Cybersecurity Vulnerabilities

CVE-2025-64521: Authentik OAuth Service Account Authentication Bypass Vulnerability

November 19, 2025 - By 

Overview

CVE-2025-64521 describes an authentication bypass vulnerability in Authentik, an open-source Identity Provider. This vulnerability affects how Authentik handles authentication for OAuth service accounts created when authenticating with client_id and client_secret to an OAuth provider. Specifically, deactivated service accounts could still be used for authentication in versions prior to 2025.8.5 and 2025.10.2.

Technical Details

When configuring Authentik to use an OAuth provider, a service account is automatically created. In vulnerable versions of Authentik, even if this service account was deactivated (disabled), it could still be used to authenticate. This bypass occurs because the authentication process didn’t properly check the account’s status before allowing access. Note that other permissions were applied correctly, and federation with other providers was not impacted. Assigned policies were also correctly taken into account during federation with other providers.

CVSS Analysis

  • CVSS Score: 4.8 (MEDIUM)
  • The CVSS score of 4.8 indicates a medium severity vulnerability. This score takes into account factors such as the attack complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact. While not critical, this vulnerability allows an attacker to potentially bypass authentication mechanisms, which warrants immediate attention.

Possible Impact

Successful exploitation of this vulnerability could allow an attacker to:

  • Bypass authentication controls.
  • Potentially access resources and services protected by Authentik.
  • Maintain unauthorized access even after a service account is intentionally deactivated.

Mitigation or Patch Steps

The vulnerability is fixed in Authentik versions 2025.8.5 and 2025.10.2. It is strongly recommended to upgrade to one of these versions, or a later version, as soon as possible.

  1. Upgrade Authentik: The primary mitigation is to upgrade your Authentik instance to version 2025.8.5 or 2025.10.2 or later. Refer to the official Authentik documentation for upgrade instructions.
  2. Workaround (if immediate upgrade is not possible): As a temporary workaround, add a policy to the application that explicitly checks if the service account is still valid, and deny access if not. This requires custom configuration and understanding of Authentik’s policy engine.

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.

Related Posts

CVE-2025-61932 Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

CVE-2025-61932: Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

October 23, 2025

Leave a Reply

Your email address will not be published. Required fields are marked *