5.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64708

CVE-2025-64708: authentik's invitation expiry is delayed by at least 5 minutes

Summary

In previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer.

Patches

authentik 2025.8.5 and 2025.10.2 fix this issue; for other versions the workaround below can be used.

Workarounds

Users can create a policy that explicitly checks whether the invitation is still valid, and then bind it to the invitation stage on your invitation flow, and deny access if the invitation is not valid.

return not context['flow_plan'].context['invitation'].is_expired

For more information

If users have any questions or comments about this advisory:

Email the authentik team at security@goauthentik.io.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64708

CVE-2025-64708:

5.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
goauthentik.io	go	< 0.0.0-20251119135424-6672e6aaa41e	0.0.0-20251119135424-6672e6aaa41e

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the get_invite method within the InvitationStage class in authentik/stages/invitation/stage.py. The core of the issue is that the application logic did not properly check for invitation expiry at the time of use. Instead, it relied on a periodic background task to clean up expired invitations. An attacker could therefore use an invitation that had expired but had not yet been cleaned up by the background task. The provided patch addresses this by introducing an explicit check for expiration when an invitation is fetched. The change from Invitation.objects.filter(pk=token).first() to Invitation.filter_not_expired(pk=token).first() in the get_invite function directly mitigates this vulnerability by ensuring that expired invitations are never returned as valid.

Vulnerable functions

InvitationStage.get_invite

authentik/stages/invitation/stage.py

The function `get_invite` was vulnerable because it retrieved invitations using `Invitation.objects.filter(pk=token).first()` which did not check if an invitation was expired. This allowed expired invitations to be used until a background task cleaned them up. The patch fixes this by using `Invitation.filter_not_expired(pk=token).first()` to ensure only valid, non-expired invitations are retrieved.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64708: authentik's invitation expiry is delayed by at least 5 minutes

Summary

Patches

Workarounds

For more information

CVE-2025-64708:

5.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-64708: authentik's invitation expiry is delayed by at least 5 minutes

Summary

Patches

Workarounds

For more information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

5.8

5.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI