# CVE-2025-53942

_Reported by [@pascalwei](https://github.com/pascalwei)_

## Insufficient check for account active status when authenticating with OAuth/SAML Sources

### Summary

Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application.

### Patches

authentik 2025.4.4 and 2025.6.4 fix this issue.

### Workarounds

Adding an expression policy to the user login stage on the respective authentication flow with the expression of

```py
return request.context["pending_user"].is_active
```

This expression will only activate the user login stage when the user is active.

### For more information

If you have any questions or comments about this advisory:

- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).