OAuth Service Account Authentication Issue in Authentik by Goauthentik
CVE-2025-64521
What is CVE-2025-64521?
Authentik, an open-source Identity Provider, allowed service accounts to authenticate with a client_id and client_secret even after the account had been marked as deactivated; versions prior to 2025.8.5 and 2025.10.2 are affected. This is a significant security risk, although permission checks for other actions remain intact, so federation with other providers still follows the assigned policies. Until an upgrade to a patched version is possible, it is recommended to implement a policy that checks the validity of service accounts.
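The following is an added, stand-alone illustration of the flaw class described above and of the interim "check the account is still valid" policy the advisory recommends. It is not authentik's code: it models a minimal client-credentials token endpoint over a constructed in-memory account store, shows the check that the vulnerable path omits (account state is never consulted after the secret is verified), and shows the fixed path plus an audit record that gives defenders something to alert on. All names (ServiceAccount, issue_token_vulnerable, issue_token_fixed, account_validity_policy, the sample client IDs and secrets) are assumptions made for this example.

```python
"""Illustration of the CVE-2025-64521 flaw class: credential verified,
account state ignored. Added example, not authentik's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


def _hash_secret(secret: str) -> str:
    """Store only a digest of the client secret, never the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class ServiceAccount:
    client_id: str
    secret_hash: str
    is_active: bool = True              # False once an admin deactivates it
    expires_at: Optional[int] = None    # unix time; None means no expiry


# Audit trail of rejected attempts: a deactivated account presenting a
# *valid* secret is exactly the signal a defender wants to see.
AUDIT_LOG: List[str] = []


def _secret_matches(account: ServiceAccount, presented: str) -> bool:
    # Constant-time digest comparison avoids timing leaks on the secret.
    return hmac.compare_digest(account.secret_hash, _hash_secret(presented))


def issue_token_vulnerable(store: Dict[str, ServiceAccount],
                           client_id: str, client_secret: str) -> Optional[str]:
    """Vulnerable pattern: the secret is checked, the account state is not,
    so a deactivated service account still receives a token."""
    account = store.get(client_id)
    if account is None or not _secret_matches(account, client_secret):
        return None
    return secrets.token_urlsafe(16)


def account_validity_policy(account: ServiceAccount, now: int) -> bool:
    """Interim policy in the spirit of the advisory's workaround:
    only active, non-expired service accounts may authenticate."""
    if not account.is_active:
        return False
    if account.expires_at is not None and account.expires_at <= now:
        return False
    return True


def issue_token_fixed(store: Dict[str, ServiceAccount],
                      client_id: str, client_secret: str, now: int) -> Optional[str]:
    """Fixed pattern: verify the secret AND the account's validity, and
    record rejections where a correct secret was presented."""
    account = store.get(client_id)
    if account is None or not _secret_matches(account, client_secret):
        return None
    if not account_validity_policy(account, now):
        AUDIT_LOG.append(
            f"rejected client_credentials for {client_id}: "
            f"valid secret but account inactive or expired"
        )
        return None
    return secrets.token_urlsafe(16)


# Constructed sample store (assumed names and secrets, not real data).
SAMPLE_STORE: Dict[str, ServiceAccount] = {
    "ci-runner": ServiceAccount("ci-runner", _hash_secret("runner-secret")),
    "old-integration": ServiceAccount("old-integration",
                                      _hash_secret("old-secret"),
                                      is_active=False),
    "temp-sync": ServiceAccount("temp-sync", _hash_secret("sync-secret"),
                                expires_at=1_600_000_000),
}

if __name__ == "__main__":
    now = 1_700_000_000
    print("vulnerable, deactivated account:",
          issue_token_vulnerable(SAMPLE_STORE, "old-integration", "old-secret") is not None)
    print("fixed, deactivated account:",
          issue_token_fixed(SAMPLE_STORE, "old-integration", "old-secret", now) is not None)
    print("fixed, expired account:",
          issue_token_fixed(SAMPLE_STORE, "temp-sync", "sync-secret", now) is not None)
    print("fixed, active account:",
          issue_token_fixed(SAMPLE_STORE, "ci-runner", "runner-secret", now) is not None)
    print("audit:", AUDIT_LOG)
```

The validity check is deliberately a separate function so the same rule can be applied wherever a service account is evaluated, not only at the token endpoint; the audit entry distinguishes "wrong secret" from "right secret, dead account", which is the case worth an alert.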

Affected Version(s)
authentik < 2025.10.2 (fixed in 2025.10.2)
authentik < 2025.8.5 (fixed in 2025.8.5)
