mirror of
https://github.com/goauthentik/authentik
synced 2026-04-28 02:18:11 +02:00
30 lines
1.0 KiB
Markdown
30 lines
1.0 KiB
Markdown
# CVE-2025-53942
|
|
|
|
_Reported by [@pascalwei](https://github.com/pascalwei)_
|
|
|
|
## Insufficient check for account active status when authenticating with OAuth/SAML Sources
|
|
|
|
### Summary
|
|
|
|
Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application.
|
|
|
|
### Patches
|
|
|
|
authentik 2025.4.4 and 2025.6.4 fix this issue.
|
|
|
|
### Workarounds
|
|
|
|
Adding an expression policy to the user login stage on the respective authentication flow with the expression of
|
|
|
|
```py
|
|
return request.context["pending_user"].is_active
|
|
```
|
|
|
|
This expression will only activate the user login stage when the user is active.
|
|
|
|
### For more information
|
|
|
|
If you have any questions or comments about this advisory:
|
|
|
|
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
|