4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64521

GHSA ID

GHSA-xr73-jq5p-ch8r

EPSS Score

CWE

CWE-286

Published

11/19/2025

Updated

11/19/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64521

CVE-2025-64521: authentik allows a deactivated Service account to authenticate to OAuth

Summary

When authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account.

Patches

authentik 2025.8.5 and 2025.10.2 fix this issue, for other versions the workaround below can be used.

Workarounds

You can add a policy to your application that explicitly checks if the service account is still valid, and deny access if not.

return request.user.is_active

For more information

If you have any questions or comments about this advisory:

Email us at security@goauthentik.io.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64521

CVE-2025-64521:

4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64521

GHSA ID

GHSA-xr73-jq5p-ch8r

EPSS Score

CWE

CWE-286

Published

11/19/2025

Updated

11/19/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
goauthentik.io	go	< 0.0.0-20251119140106-9dbdfc3f1be0	0.0.0-20251119140106-9dbdfc3f1be0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis began by examining the provided commit URL, which was directly linked from the security advisory. The get_commit_infos tool was used to retrieve the patch details. The commit modified three files, but the core logic change was located in authentik/providers/oauth2/views/token.py. The diff revealed that the line user = User.objects.filter(username=username).first() was changed to user = User.objects.filter(username=username, is_active=True).first(). This change occurred within the __post_init_client_credentials_creds method of the TokenView class. The vulnerability is that the original code did not check the is_active status of the user, allowing a deactivated service account to authenticate. The patch rectifies this by adding the is_active=True filter. Therefore, the TokenView.__post_init_client_credentials_creds function is identified as the vulnerable function, as it is responsible for processing the credentials and failed to properly enforce the account status.

Vulnerable functions

TokenView.__post_init_client_credentials_creds

authentik/providers/oauth2/views/token.py

This function handles the client credentials grant type for OAuth2. The vulnerability lies in the fact that it retrieves a user by username without checking if the user's account is active. The patch fixes this by adding `is_active=True` to the database query. An attacker could exploit this by using the credentials of a deactivated service account to obtain an access token.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64521: authentik allows a deactivated Service account to authenticate to OAuth

Summary

Patches

Workarounds

For more information

CVE-2025-64521:

4.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-64521: authentik allows a deactivated Service account to authenticate to OAuth

Summary

Patches

Workarounds

For more information

Technical Details

4.8

4.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI