Platform
go
Component
goauthentik.io
Fixed in
2025.4.4
2025.6.1
0.0.0-20250722122105-7a4c6b9b50f8
CVE-2025-53942 describes a vulnerability in Authentik where the system lacks sufficient checks for an account's active status when authenticating through OAuth or SAML sources. This deficiency could allow an attacker to potentially gain unauthorized access. The vulnerability affects versions prior to v0.0.0-20250722122105-7a4c6b9b50f8. A patch has been released to address this issue.
The core impact of CVE-2025-53942 lies in the potential for unauthorized access to Authentik-managed resources. An attacker could exploit this flaw by crafting malicious OAuth or SAML requests that bypass the account active status verification. This could lead to the attacker impersonating a legitimate user and gaining access to sensitive data or performing actions on behalf of that user. The blast radius extends to any systems or applications relying on Authentik for authentication, as a compromised Authentik instance could serve as a gateway to other critical infrastructure. While no specific real-world exploitation has been publicly reported, the potential for abuse is significant, particularly in environments where OAuth/SAML integrations are prevalent.
CVE-2025-53942 was published on 2025-08-11. Its severity is currently assessed as HIGH (CVSS 7.5). There are no known public proof-of-concept exploits available at this time. The vulnerability is not currently listed on the CISA KEV catalog. Given the nature of the vulnerability and the potential for remote exploitation, it is prudent to prioritize remediation.
Exploit Status
EPSS
0.06% (18% percentile)
CISA SSVC
The primary mitigation for CVE-2025-53942 is to immediately upgrade Authentik to version v0.0.0-20250722122105-7a4c6b9b50f8 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting OAuth/SAML access to trusted sources or implementing stricter account activity monitoring. Review and audit all OAuth/SAML configurations to ensure they adhere to security best practices. After upgrading, confirm the fix by attempting to authenticate with a test user account via OAuth/SAML and verifying that the account active status is correctly enforced.
Actualice authentik a la versión 2025.6.4 o posterior. Como alternativa, aplique la solución provisional agregando una política de expresión al flujo de inicio de sesión del usuario con la expresión `return request.context["pending_user"].is_active`. Esto asegura que la etapa de inicio de sesión del usuario solo se active cuando el usuario esté activo.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-53942 is a HIGH severity vulnerability in Authentik affecting versions before v0.0.0-20250722122105-7a4c6b9b50f8. It allows unauthorized access due to insufficient checks for account active status during OAuth/SAML authentication.
If you are using Authentik versions prior to v0.0.0-20250722122105-7a4c6b9b50f8 and utilize OAuth or SAML authentication, you are potentially affected by this vulnerability.
Upgrade Authentik to version v0.0.0-20250722122105-7a4c6b9b50f8 or later to mitigate this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of the current assessment, there are no confirmed reports of active exploitation of CVE-2025-53942, but the potential for abuse exists.
Refer to the Authentik security advisory for detailed information and updates regarding CVE-2025-53942: [https://goauthentik.io/docs/security/advisories/](https://goauthentik.io/docs/security/advisories/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.