Authentication Flaw in Authentik Open-Source Identity Provider
CVE-2025-64708

5.8MEDIUM

Key Information:

Vendor: Goauthentik
Status: Authentik
Vendor: CVE Published:; 19 November 2025

🔔 Create Goauthentik Vulnerability Alert

What is CVE-2025-64708?

The Authentik open-source Identity Provider has a vulnerability related to its invitation management system. In versions before 2025.8.5 and 2025.10.2, invitations can be accepted even if they have expired, as the cleanup process for expired invitations is delayed by background tasks. This could lead to a security issue, particularly when a large backlog of tasks exists, potentially extending the time for cleanup beyond five minutes. To mitigate this issue, upgrading to the latest versions is advised, and implementing a policy to validate invitations during the invitation flow can serve as a temporary workaround.

Affected Version(s)

authentik < 2025.10.2 < 2025.10.2

authentik < 2025.8.5 < 2025.8.5

References

https://github.com/goauthentik/authentik/security/advisor...

x_refsource_CONFIRM

https://github.com/goauthentik/authentik/commit/6672e6aaa...

x_refsource_MISC

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 19, 2025
Vulnerability Reserved
Nov 10, 2025

JSON