CVE-2025-64708: Authentik Invitation Vulnerability – Expired Invitations Still Valid!

Overview

CVE-2025-64708 describes a medium-severity vulnerability in Authentik, an open-source identity provider. Prior to versions 2025.8.5 and 2025.10.2, an invitation was still treated as valid after its expiration date, because expiry was enforced only indirectly: expired invitations were removed by a background cleanup task rather than rejected at the time of use. If that cleanup task was delayed, an expired invitation remained usable for unauthorized access during the gap.

Technical Details

In affected versions of Authentik, invitation expiry was enforced only by a background cleanup task scheduled to run every 5 minutes. This works under normal load, but a large backlog of tasks could delay the cleanup run, extending the period during which an already-expired invitation remained usable. An attacker holding an expired invitation could therefore still redeem it within that window, bypassing the intended expiry control.

CVSS Analysis

This vulnerability has been assigned a CVSS score of 5.8, indicating a MEDIUM severity. This score reflects the potential for exploitation and the impact on confidentiality and integrity.

Possible Impact

The exploitation of this vulnerability could allow unauthorized users to gain access to protected resources via expired invitations. This could lead to:

  • Unauthorized account creation
  • Data breaches
  • Compromised systems

Mitigation and Patch Steps

The recommended solution is to upgrade to Authentik version 2025.8.5 or 2025.10.2, where this issue is resolved.

If upgrading is not immediately possible, a workaround involves:

  1. Creating a policy within Authentik that explicitly checks the validity of invitations.
  2. Binding this policy to the invitation stage of the invitation flow.
  3. Configuring the policy to deny access if the invitation is expired.

This workaround provides an immediate layer of protection while you plan your upgrade.
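To make the timing window concrete, the following is an added Python model (not authentik's own code) of the two behaviours described above: the pre-fix logic, in which any invitation still present in the store is treated as valid, and the explicit check of the expiry timestamp at redemption time that the workaround policy and the patched versions provide. The store, the cleanup schedule and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Invitation:
    token: str
    expires: Optional[datetime]   # None models an invitation that never expires
    single_use: bool = True


def is_expired(inv: Invitation, now: datetime) -> bool:
    return inv.expires is not None and now >= inv.expires


class InvitationStore:
    """Holds invitations; expired ones disappear only when cleanup() runs."""

    def __init__(self) -> None:
        self._by_token: dict[str, Invitation] = {}

    def add(self, inv: Invitation) -> None:
        self._by_token[inv.token] = inv

    def lookup(self, token: str) -> Optional[Invitation]:
        return self._by_token.get(token)

    def cleanup(self, now: datetime) -> int:
        """Background task: delete expired invitations; returns how many were removed."""
        expired = [t for t, inv in self._by_token.items() if is_expired(inv, now)]
        for t in expired:
            del self._by_token[t]
        return len(expired)


def accept_lax(store: InvitationStore, token: str) -> bool:
    """Pre-fix behaviour as the advisory describes it: still present == still valid."""
    return store.lookup(token) is not None


def accept_strict(store: InvitationStore, token: str, now: datetime) -> bool:
    """Workaround/fixed behaviour: reject if the invitation has expired at time of use."""
    inv = store.lookup(token)
    return inv is not None and not is_expired(inv, now)


def simulate(attempt_min: int, cleanup_mins: list) -> tuple:
    """One invitation expiring at T+10min; cleanup runs at the given minutes (constructed
    schedule). Returns (lax_accepted, strict_accepted) for a redemption at T+attempt_min."""
    t0 = datetime(2025, 11, 1, tzinfo=timezone.utc)   # constructed reference time
    store = InvitationStore()
    store.add(Invitation("inv-abc123", expires=t0 + timedelta(minutes=10)))
    for m in sorted(cleanup_mins):
        if m <= attempt_min:                          # only runs that happened before the attempt
            store.cleanup(t0 + timedelta(minutes=m))
    now = t0 + timedelta(minutes=attempt_min)
    return accept_lax(store, "inv-abc123"), accept_strict(store, "inv-abc123", now)
```

With cleanup at T+9 and the next run not until T+14, a redemption at T+12 is accepted by the lax check but rejected by the strict one; once cleanup has run, both reject it.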

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
