The Ghost in the Machine: Deactivated Users Haunt authentik's OAuth/SAML Flows
Vulnerability ID: CVE-2025-53942
CVSS Score: 7.4
Published: 2025-07-23
A high-severity privilege management flaw (CVSS 7.4) exists in authentik, a popular open-source Identity Provider. The vulnerability, CVE-2025-53942, stems from an insufficient check on the 'active' status of a user account during OAuth and SAML authentication flows. Because the authorization path never verifies that the account is still active, users who have been deactivated retain access to downstream applications, effectively becoming 'ghost' users who bypass administrative controls and keep a persistent foothold in the environment.
TL;DR
Deactivated users in authentik aren't really gone. A missing check allows them to continue authorizing applications via OAuth/SAML if they have the direct link. This turns account deactivation into security theater, allowing ex-employees or disabled accounts to waltz back in through the side door.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-269
- CWE Name: Improper Privilege Management
- Attack Vector: Network
- CVSS Score: 7.4 (High)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
- EPSS Score: 0.07% (Probability of exploitation is low)
- Impact: Unauthorized Access, Information Disclosure, Privilege Persistence
- Exploit Status: Proof of Concept / Theoretical
Affected Systems
- authentik Identity Provider
  - authentik <= 2025.4.3 (Fixed in: 2025.4.4)
  - authentik >= 2025.6.0-rc1, < 2025.6.4 (Fixed in: 2025.6.4)
Mitigation Strategies
- Upgrade authentik to a patched version immediately.
- If patching is not immediately possible, implement a workaround by binding an expression policy to the user login stage that denies the flow unless the user account is active.
- Forcefully expire all user sessions after applying the patch or workaround to terminate any lingering 'ghost' sessions.
- Conduct a full audit of all authentication and authorization flows to identify and fix other potential logic gaps where user status is not properly checked.
Remediation Steps
- Identify your current authentik version.
- If running version <= 2025.4.3, upgrade to 2025.4.4 or newer.
- If running version >= 2025.6.0-rc1 and < 2025.6.4, upgrade to 2025.6.4 or newer.
- After upgrading, navigate to the authentik admin interface and revoke all active user sessions.
- Review application and authentik logs for access events by accounts that had already been deactivated before the patch was applied, and treat any such access as suspicious.
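The following is an added example, not authentik's code or the advisory's own proof of concept: a small Python model of the logic gap, the active-user check that the expression-policy workaround above enforces, the post-patch session revocation, and the log review in the last remediation step. Class names, the session store and the JSON event fields are assumptions made for this illustration; only the `is_active` attribute mirrors the flag on the Django user model authentik builds on, and the log lines are constructed sample data.

```python
"""Added example (not authentik's code): a minimal model of the
CVE-2025-53942 logic gap and of the defensive measures the advisory lists.
Class and field names are assumptions for this illustration."""
import json
from dataclasses import dataclass


@dataclass
class User:
    username: str
    is_active: bool = True  # Django-style flag cleared on deactivation


@dataclass
class AuthorizeRequest:
    user: User            # user behind the existing session
    application: str      # downstream OAuth/SAML application slug


def vulnerable_authorize(request: AuthorizeRequest) -> bool:
    """'Before' behaviour: having a session is treated as being authorized,
    so a deactivated user who still holds a session (or reaches the
    authorization URL directly) is let through."""
    return request.user is not None


def active_user_policy(request: AuthorizeRequest) -> bool:
    """Equivalent of the expression-policy workaround: deny unless the user
    is still active. In an authentik expression policy this is the single
    expression `return request.user.is_active` (assumed binding, see lead-in)."""
    return request.user is not None and request.user.is_active


def hardened_authorize(request: AuthorizeRequest, policies=(active_user_policy,)) -> bool:
    """Patched behaviour: every bound policy must pass before authorizing."""
    return all(policy(request) for policy in policies)


def revoke_sessions(sessions: dict, directory: dict) -> list:
    """Post-patch step: drop every session whose user is unknown or no longer
    active; returns the revoked session ids."""
    revoked = []
    for sid, username in sessions.items():
        user = directory.get(username)
        if user is None or not user.is_active:
            revoked.append(sid)
    for sid in revoked:
        del sessions[sid]
    return revoked


def find_ghost_authorizations(log_lines, directory: dict) -> list:
    """Log review: return (username, application, timestamp) for every
    application-authorization event by a user the directory marks inactive.
    The JSON field names are assumptions, not authentik's event schema."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("action") != "authorize_application":
            continue
        user = directory.get(event["username"])
        if user is not None and not user.is_active:
            hits.append((event["username"], event["application"], event["timestamp"]))
    return hits


# Constructed sample data for the demonstration.
DIRECTORY = {
    "alice": User("alice"),
    "bob": User("bob", is_active=False),   # ex-employee, deactivated
}
SESSIONS = {"s-1": "alice", "s-2": "bob"}
SAMPLE_LOG = [
    '{"timestamp": "2025-07-20T09:00:00Z", "action": "login", "username": "alice", "application": null}',
    '{"timestamp": "2025-07-20T09:05:00Z", "action": "authorize_application", "username": "alice", "application": "grafana"}',
    '{"timestamp": "2025-07-21T14:30:00Z", "action": "authorize_application", "username": "bob", "application": "gitlab"}',
    '{"timestamp": "2025-07-22T08:15:00Z", "action": "authorize_application", "username": "bob", "application": "grafana"}',
]


def demo() -> dict:
    """Run the vulnerable and hardened gates for the deactivated user, revoke
    stale sessions and audit the sample log; returns the results."""
    ghost = AuthorizeRequest(DIRECTORY["bob"], "gitlab")
    sessions = dict(SESSIONS)
    return {
        "vulnerable_allows_ghost": vulnerable_authorize(ghost),
        "hardened_allows_ghost": hardened_authorize(ghost),
        "revoked": revoke_sessions(sessions, DIRECTORY),
        "ghost_events": find_ghost_authorizations(SAMPLE_LOG, DIRECTORY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design point is that the active check sits in the authorization path itself rather than only at login: a session created while the account was active must not be enough on its own, which is also why the session revocation step is needed after the policy is in place.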
References
Read the full report for CVE-2025-53942 on our website for more details including interactive diagrams and full exploit analysis.