CVE-2025-64521 | authentik deactivated service accounts can authenticate to OAuth

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks if the service account is still valid, and deny access if not.

Published: 2025-11-19 Last update: 2025-11-20 Assigner: [email protected] Source: [email protected]

NVD Status：Analyzed，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2025-64521

EPSS CVSS CWE GHSA Affected

Conclusion & alert: CVE-2025-64521 is rated Low Risk (22.7/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.03%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-64521

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-17	0.06%	0.03%	-0.02%
2	2026-03-21	0.05%	0.06%	+0.01%
3	2026-01-26	—	0.05%	—

Full EPSS history (5 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-64521

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.8	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:H) They need powerful rights—admin, root, or similar—before this pays off. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	1.7	2.7	[email protected]

Weakness enumeration for CVE-2025-64521

CWE-289 MITRE ↗

GitHub Security Advisory for CVE-2025-64521

GHSA-xr73-jq5p-ch8r · Severity: medium · Ecosystem: go — authentik allows a deactivated Service account to authenticate to OAuth

Affected software / configurations for CVE-2025-64521

Vendor	Product	Version	Raw CPE
goauthentik	authentik	>= 2025.8.0, < 2025.8.5	cpe:2.3:a:goauthentik:authentik::::::::
goauthentik	authentik	>= 2025.10.0, < 2025.10.2	cpe:2.3:a:goauthentik:authentik::::::::

References for CVE-2025-64521

URL	Tags
https://github.com/goauthentik/authentik/commit/9dbdfc3f1be0f1be36f8efce2442897b2a54a71c	Patch
https://github.com/goauthentik/authentik/security/advisories/GHSA-xr73-jq5p-ch8r	Patch Third Party Advisory

cvelogic Threat Intelligence