVD entry before relying on either figure.

Timeline

  • Vulnerability published: 19 November 2025

  • Vulnerability reserved
